sality | d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5

General

Target

d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll
Size

120KB
MD5

c50a76afc0a61ae93d077a45dad04605
SHA1

e5127eddb59d758fddb919ddf8d0bd916baf3d4b
SHA256

d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5
SHA512

84479c6faf26e08dcb2ae15730fad3579e5c9578601262a990ff95d8c4223221327de010c07c63ab1b9f0af5bfa5a85a49f61bd0fe71e40a1992fdd2ab9c448e
SSDEEP

1536:9nEH/Uv9R3f9sx0CrJIXWn4xjp6uAwxYnnXrC4T7Md0lvOGy8k+MW4W8J52:VOUlR3ax0syX76lweXx7Bbk+8W8j

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e577e09.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e577e09.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577e09.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577e09.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs

Processes:

resource	yara_rule
behavioral2/memory/452-7-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-9-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-10-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-14-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-22-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-29-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-30-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-31-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-32-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-33-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-34-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-35-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-36-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-37-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-38-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-40-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-53-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-54-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-56-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-57-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-71-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-73-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-76-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-79-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-81-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-88-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-90-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-91-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-92-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/452-94-0x0000000000800000-0x00000000018BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4020-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/452-7-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-9-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-10-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-14-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-22-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-29-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-30-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-31-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-32-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-33-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-34-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-35-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-36-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-37-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-38-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-40-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-53-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-54-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-56-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-57-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-71-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-73-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-76-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-79-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-81-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-88-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-90-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-91-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-92-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/452-94-0x0000000000800000-0x00000000018BA000-memory.dmp	UPX
behavioral2/memory/3128-116-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/452-114-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1392-121-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4020-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp	UPX
behavioral2/memory/4020-126-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

e577e09.exee57806b.exee579952.exee579971.exe

pid process

452 e577e09.exe
3128 e57806b.exe
1392 e579952.exe
4020 e579971.exe

pid	process
452	e577e09.exe
3128	e57806b.exe
1392	e579952.exe
4020	e579971.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/452-7-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-9-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-10-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-14-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-22-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-29-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-30-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-31-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-32-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-33-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-34-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-35-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-36-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-37-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-38-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-40-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-53-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-54-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-56-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-57-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-71-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-73-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-76-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-79-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-81-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-88-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-90-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-91-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-92-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/452-94-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4020-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e577e09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e577e09.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e577e09.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e577e09.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577e09.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e577e09.exe

description	ioc	process
File opened (read-only)	\??\P:	e577e09.exe
File opened (read-only)	\??\Q:	e577e09.exe
File opened (read-only)	\??\H:	e577e09.exe
File opened (read-only)	\??\L:	e577e09.exe
File opened (read-only)	\??\K:	e577e09.exe
File opened (read-only)	\??\M:	e577e09.exe
File opened (read-only)	\??\O:	e577e09.exe
File opened (read-only)	\??\G:	e577e09.exe
File opened (read-only)	\??\J:	e577e09.exe
File opened (read-only)	\??\N:	e577e09.exe
File opened (read-only)	\??\R:	e577e09.exe
File opened (read-only)	\??\E:	e577e09.exe
File opened (read-only)	\??\I:	e577e09.exe

Drops file in Program Files directory 4 IoCs

Processes:

e577e09.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e577e09.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e577e09.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e577e09.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e577e09.exe

Drops file in Windows directory 2 IoCs

Processes:

e577e09.exe

description ioc process

File created C:\Windows\e577ed5 e577e09.exe
File opened for modification C:\Windows\SYSTEM.INI e577e09.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e577e09.exe

pid process

452 e577e09.exe
452 e577e09.exe
452 e577e09.exe
452 e577e09.exe

description	ioc	process
File created	C:\Windows\e577ed5	e577e09.exe
File opened for modification	C:\Windows\SYSTEM.INI	e577e09.exe

pid	process
452	e577e09.exe
452	e577e09.exe
452	e577e09.exe
452	e577e09.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e577e09.exe

description	pid	process
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe
Token: SeDebugPrivilege	452	e577e09.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

rundll32.exerundll32.exee577e09.exe

description	pid	process	target process
PID 4324 wrote to memory of 2508	4324	rundll32.exe	rundll32.exe
PID 4324 wrote to memory of 2508	4324	rundll32.exe	rundll32.exe
PID 4324 wrote to memory of 2508	4324	rundll32.exe	rundll32.exe
PID 2508 wrote to memory of 452	2508	rundll32.exe	e577e09.exe
PID 2508 wrote to memory of 452	2508	rundll32.exe	e577e09.exe
PID 2508 wrote to memory of 452	2508	rundll32.exe	e577e09.exe
PID 452 wrote to memory of 788	452	e577e09.exe	fontdrvhost.exe
PID 452 wrote to memory of 792	452	e577e09.exe	fontdrvhost.exe
PID 452 wrote to memory of 64	452	e577e09.exe	dwm.exe
PID 452 wrote to memory of 2572	452	e577e09.exe	sihost.exe
PID 452 wrote to memory of 2620	452	e577e09.exe	svchost.exe
PID 452 wrote to memory of 2936	452	e577e09.exe	taskhostw.exe
PID 452 wrote to memory of 3552	452	e577e09.exe	Explorer.EXE
PID 452 wrote to memory of 3712	452	e577e09.exe	svchost.exe
PID 452 wrote to memory of 3928	452	e577e09.exe	DllHost.exe
PID 452 wrote to memory of 4024	452	e577e09.exe	StartMenuExperienceHost.exe
PID 452 wrote to memory of 4088	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 784	452	e577e09.exe	SearchApp.exe
PID 452 wrote to memory of 4244	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 2104	452	e577e09.exe	TextInputHost.exe
PID 452 wrote to memory of 4708	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 3720	452	e577e09.exe	backgroundTaskHost.exe
PID 452 wrote to memory of 4960	452	e577e09.exe	backgroundTaskHost.exe
PID 452 wrote to memory of 4208	452	e577e09.exe	backgroundTaskHost.exe
PID 452 wrote to memory of 4324	452	e577e09.exe	rundll32.exe
PID 452 wrote to memory of 2508	452	e577e09.exe	rundll32.exe
PID 452 wrote to memory of 2508	452	e577e09.exe	rundll32.exe
PID 2508 wrote to memory of 3128	2508	rundll32.exe	e57806b.exe
PID 2508 wrote to memory of 3128	2508	rundll32.exe	e57806b.exe
PID 2508 wrote to memory of 3128	2508	rundll32.exe	e57806b.exe
PID 2508 wrote to memory of 1392	2508	rundll32.exe	e579952.exe
PID 2508 wrote to memory of 1392	2508	rundll32.exe	e579952.exe
PID 2508 wrote to memory of 1392	2508	rundll32.exe	e579952.exe
PID 2508 wrote to memory of 4020	2508	rundll32.exe	e579971.exe
PID 2508 wrote to memory of 4020	2508	rundll32.exe	e579971.exe
PID 2508 wrote to memory of 4020	2508	rundll32.exe	e579971.exe
PID 452 wrote to memory of 788	452	e577e09.exe	fontdrvhost.exe
PID 452 wrote to memory of 792	452	e577e09.exe	fontdrvhost.exe
PID 452 wrote to memory of 64	452	e577e09.exe	dwm.exe
PID 452 wrote to memory of 2572	452	e577e09.exe	sihost.exe
PID 452 wrote to memory of 2620	452	e577e09.exe	svchost.exe
PID 452 wrote to memory of 2936	452	e577e09.exe	taskhostw.exe
PID 452 wrote to memory of 3552	452	e577e09.exe	Explorer.EXE
PID 452 wrote to memory of 3712	452	e577e09.exe	svchost.exe
PID 452 wrote to memory of 3928	452	e577e09.exe	DllHost.exe
PID 452 wrote to memory of 4024	452	e577e09.exe	StartMenuExperienceHost.exe
PID 452 wrote to memory of 4088	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 784	452	e577e09.exe	SearchApp.exe
PID 452 wrote to memory of 4244	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 2104	452	e577e09.exe	TextInputHost.exe
PID 452 wrote to memory of 4708	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 3720	452	e577e09.exe	backgroundTaskHost.exe
PID 452 wrote to memory of 4960	452	e577e09.exe	backgroundTaskHost.exe
PID 452 wrote to memory of 3128	452	e577e09.exe	e57806b.exe
PID 452 wrote to memory of 3128	452	e577e09.exe	e57806b.exe
PID 452 wrote to memory of 540	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 2896	452	e577e09.exe	RuntimeBroker.exe
PID 452 wrote to memory of 1392	452	e577e09.exe	e579952.exe
PID 452 wrote to memory of 1392	452	e577e09.exe	e579952.exe
PID 452 wrote to memory of 4020	452	e577e09.exe	e579971.exe
PID 452 wrote to memory of 4020	452	e577e09.exe	e579971.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e577e09.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577e09.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e577e09.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:64

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2620

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\e577e09.exe
C:\Users\Admin\AppData\Local\Temp\e577e09.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:452

C:\Users\Admin\AppData\Local\Temp\e57806b.exe
C:\Users\Admin\AppData\Local\Temp\e57806b.exe
4⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\AppData\Local\Temp\e579952.exe
C:\Users\Admin\AppData\Local\Temp\e579952.exe
4⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Temp\e579971.exe
C:\Users\Admin\AppData\Local\Temp\e579971.exe
4⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4088

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4244

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4708

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3720

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4960

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4208

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e577e09.exe
Filesize
97KB

MD5
0e675e780b4fbea52100a50359abbf6f

SHA1
1b1b04ff3a8e39804bc71abcb5408639e4b99c17

SHA256
4401cc67ef5556e5c94dc1fd93ba1b89722d6886ea4989bfe8773473ee2bbe1f

SHA512
9d24aad2b43907c5601523b18a9bc8ba2bb26c76c744afee501912691011628f0ede9adf5bdc92a14ad26e6ab3efe92e51da02bc2d1e875097a1a2ade7315e04

Download Submit
memory/452-54-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-78-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/452-7-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-9-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-10-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-56-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-114-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/452-57-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-18-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/452-14-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-21-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/452-22-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-29-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-30-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-31-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-32-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-33-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-34-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-35-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-36-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-37-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-38-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-40-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-92-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-91-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-53-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-90-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-88-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-94-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-81-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-79-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/452-76-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-73-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/452-71-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/1392-64-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1392-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1392-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1392-67-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/1392-63-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2508-12-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2508-2-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2508-49-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/2508-13-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/2508-11-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/3128-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3128-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3128-116-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3128-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4020-126-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4020-68-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4020-70-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/4020-123-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads