sality | 392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033

General

Target

392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll
Size

120KB
MD5

1f36085ce2c80a804bfd3cf99b4492a3
SHA1

740b3e28317ab6847e76af8b904a46696097d30e
SHA256

392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033
SHA512

c138bb562c02947701a623ffab767a681de8c9b5162442cb6e9e5888b01427ce2870050db2117614206e883ddde2743a4a10abef982c243a40b1f1e6d41a8179
SSDEEP

1536:wHILkvILFVLoYOFehsDQlx+j/t3msFyR2YkkxkpDVa9RSy3OUwb0OJNU7B6l3u:+xInL+FeG0lx+jpkR2xc4Q9PNwbAB6l

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f760aca.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

f760aca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760aca.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760aca.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-13-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-15-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-16-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-18-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-21-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-26-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-23-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-35-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-47-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-30-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-54-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-55-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-56-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-57-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-58-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-72-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-76-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-77-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-79-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-81-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-83-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-85-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-87-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-90-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-91-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-94-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-95-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-101-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-102-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2472-104-0x00000000006E0000-0x000000000179A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-10-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2472-13-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-15-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-16-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-18-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-21-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-26-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-23-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-35-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2616-46-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2472-47-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-30-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-54-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-55-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-56-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-57-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-58-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-72-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/1324-75-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2472-76-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-77-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-79-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-81-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-83-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-85-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-87-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-90-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-91-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-94-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-95-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-101-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-102-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2472-104-0x00000000006E0000-0x000000000179A000-memory.dmp	UPX
behavioral1/memory/2616-118-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

f760aca.exef760fd9.exef762694.exe

pid process

2472 f760aca.exe
2616 f760fd9.exe
1324 f762694.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

2564 rundll32.exe
2564 rundll32.exe
2564 rundll32.exe
2564 rundll32.exe
2564 rundll32.exe
2564 rundll32.exe

pid	process
2472	f760aca.exe
2616	f760fd9.exe
1324	f762694.exe

pid	process
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe
2564	rundll32.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2472-13-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-15-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-16-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-18-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-21-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-26-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-23-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-35-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-47-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-30-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-54-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-55-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-56-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-57-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-58-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-72-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-76-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-77-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-79-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-81-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-83-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-85-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-87-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-90-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-91-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-94-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-95-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-101-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-102-0x00000000006E0000-0x000000000179A000-memory.dmp	upx
behavioral1/memory/2472-104-0x00000000006E0000-0x000000000179A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f760aca.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f760aca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f760aca.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f760aca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760aca.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f760aca.exe

description	ioc	process
File opened (read-only)	\??\I:	f760aca.exe
File opened (read-only)	\??\K:	f760aca.exe
File opened (read-only)	\??\N:	f760aca.exe
File opened (read-only)	\??\G:	f760aca.exe
File opened (read-only)	\??\H:	f760aca.exe
File opened (read-only)	\??\L:	f760aca.exe
File opened (read-only)	\??\M:	f760aca.exe
File opened (read-only)	\??\O:	f760aca.exe
File opened (read-only)	\??\P:	f760aca.exe
File opened (read-only)	\??\E:	f760aca.exe
File opened (read-only)	\??\J:	f760aca.exe

Drops file in Windows directory 2 IoCs

Processes:

f760aca.exe

description ioc process

File created C:\Windows\f760b76 f760aca.exe
File opened for modification C:\Windows\SYSTEM.INI f760aca.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f760aca.exe

pid process

2472 f760aca.exe

description	ioc	process
File created	C:\Windows\f760b76	f760aca.exe
File opened for modification	C:\Windows\SYSTEM.INI	f760aca.exe

pid	process
2472	f760aca.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

f760aca.exe

description	pid	process
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe
Token: SeDebugPrivilege	2472	f760aca.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

rundll32.exerundll32.exef760aca.exe

description	pid	process	target process
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2564	2660	rundll32.exe	rundll32.exe
PID 2564 wrote to memory of 2472	2564	rundll32.exe	f760aca.exe
PID 2564 wrote to memory of 2472	2564	rundll32.exe	f760aca.exe
PID 2564 wrote to memory of 2472	2564	rundll32.exe	f760aca.exe
PID 2564 wrote to memory of 2472	2564	rundll32.exe	f760aca.exe
PID 2472 wrote to memory of 1044	2472	f760aca.exe	Dwm.exe
PID 2472 wrote to memory of 1072	2472	f760aca.exe	taskhost.exe
PID 2472 wrote to memory of 1116	2472	f760aca.exe	Explorer.EXE
PID 2472 wrote to memory of 2128	2472	f760aca.exe	DllHost.exe
PID 2472 wrote to memory of 2660	2472	f760aca.exe	rundll32.exe
PID 2472 wrote to memory of 2564	2472	f760aca.exe	rundll32.exe
PID 2472 wrote to memory of 2564	2472	f760aca.exe	rundll32.exe
PID 2564 wrote to memory of 2616	2564	rundll32.exe	f760fd9.exe
PID 2564 wrote to memory of 2616	2564	rundll32.exe	f760fd9.exe
PID 2564 wrote to memory of 2616	2564	rundll32.exe	f760fd9.exe
PID 2564 wrote to memory of 2616	2564	rundll32.exe	f760fd9.exe
PID 2564 wrote to memory of 1324	2564	rundll32.exe	f762694.exe
PID 2564 wrote to memory of 1324	2564	rundll32.exe	f762694.exe
PID 2564 wrote to memory of 1324	2564	rundll32.exe	f762694.exe
PID 2564 wrote to memory of 1324	2564	rundll32.exe	f762694.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

f760aca.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f760aca.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f760aca.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1116

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\f760aca.exe
C:\Users\Admin\AppData\Local\Temp\f760aca.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2472

C:\Users\Admin\AppData\Local\Temp\f760fd9.exe
C:\Users\Admin\AppData\Local\Temp\f760fd9.exe
4⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\f762694.exe
C:\Users\Admin\AppData\Local\Temp\f762694.exe
4⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2128

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f760aca.exe
Filesize
97KB

MD5
6a1ce240e4d8cf642b1c51db59b3a900

SHA1
49d911b68395bf55d83f8af03d9d2e2841545dfa

SHA256
85cfb56e9ec5d79b7369ebea0ae8eada99a51084b40e86412e94aeba1254e7fa

SHA512
5a38ac5c17ad6a35777bc859580c5f08bfe3d161c10d455ea34caabb26b5df2c757206ba571f8c4bf0c04686546ae86abc15bc433a9f2d4d99f0ee151293ab99

Download Submit
memory/1044-17-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1324-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2472-77-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-79-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-104-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-57-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-102-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-16-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-18-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-21-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-101-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-26-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-56-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-95-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-58-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-35-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-94-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-47-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-30-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-91-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-54-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-55-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-23-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-15-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-90-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-87-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-72-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-85-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2472-83-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-81-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-76-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2472-13-0x00000000006E0000-0x000000000179A000-memory.dmp

Filesize
16.7MB

Download
memory/2564-34-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2564-67-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/2564-70-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2564-74-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2564-73-0x0000000000330000-0x0000000000332000-memory.dmp

Filesize
8KB

Download
memory/2564-0-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2564-33-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/2564-29-0x0000000000690000-0x0000000000692000-memory.dmp

Filesize
8KB

Download
memory/2564-31-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2564-11-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2564-4-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2616-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2616-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads