sality | 6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac

General

Target

6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll
Size

120KB
MD5

36eae6416ac6cb365c05bc7a22484539
SHA1

2146d672184a2c013d19028a1a88c4f341bad40e
SHA256

6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac
SHA512

07c91fb844cc81a6ccfd45723f4e2b38cd79db80aa06fcaa12573772b64c995e31d9ea863b8aa82269b4dce9fb9348a24492b8989174811e8e764acc5dcdb3f9
SSDEEP

3072:RFEkfFmQpZykF2lqAXu+0bloQmzkQC5BZlHW3eyH:RC48Qpgm2lTP0b2QtPHy

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575c39.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e575c39.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575c39.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575c39.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3924-6-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-8-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-9-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-18-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-29-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-10-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-30-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-31-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-32-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-33-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-35-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-36-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-37-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-38-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-56-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-57-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-59-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-62-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-68-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-70-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3924-74-0x0000000000780000-0x000000000183A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 25 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3924-6-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-8-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-9-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-18-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-29-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-10-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-30-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-31-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-32-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-33-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-35-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-36-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-37-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-38-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/4672-47-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/3924-56-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-57-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-59-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-62-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-68-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-70-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-74-0x0000000000780000-0x000000000183A000-memory.dmp	UPX
behavioral2/memory/3924-94-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1928-95-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4672-99-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e575c39.exee575ff2.exee5787fc.exe

pid process

3924 e575c39.exe
1928 e575ff2.exe
4672 e5787fc.exe

pid	process
3924	e575c39.exe
1928	e575ff2.exe
4672	e5787fc.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3924-6-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-8-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-9-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-18-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-29-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-10-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-30-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-31-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-32-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-33-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-35-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-36-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-37-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-38-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-56-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-57-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-59-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-62-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-68-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-70-0x0000000000780000-0x000000000183A000-memory.dmp	upx
behavioral2/memory/3924-74-0x0000000000780000-0x000000000183A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575c39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575c39.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575c39.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e575c39.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575c39.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e575c39.exe

description	ioc	process
File opened (read-only)	\??\E:	e575c39.exe
File opened (read-only)	\??\G:	e575c39.exe
File opened (read-only)	\??\H:	e575c39.exe
File opened (read-only)	\??\I:	e575c39.exe
File opened (read-only)	\??\J:	e575c39.exe
File opened (read-only)	\??\K:	e575c39.exe

Drops file in Windows directory 2 IoCs

Processes:

e575c39.exe

description ioc process

File created C:\Windows\e575da1 e575c39.exe
File opened for modification C:\Windows\SYSTEM.INI e575c39.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e575c39.exe

pid process

3924 e575c39.exe
3924 e575c39.exe
3924 e575c39.exe
3924 e575c39.exe

description	ioc	process
File created	C:\Windows\e575da1	e575c39.exe
File opened for modification	C:\Windows\SYSTEM.INI	e575c39.exe

pid	process
3924	e575c39.exe
3924	e575c39.exe
3924	e575c39.exe
3924	e575c39.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e575c39.exe

description	pid	process
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe
Token: SeDebugPrivilege	3924	e575c39.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

