Malware Analysis Report

2025-08-05 19:38

Sample ID 240229-kseb3abh5x
Target Packed.Win32.Salpack.e-e438d0a0631047f8f62fa69bd4dc07f6c4f0f1cac554b7ba6d166c0d5cf6f2e8
SHA256 e438d0a0631047f8f62fa69bd4dc07f6c4f0f1cac554b7ba6d166c0d5cf6f2e8
Tags: sality backdoor evasion trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e438d0a0631047f8f62fa69bd4dc07f6c4f0f1cac554b7ba6d166c0d5cf6f2e8
Threat Level: Known bad

The file Packed.Win32.Salpack.e-e438d0a0631047f8f62fa69bd4dc07f6c4f0f1cac554b7ba6d166c0d5cf6f2e8 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Sality

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

UPX packed file

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 08:51

Reported

2024-02-29 08:54

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

25 rule matches reported; no description, indicator, process or target was recorded for any of them.

UPX dump on OEP (original entry point)

29 rule matches reported; no description, indicator, process or target was recorded for any of them.

UPX packed file

upx
25 rule matches reported; no description, indicator, process or target was recorded for any of them.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
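The registry writes in the firewall-policy, UAC-bypass, Security Center and UAC tables above are the most actionable artefacts in this report: the same handful of values (EnableLUA, EnableFirewall, DoNotAllowExceptions, the Security Center *Override and *DisableNotify flags, the Security Center\Svc key) are written by both dropped executables and appear under several signature names. The Python below is an added example, not sandbox output and not code from the report or from the Sality authors: it parses rows in the report's own "Description Indicator Process Target" layout, normalizes the key paths (drops the Wow6432Node alias, folds ControlSet001 into CurrentControlSet, lower-cases), and maps each write to a defence-impairment finding per writing process, collapsing repeats. The sample rows are copied from the tables above plus one constructed Run\Example row that no rule covers; the ATT&CK technique IDs are the editor's mapping and are not supplied by the report's MITRE section.

```python
"""Triage of the registry writes a sandbox attributes to a sample.

Added example for this report, not code from the sandbox or from the report.
It parses rows in the report's own "Description Indicator Process Target"
layout and maps each write to a defence-impairment finding per process.
The ATT&CK technique IDs are the editor's own mapping, not report data.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed input: rows copied from the behavioral1 signature tables, plus
# one write (the Run\Example row) that no rule covers, to show a non-match.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "x" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A',
]

# 'Set value (type) <path> = "<data>" <process> <target>' / 'Key created <path> <process> <target>'
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$')


class Write(NamedTuple):
    action: str            # "set" or "create"
    path: str              # raw \REGISTRY\MACHINE\... path from the row
    data: Optional[str]    # written data for "set", None for "create"
    process: str           # full path of the writing process


class Rule(NamedTuple):
    pattern: str           # regex over the normalized path
    data: Optional[str]    # required data, None = any (key creation)
    finding: str
    technique: str         # ATT&CK ID (editor's mapping, not from the report)


RULES = [
    Rule(r"policies\\system\\enablelua$", "0", "UAC disabled (EnableLUA=0)", "T1548.002"),
    Rule(r"firewallpolicy\\\w+profile\\enablefirewall$", "0", "Windows Firewall disabled", "T1562.004"),
    Rule(r"firewallpolicy\\\w+profile\\donotallowexceptions$", "0", "firewall exceptions re-enabled", "T1562.004"),
    Rule(r"firewallpolicy\\\w+profile\\disablenotifications$", "1", "firewall notifications suppressed", "T1562.004"),
    Rule(r"security center\\(antivirus|firewall|updates|uac)disablenotify$", "1", "Security Center notifications suppressed", "T1562.001"),
    Rule(r"security center\\(antivirus|firewall)override$", "1", "Security Center override flag set", "T1562.001"),
    Rule(r"security center\\svc$", None, "Security Center\\Svc key created", "T1562.001"),
]


def normalize(path: str) -> str:
    """Lower-case, HKLM-prefix and strip the WOW64 and ControlSet aliases so one
    rule covers the 32- and 64-bit registry views and every ControlSetNNN."""
    p = path.lower()
    p = p.replace("\\registry\\machine\\", "hklm\\")
    p = p.replace("\\wow6432node\\", "\\")
    p = re.sub(r"\\controlset\d+\\", r"\\currentcontrolset\\", p)
    return p


def parse_row(row: str) -> Optional[Write]:
    m = SET_RE.match(row)
    if m:
        return Write("set", m["path"], m["data"], m["proc"])
    m = KEY_RE.match(row)
    if m:
        return Write("create", m["path"], None, m["proc"])
    return None   # rows of other signature types (file, token, ...) are skipped


def classify(rows):
    """Map process basename -> sorted list of (technique, finding). The same
    write listed under several signatures collapses into one finding."""
    findings = defaultdict(set)
    for row in rows:
        w = parse_row(row)
        if w is None:
            continue
        npath = normalize(w.path)
        for rule in RULES:
            if re.search(rule.pattern, npath) and (rule.data is None or rule.data == w.data):
                findings[w.process.rsplit("\\", 1)[-1]].add((rule.technique, rule.finding))
    return {proc: sorted(hits) for proc, hits in findings.items()}


if __name__ == "__main__":
    for proc, hits in classify(SAMPLE_ROWS).items():
        print(proc)
        for technique, finding in hits:
            print(f"  {technique}  {finding}")
```

Run it over the complete tables (the Windows security bypass and Windows security modification sections list the same Security Center writes twice) and each dropped executable gets one line per finding rather than one per row. The normalization step matters on a real host as well: a 32-bit Sality payload on 64-bit Windows lands its Security Center writes under Wow6432Node, which is why the report shows that prefix, and a rule keyed on the unaliased path would miss it.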

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
File created C:\Windows\f76aaef C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A
File created C:\Windows\f763a81 C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A (21 identical rows)

Suspicious use of WriteProcessMemory

33 rows recorded; identical rows merged below in order of first appearance, count in parentheses.
Description Indicator Process Target
PID 1728 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 rows)
PID 3020 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763939.exe (4 rows)
PID 2072 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\taskhost.exe (2 rows)
PID 2072 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\Dwm.exe (2 rows)
PID 2072 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\Explorer.EXE (2 rows)
PID 2072 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\DllHost.exe (1 row)
PID 2072 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\rundll32.exe (1 row)
PID 2072 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\SysWOW64\rundll32.exe (2 rows)
PID 3020 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764328.exe (4 rows)
PID 3020 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f765a6f.exe (4 rows)
PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Users\Admin\AppData\Local\Temp\f764328.exe (2 rows)
PID 2072 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Users\Admin\AppData\Local\Temp\f765a6f.exe (2 rows)
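The WriteProcessMemory table records the dropped f763939.exe (PID 2072) writing into the already running taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, into both rundll32 loaders, and into the other dropped executables, with the 64-bit rundll32 (1728) first writing into its 32-bit child (3020). The script below is an added example, not part of the report and not the sandbox's own tooling: it parses rows in that layout, merges repeated rows, flags writes whose source image lies outside C:\Windows and whose target lies inside it (the writes into taskhost, Dwm and Explorer), leaves rundll32-to-rundll32 and loader-to-dropped-file writes unflagged, and walks the write graph from the initial rundll32 PID to list every process the loader's code could have reached. The rows are a constructed subset of the table above; the Explorer.EXE row is duplicated on purpose to show the merging.

```python
"""Reconstruct the cross-process write graph from sandbox rows of the form
'PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>'.

Added example for this report, not sandbox tooling or code from the report.
"""
import re
from collections import Counter, deque
from typing import NamedTuple

# Constructed subset of the WriteProcessMemory table above; the duplicate
# Explorer.EXE row is kept deliberately to show merging of repeated rows.
SAMPLE_ROWS = [
    r"PID 1728 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 3020 wrote to memory of 2072 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763939.exe",
    r"PID 2072 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\taskhost.exe",
    r"PID 2072 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\system32\Dwm.exe",
    r"PID 2072 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\Explorer.EXE",
    r"PID 2072 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Windows\Explorer.EXE",
    r"PID 3020 wrote to memory of 2696 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f764328.exe",
    r"PID 2072 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f763939.exe C:\Users\Admin\AppData\Local\Temp\f764328.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


class Write(NamedTuple):
    src_pid: int
    src_img: str
    dst_pid: int
    dst_img: str


def parse_rows(rows):
    """Rows that are not WriteProcessMemory entries are ignored."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            writes.append(Write(int(m[1]), m[3], int(m[2]), m[4]))
    return writes


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_windows_dir(img: str) -> bool:
    """Image lives under C:\\Windows (system32, SysWOW64, Explorer.EXE)."""
    return img.lower().startswith("c:\\windows\\")


def edge_counts(rows):
    """Merge identical rows: (src_pid, dst_pid) -> number of recorded writes."""
    return Counter((w.src_pid, w.dst_pid) for w in parse_rows(rows))


def injections(rows):
    """Writes from an image outside C:\\Windows into an image inside it.
    Parent-to-child writes between two Windows-directory images (the 64-bit
    rundll32 setting up its 32-bit child) and writes into the dropped files
    stay unflagged. The rows do not say whether the writer created the target,
    so this is a triage filter, not proof of injection."""
    hits = Counter()
    for w in parse_rows(rows):
        if in_windows_dir(w.dst_img) and not in_windows_dir(w.src_img):
            hits[(basename(w.src_img), basename(w.dst_img), w.dst_pid)] += 1
    return [(src, dst, pid, n) for (src, dst, pid), n in hits.items()]


def reach(rows, start_pid: int):
    """PIDs reachable from start_pid by following memory writes, breadth first:
    every process the loader's code could have ended up in."""
    adj = {}
    for w in parse_rows(rows):
        adj.setdefault(w.src_pid, [])
        if w.dst_pid not in adj[w.src_pid]:
            adj[w.src_pid].append(w.dst_pid)
    order = [start_pid]
    queue = deque([start_pid])
    while queue:
        pid = queue.popleft()
        for nxt in adj.get(pid, []):
            if nxt not in order:
                order.append(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    for (src, dst), n in edge_counts(SAMPLE_ROWS).items():
        print(f"{src} -> {dst}  x{n}")
    for src, dst, pid, n in injections(SAMPLE_ROWS):
        print(f"INJECT  {src} -> {dst} (PID {pid})  x{n}")
    print("reachable from 1728:", reach(SAMPLE_ROWS, 1728))
```

On the full table the reach set from 1728 also includes 1956 (DllHost.exe) and 2420 (f765a6f.exe), which is the containment scope an incident responder needs: every one of those processes has to be treated as carrying the sample's code, and the later registry writes attributed to f765a6f.exe in the tables above come from a process that was itself written into by both rundll32 (3020) and f763939.exe (2072).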

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763939.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f765a6f.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Users\Admin\AppData\Local\Temp\f763939.exe

C:\Users\Admin\AppData\Local\Temp\f763939.exe

C:\Users\Admin\AppData\Local\Temp\f764328.exe

C:\Users\Admin\AppData\Local\Temp\f764328.exe

C:\Users\Admin\AppData\Local\Temp\f765a6f.exe

C:\Users\Admin\AppData\Local\Temp\f765a6f.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f763939.exe

MD5 2dbaf6c9322694eed36f5db287e977b5
SHA1 9009b4e7ef9e7f1f012bff8c2a6beb311ace94c4
SHA256 cf3f29025570deb7227b4cd4b8a88d49c3987f0abaa26d04581bec3fc1957db3
SHA512 8347e8ef0c4ba69329e0f27af10bd71858692f0696abfde1b8e32d1c50ad49049b7df9f5ffbc5d3f88d489337e8a464d309e7c845775b2d0f131835d3bc54c71

memory/2072-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2072-11-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-13-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/1124-15-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2072-14-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-17-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-21-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3020-27-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2072-26-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3020-28-0x0000000000200000-0x0000000000201000-memory.dmp

memory/3020-35-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2072-33-0x00000000005D0000-0x000000000168A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f764328.exe

MD5 3d6c458f3cd1986a2c05223a1c832cd0
SHA1 33c272ba8655b6c6299930d89e4db0a2e5396b80
SHA256 0b398016f770d77cb3aa085ad5aabd855e9705873b891932e609f1f382051fba
SHA512 f097b7e3eff478d6d4e4c374a53d5939ec31633dbf6fac094b142d5832def73a2d06ce97d9546b7b5c3bf9764f48b0f199e14353a4d679715c18dfb4cef30ce3

memory/2072-45-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3020-47-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2696-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-49-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3020-37-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2072-51-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-53-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-55-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-57-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-61-0x0000000003D10000-0x0000000003D11000-memory.dmp

memory/2072-60-0x00000000004C0000-0x00000000004C2000-memory.dmp

memory/2072-62-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-63-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-64-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3020-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2072-66-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/3020-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-79-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-80-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-82-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-83-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-88-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2072-93-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2696-101-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2072-95-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2696-102-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2420-109-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2072-131-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2072-132-0x00000000005D0000-0x000000000168A000-memory.dmp

memory/2420-134-0x00000000009B0000-0x0000000001A6A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 96b8c0a875eb41cf79192337d0a7b0f7
SHA1 3cbe9ec1460f544a66721bffc871221aecdce0ba
SHA256 995e17ef7b2ac6026ed429c5032f4c37b946abd624e499bb06647656133b55b1
SHA512 d178e393d2dd97690e844aa95aec0ad77f032912c001c0deb75a0e362b2d13633b89294806aa24835c99ff622b77b7fef3fb5e0d90635de89cc2ef07f11bfd27

memory/2420-141-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-142-0x00000000009B0000-0x0000000001A6A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 08:51

Reported

2024-02-29 08:54

Platform

win10v2004-20240226-en

Max time kernel

104s

Max time network

120s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

30 rule matches reported; no description, indicator, process or target was recorded for any of them.

UPX dump on OEP (original entry point)

35 rule matches reported; no description, indicator, process or target was recorded for any of them.

UPX packed file

upx
30 rule matches reported; no description, indicator, process or target was recorded for any of them.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57cfe3 C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A
File created C:\Windows\e576f54 C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 1844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576dfc.exe
PID 1844 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\fontdrvhost.exe
PID 1844 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\fontdrvhost.exe
PID 1844 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\dwm.exe
PID 1844 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\sihost.exe
PID 1844 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\svchost.exe
PID 1844 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\taskhostw.exe
PID 1844 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\Explorer.EXE
PID 1844 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\svchost.exe
PID 1844 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\DllHost.exe
PID 1844 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1844 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1844 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1844 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\rundll32.exe
PID 1844 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SysWOW64\rundll32.exe
PID 1844 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 2844 wrote to memory of 4600 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5770ea.exe
PID 1844 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\fontdrvhost.exe
PID 1844 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\fontdrvhost.exe
PID 1844 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\dwm.exe
PID 1844 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\sihost.exe
PID 1844 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\svchost.exe
PID 1844 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\taskhostw.exe
PID 1844 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\Explorer.EXE
PID 1844 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\svchost.exe
PID 1844 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\DllHost.exe
PID 1844 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1844 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1844 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1844 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1844 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\rundll32.exe
PID 1844 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 1844 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Users\Admin\AppData\Local\Temp\e5770ea.exe
PID 1844 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\RuntimeBroker.exe
PID 1844 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\e576dfc.exe C:\Windows\System32\wuapihost.exe
PID 2844 wrote to memory of 4728 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe
PID 4728 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe C:\Windows\system32\fontdrvhost.exe
PID 4728 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe C:\Windows\system32\fontdrvhost.exe
PID 4728 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe C:\Windows\system32\dwm.exe
PID 4728 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe C:\Windows\system32\sihost.exe
PID 4728 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe C:\Windows\system32\svchost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576dfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Packed.Win32.Salpack.dll,#1

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\e576dfc.exe

C:\Users\Admin\AppData\Local\Temp\e576dfc.exe

C:\Users\Admin\AppData\Local\Temp\e5770ea.exe

C:\Users\Admin\AppData\Local\Temp\e5770ea.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\wuapihost.exe

C:\Windows\System32\wuapihost.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe

C:\Users\Admin\AppData\Local\Temp\e57a7aa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e576dfc.exe

MD5 2dbaf6c9322694eed36f5db287e977b5
SHA1 9009b4e7ef9e7f1f012bff8c2a6beb311ace94c4
SHA256 cf3f29025570deb7227b4cd4b8a88d49c3987f0abaa26d04581bec3fc1957db3
SHA512 8347e8ef0c4ba69329e0f27af10bd71858692f0696abfde1b8e32d1c50ad49049b7df9f5ffbc5d3f88d489337e8a464d309e7c845775b2d0f131835d3bc54c71

C:\Windows\SYSTEM.INI

MD5 f9ede2bf24098023078ad72afa9d2e7b
SHA1 449b69ea0adb0958cd84ada231caedce5e89f5d3
SHA256 d86161df67a6aa9d7fd28d0ac9a919a736c112e690fec2793fb59b4f4e45e838
SHA512 fc0dc264d63eb74ec912275af7e09db4865436094be4761d7a1b32ac87ccf7f7c19614d318fe554f52f011a817e88942fedfc0989525fde8152918b3665bc744
