sality | 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Size

11.5MB
MD5

28888bd9ca38693de7a63b68b49ea57e
SHA1

33386637a11a825a77d38336f6435199d460b1f4
SHA256

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a
SHA512

9f6ff1be7bc3e164c2a975213d77bc6bf5f2db35246758bf9c9eb7b40241b0d096e4e32c329abc4adba1eba8da20e9d1b8711ed9803b454aee8386bce57a9962
SSDEEP

196608:vwwmggPmkzg3h4kwDy9cWWfIqw2XRJ2NFEzvwr3RDjRJQLY1vaWoA7fxFgRg8y:vjqx0R9kyTWfnwkRINmTyFjILcvabArL

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1464 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

invcol.exe

pid process

3028 invcol.exe
Loads dropped DLL 6 IoCs

Processes:

invcol.exe

pid process

3028 invcol.exe
3028 invcol.exe
3028 invcol.exe
3028 invcol.exe
3028 invcol.exe
3028 invcol.exe

pid	process
1464	netsh.exe

pid	process
3028	invcol.exe

pid	process
3028	invcol.exe
3028	invcol.exe
3028	invcol.exe
3028	invcol.exe
3028	invcol.exe
3028	invcol.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2860-1-0x0000000002420000-0x0000000003453000-memory.dmp	upx
behavioral2/memory/2860-27-0x0000000002420000-0x0000000003453000-memory.dmp	upx
behavioral2/memory/2860-163-0x0000000002420000-0x0000000003453000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Drops file in Windows directory 1 IoCs

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI 188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

pid	process
2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	pid	process
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Token: SeDebugPrivilege	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	pid	process	target process
PID 2860 wrote to memory of 1464	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	netsh.exe
PID 2860 wrote to memory of 1464	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	netsh.exe
PID 2860 wrote to memory of 1464	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	netsh.exe
PID 2860 wrote to memory of 804	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	fontdrvhost.exe
PID 2860 wrote to memory of 800	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	fontdrvhost.exe
PID 2860 wrote to memory of 384	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	dwm.exe
PID 2860 wrote to memory of 2660	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	sihost.exe
PID 2860 wrote to memory of 2684	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	svchost.exe
PID 2860 wrote to memory of 2900	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	taskhostw.exe
PID 2860 wrote to memory of 3348	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	Explorer.EXE
PID 2860 wrote to memory of 3564	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	svchost.exe
PID 2860 wrote to memory of 3752	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	DllHost.exe
PID 2860 wrote to memory of 3880	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	StartMenuExperienceHost.exe
PID 2860 wrote to memory of 3976	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	RuntimeBroker.exe
PID 2860 wrote to memory of 4064	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	SearchApp.exe
PID 2860 wrote to memory of 4112	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	RuntimeBroker.exe
PID 2860 wrote to memory of 4460	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	RuntimeBroker.exe
PID 2860 wrote to memory of 3056	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	TextInputHost.exe
PID 2860 wrote to memory of 1244	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 4788	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 1084	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 2232	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 4820	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 4228	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 4568	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	msedge.exe
PID 2860 wrote to memory of 2732	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	backgroundTaskHost.exe
PID 2860 wrote to memory of 2320	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	backgroundTaskHost.exe
PID 2860 wrote to memory of 4868	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	backgroundTaskHost.exe
PID 2860 wrote to memory of 216	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	BackgroundTaskHost.exe
PID 2860 wrote to memory of 4844	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	Conhost.exe
PID 2860 wrote to memory of 5024	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	RuntimeBroker.exe
PID 2860 wrote to memory of 1464	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	netsh.exe
PID 2860 wrote to memory of 1464	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	netsh.exe
PID 2860 wrote to memory of 3028	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	invcol.exe
PID 2860 wrote to memory of 3028	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	invcol.exe
PID 2860 wrote to memory of 3028	2860	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe	invcol.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2684

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
"C:\Users\Admin\AppData\Local\Temp\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe"
2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4844

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
3⤵
- Modifies Windows Firewall
PID:1464

C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\invcol.exe
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\.\invcol.exe -bdir="C:\Users\Admin\AppData\Local\Temp"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff9adf35fd8,0x7ff9adf35fe4,0x7ff9adf35ff0
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2252 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:2
2⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3212 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:3
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3360 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5536 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:1
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
2⤵
PID:1212

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2732

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:2320

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4868

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:216

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E576E69_Rar\188404124e80dd746f7a3eef0e3c058f3ca20a28f61e05e0e874d9d3d8766f6a.exe
Filesize
11.4MB

MD5
ada55ba90caddd5608f8cff24fa1aebf

SHA1
ab4fb117391cfc7c237b83b002467cc9d2bd9861

SHA256
c11c47c3d653e28834639981838fd0bb633851eb71f2c5b740cfcf11ba8add3c

SHA512
d9ef070f916b7723bd150bee8b630a5869dbd4d300fb488138cdf6f9063a78d92e294bb53f49294c8adb059f0da382f7e5de4f5802a146df3bc678e3841b0007

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\ICConfig_user.xml
Filesize
5KB

MD5
43b8b7358adedb0c648341e3793525f2

SHA1
66f1a7c386834d9b2d541e49f293a9982dd4e837

SHA256
5c80c1ee6233cdffd0ba077d124162ca2ddb8524d0fb7891ac7ef099c082ea3b

SHA512
22a1bc5f845132814a7b0e57b93d8e00832ad455475c5adb484a27d0b6c67ac30ef57bf3b427cd38bdaf86a6ddf273140bc9e0301a3145dcfca086b362b64f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\IMAGE\DrvCfg32.ini
Filesize
499B

MD5
4228bbca64f8930e731f86a04c315a97

SHA1
832e5c640c186f23097012a05029435d9e334bc7

SHA256
1bc14f6aae8579e18446fad5fca50568dc2ebbbda16f7bc9fee78e6f85d5eb71

SHA512
ea2646c663c84bf8c30d8b215e991991cc2033a3cc117bac343275b59525b3f222c4b1471606f74affa00d59d633c659f62778e2d41a8cdf6b48941e6e64703f

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\Executables\DRVUpdate.exe
Filesize
376KB

MD5
149c2c52887c6977e446e6850b3664a4

SHA1
d8412451dc43276beb33fb98e272420faa14096e

SHA256
834031bfd5cb81c33f453ee26d35f4d57544098f223b6bee5ec8e5f2927b4756

SHA512
bcb45848ef0f2776ca1103c05222dd8d76d2518d40a80b7576214e16f015023ef58a6bd90a9e746b2c13ed62bb0f8bbeb76daeb31d05c477b614b2203e493656

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\RLtek_Ethernate\RegForceInventory.xml
Filesize
128KB

MD5
30aa7e953010b6b40f5cb83f6aff782e

SHA1
5ec0f4e8c60db66567983c858bd9b2780158b881

SHA256
95fdc46b7b1f57f0546304f9816894a6caf5fb767b7dd0aff2889cdc79f97ee0

SHA512
f58676f8f517da6aba2b02da014fd4b5c6e66d646c9635783e7f4af9d65e9c37e3ce7f86e87f11bef53c8d03a5938c732f3b777b7109f7177062049e1b0e8c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\Thunderbolt_Reg\RLtek_USB_Driver_WOW\DrvCfg32.ini
Filesize
1KB

MD5
9512cb4a8245bea4322f8bc680ac0dc3

SHA1
7ed23dc741ca0328562629f782e6456372f1c04b

SHA256
9141964056b46365da57f704104eea7d222741b3438d567c7f1b7569e0c0534c

SHA512
aae4d6e8c6edb14b774e348fec4e5fa3a3790e747c8526fc313efe34d7c2607779ff81785aca2640a60a7e308ec398a3035adac6488d66946b3e06fdaeddbdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\dsupt32.dll
Filesize
701KB

MD5
daff72a6f9ead46c5d4a6f098b9de957

SHA1
0588095631d10727a780c99089da975317891d4a

SHA256
7bb19abe5a3cbda2fd3832f711b960761af79d7e1845a3533864df51c30ba241

SHA512
950953335dda9759429806425449a9540c6dc11f88abf104227f8da97f8d8d30b2a96430a426829fad9c1654630f6c96dbf6487c49f3e36f9ade0fe2ab669dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\icsvc32.dll
Filesize
1.1MB

MD5
fd2d1ffd075c2e4014287d7be6144b02

SHA1
37128eab6cc55f834eaf64eb95308e3cff73323b

SHA256
513ce4c09b4454e98fce4575cffcee7707298450cabe3b6fa76496dbdb82097d

SHA512
bdf2a881f393bf678d0b285e429ed2edeec8eb8901f5549d71ab350b693782f48352b355573293fa5fd96179f95e7db607c76d586d32773882905eb35e34ecf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\invcol.exe
Filesize
40KB

MD5
f292f713153bec1c8fc47d528b107ad7

SHA1
d967cdacfe26dfdcf8f144218a9b9e2ed3d48624

SHA256
5bf0af9992ed358073d8a8e89c81b313f9c4ee7fec93245e2a9923a02e8e25c0

SHA512
37399aae2ec9f523fbb5a9f1010c77f3ee34ac69a9d00be56544d75377f2ce93dce78f319756b92e7f1a701faa9315ecbd9e37f8ceee4c13f66fbf42a43cbeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\msvcp140.dll
Filesize
436KB

MD5
37dcbba718886e5c24703b1268ce10b9

SHA1
441738a1ea802c266cb0a84789ace62e40010335

SHA256
968bbd2a36b04cc5795c6fc99afe85e4d294ff9c28032ce0e870463827181799

SHA512
00ab4cfe4b5bb989f2931cc8928982819a99df027b118c731957fc84c58cc8d636687ff39cf90dac313e3fe7c7738a4899fba98ebab5b6ed4cbfa372b0eb2561

Download Submit
C:\Users\Admin\AppData\Local\Temp\inv6DBE_tmp\vcruntime140.dll
Filesize
88KB

MD5
81b11024a8ed0c9adfd5fbf6916b133c

SHA1
c87f446d9655ba2f6fddd33014c75dc783941c33

SHA256
eb6a3a491efcc911f9dff457d42fed85c4c170139414470ea951b0dafe352829

SHA512
e4b1c694cb028fa960d750fa6a202bc3a477673b097b2a9e0991219b9891b5f879aa13aa741f73acd41eb23feee58e3dd6032821a23e9090ecd9cc2c3ec826a1

Download Submit
memory/1464-172-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1464-400-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/1464-194-0x00000000021C0000-0x00000000021C2000-memory.dmp

Filesize
8KB

Download
memory/2860-136-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/2860-163-0x0000000002420000-0x0000000003453000-memory.dmp

Filesize
16.2MB

Download
memory/2860-171-0x0000000003A80000-0x0000000003A82000-memory.dmp

Filesize
8KB

Download
memory/2860-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2860-131-0x0000000003A80000-0x0000000003A82000-memory.dmp

Filesize
8KB

Download
memory/2860-27-0x0000000002420000-0x0000000003453000-memory.dmp

Filesize
16.2MB

Download
memory/2860-392-0x0000000003A80000-0x0000000003A82000-memory.dmp

Filesize
8KB

Download
memory/2860-399-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2860-1-0x0000000002420000-0x0000000003453000-memory.dmp

Filesize
16.2MB

Download
memory/3028-271-0x0000000000900000-0x0000000000A1E000-memory.dmp

Filesize
1.1MB

Download