rundll32.exerundll32.exee575c39.exe

description	pid	process	target process
PID 3172 wrote to memory of 3116	3172	rundll32.exe	rundll32.exe
PID 3172 wrote to memory of 3116	3172	rundll32.exe	rundll32.exe
PID 3172 wrote to memory of 3116	3172	rundll32.exe	rundll32.exe
PID 3116 wrote to memory of 3924	3116	rundll32.exe	e575c39.exe
PID 3116 wrote to memory of 3924	3116	rundll32.exe	e575c39.exe
PID 3116 wrote to memory of 3924	3116	rundll32.exe	e575c39.exe
PID 3924 wrote to memory of 796	3924	e575c39.exe	fontdrvhost.exe
PID 3924 wrote to memory of 804	3924	e575c39.exe	fontdrvhost.exe
PID 3924 wrote to memory of 336	3924	e575c39.exe	dwm.exe
PID 3924 wrote to memory of 2524	3924	e575c39.exe	sihost.exe
PID 3924 wrote to memory of 2568	3924	e575c39.exe	svchost.exe
PID 3924 wrote to memory of 2812	3924	e575c39.exe	taskhostw.exe
PID 3924 wrote to memory of 3408	3924	e575c39.exe	Explorer.EXE
PID 3924 wrote to memory of 3540	3924	e575c39.exe	svchost.exe
PID 3924 wrote to memory of 3764	3924	e575c39.exe	DllHost.exe
PID 3924 wrote to memory of 3864	3924	e575c39.exe	StartMenuExperienceHost.exe
PID 3924 wrote to memory of 3976	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 4056	3924	e575c39.exe	SearchApp.exe
PID 3924 wrote to memory of 4136	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 4836	3924	e575c39.exe	TextInputHost.exe
PID 3924 wrote to memory of 1844	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 2488	3924	e575c39.exe	backgroundTaskHost.exe
PID 3924 wrote to memory of 3172	3924	e575c39.exe	rundll32.exe
PID 3924 wrote to memory of 3116	3924	e575c39.exe	rundll32.exe
PID 3924 wrote to memory of 3116	3924	e575c39.exe	rundll32.exe
PID 3116 wrote to memory of 1928	3116	rundll32.exe	e575ff2.exe
PID 3116 wrote to memory of 1928	3116	rundll32.exe	e575ff2.exe
PID 3116 wrote to memory of 1928	3116	rundll32.exe	e575ff2.exe
PID 3924 wrote to memory of 412	3924	e575c39.exe	BackgroundTaskHost.exe
PID 3116 wrote to memory of 4672	3116	rundll32.exe	e5787fc.exe
PID 3116 wrote to memory of 4672	3116	rundll32.exe	e5787fc.exe
PID 3116 wrote to memory of 4672	3116	rundll32.exe	e5787fc.exe
PID 3924 wrote to memory of 796	3924	e575c39.exe	fontdrvhost.exe
PID 3924 wrote to memory of 804	3924	e575c39.exe	fontdrvhost.exe
PID 3924 wrote to memory of 336	3924	e575c39.exe	dwm.exe
PID 3924 wrote to memory of 2524	3924	e575c39.exe	sihost.exe
PID 3924 wrote to memory of 2568	3924	e575c39.exe	svchost.exe
PID 3924 wrote to memory of 2812	3924	e575c39.exe	taskhostw.exe
PID 3924 wrote to memory of 3408	3924	e575c39.exe	Explorer.EXE
PID 3924 wrote to memory of 3540	3924	e575c39.exe	svchost.exe
PID 3924 wrote to memory of 3764	3924	e575c39.exe	DllHost.exe
PID 3924 wrote to memory of 3864	3924	e575c39.exe	StartMenuExperienceHost.exe
PID 3924 wrote to memory of 3976	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 4056	3924	e575c39.exe	SearchApp.exe
PID 3924 wrote to memory of 4136	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 4836	3924	e575c39.exe	TextInputHost.exe
PID 3924 wrote to memory of 1844	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 2488	3924	e575c39.exe	backgroundTaskHost.exe
PID 3924 wrote to memory of 3172	3924	e575c39.exe	rundll32.exe
PID 3924 wrote to memory of 1928	3924	e575c39.exe	e575ff2.exe
PID 3924 wrote to memory of 1928	3924	e575c39.exe	e575ff2.exe
PID 3924 wrote to memory of 4028	3924	e575c39.exe	RuntimeBroker.exe
PID 3924 wrote to memory of 4672	3924	e575c39.exe	e5787fc.exe
PID 3924 wrote to memory of 4672	3924	e575c39.exe	e5787fc.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e575c39.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575c39.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575c39.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2568

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2812

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc8872d56daab1ba2653b9bcb9ff31451f08ea264df1abec225185b03a2a3ac.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\e575c39.exe
C:\Users\Admin\AppData\Local\Temp\e575c39.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3924

C:\Users\Admin\AppData\Local\Temp\e575ff2.exe
C:\Users\Admin\AppData\Local\Temp\e575ff2.exe
4⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\e5787fc.exe
C:\Users\Admin\AppData\Local\Temp\e5787fc.exe
4⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4136

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2488

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e575c39.exe
Filesize
97KB

MD5
31e569cda6fbc584573f924788810d7a

SHA1
a6097df8abc417bf3a1b55722cdb5b79cd50e508

SHA256
67eddb6ad3e12fda050ae63c1adba55432034d47c639628252217674068babe5

SHA512
6fc2f8f9699364180711120f2b439a7678f979b7cf33bdbbac29ff9368778be2ff095d429b8bee00ec290d408f8e395ae66d14b9cb0d043f846b134cb5e5af47

Download Submit
memory/1928-91-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1928-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1928-54-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1928-49-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3116-15-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/3116-11-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/3116-13-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/3116-45-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/3116-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3116-12-0x0000000004420000-0x0000000004422000-memory.dmp

Filesize
8KB

Download
memory/3924-36-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-8-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-10-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-18-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-30-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-31-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-32-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-33-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-35-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-28-0x0000000001A30000-0x0000000001A32000-memory.dmp

Filesize
8KB

Download
memory/3924-37-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-38-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3924-20-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/3924-9-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-29-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-6-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-94-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3924-84-0x0000000001A30000-0x0000000001A32000-memory.dmp

Filesize
8KB

Download
memory/3924-56-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-57-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-59-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-62-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-68-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-70-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/3924-74-0x0000000000780000-0x000000000183A000-memory.dmp

Filesize
16.7MB

Download
memory/4672-53-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4672-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4672-51-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4672-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4672-96-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4672-99-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads