sality | b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb

General

Target

b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll
Size

120KB
MD5

5d825a2aa70b57b3a664db53d6996c5f
SHA1

06ecfd8d611989855ab4905cf72ada3a1a9051f9
SHA256

b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb
SHA512

8022008d49704aa959d7c3470813a7b9ccd011376a0f5678cbf4bd3a2e9599d473edeb166760763a169f3af2b74ef6cf4c4d3894686eeb582ef3c1f92142f605
SSDEEP

1536:kVshIgAiWmE86VxEQdg7wmdHd3if8WrBG3nAzo1YSYPZ+yA5GM77mOHROHbZm9oi:9Ig1WGHQdgFdH2B4nAzOYPgkOHcbY9t

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

f76a8ae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	f76a8ae.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

f76a8ae.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a8ae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76a8ae.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76a8ae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76a8ae.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-12-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-14-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-15-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-18-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-23-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-43-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-49-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-27-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-58-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-59-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-60-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-61-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-62-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-63-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-78-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-81-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-82-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-83-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-85-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-106-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-108-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2172-144-0x00000000005D0000-0x000000000168A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral1/memory/2384-150-0x0000000000920000-0x00000000019DA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 28 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-10-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2172-12-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-14-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-15-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-18-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-23-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-43-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/1744-46-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2172-49-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-27-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-58-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-59-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-60-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-61-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-62-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2384-79-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2172-63-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-78-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-81-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-82-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-83-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-85-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-106-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-108-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2172-143-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral1/memory/2172-144-0x00000000005D0000-0x000000000168A000-memory.dmp	UPX
behavioral1/memory/2384-150-0x0000000000920000-0x00000000019DA000-memory.dmp	UPX
behavioral1/memory/2384-149-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

f76a8ae.exef76b02d.exef76c236.exe

pid process

2172 f76a8ae.exe
1744 f76b02d.exe
2384 f76c236.exe
Loads dropped DLL 6 IoCs

Processes:

rundll32.exe

pid process

1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe
1772 rundll32.exe

pid	process
2172	f76a8ae.exe
1744	f76b02d.exe
2384	f76c236.exe

pid	process
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2172-12-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-14-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-15-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-18-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-23-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-43-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-49-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-27-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-58-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-59-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-60-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-61-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-62-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-63-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-78-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-81-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-82-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-83-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-85-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-106-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-108-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2172-144-0x00000000005D0000-0x000000000168A000-memory.dmp	upx
behavioral1/memory/2384-150-0x0000000000920000-0x00000000019DA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f76a8ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f76a8ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	f76a8ae.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f76a8ae.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a8ae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76a8ae.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f76a8ae.exe

description	ioc	process
File opened (read-only)	\??\G:	f76a8ae.exe
File opened (read-only)	\??\J:	f76a8ae.exe
File opened (read-only)	\??\M:	f76a8ae.exe
File opened (read-only)	\??\O:	f76a8ae.exe
File opened (read-only)	\??\L:	f76a8ae.exe
File opened (read-only)	\??\N:	f76a8ae.exe
File opened (read-only)	\??\E:	f76a8ae.exe
File opened (read-only)	\??\H:	f76a8ae.exe
File opened (read-only)	\??\I:	f76a8ae.exe
File opened (read-only)	\??\K:	f76a8ae.exe

Drops file in Windows directory 2 IoCs

Processes:

f76a8ae.exe

description ioc process

File created C:\Windows\f76a9d6 f76a8ae.exe
File opened for modification C:\Windows\SYSTEM.INI f76a8ae.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f76a8ae.exe

pid process

2172 f76a8ae.exe
2172 f76a8ae.exe

description	ioc	process
File created	C:\Windows\f76a9d6	f76a8ae.exe
File opened for modification	C:\Windows\SYSTEM.INI	f76a8ae.exe

pid	process
2172	f76a8ae.exe
2172	f76a8ae.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

f76a8ae.exe

description	pid	process
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe
Token: SeDebugPrivilege	2172	f76a8ae.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

rundll32.exerundll32.exef76a8ae.exe

description	pid	process	target process
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 1772	1152	rundll32.exe	rundll32.exe
PID 1772 wrote to memory of 2172	1772	rundll32.exe	f76a8ae.exe
PID 1772 wrote to memory of 2172	1772	rundll32.exe	f76a8ae.exe
PID 1772 wrote to memory of 2172	1772	rundll32.exe	f76a8ae.exe
PID 1772 wrote to memory of 2172	1772	rundll32.exe	f76a8ae.exe
PID 2172 wrote to memory of 1180	2172	f76a8ae.exe	taskhost.exe
PID 2172 wrote to memory of 1312	2172	f76a8ae.exe	Dwm.exe
PID 2172 wrote to memory of 1368	2172	f76a8ae.exe	Explorer.EXE
PID 2172 wrote to memory of 460	2172	f76a8ae.exe	DllHost.exe
PID 2172 wrote to memory of 1152	2172	f76a8ae.exe	rundll32.exe
PID 2172 wrote to memory of 1772	2172	f76a8ae.exe	rundll32.exe
PID 2172 wrote to memory of 1772	2172	f76a8ae.exe	rundll32.exe
PID 1772 wrote to memory of 1744	1772	rundll32.exe	f76b02d.exe
PID 1772 wrote to memory of 1744	1772	rundll32.exe	f76b02d.exe
PID 1772 wrote to memory of 1744	1772	rundll32.exe	f76b02d.exe
PID 1772 wrote to memory of 1744	1772	rundll32.exe	f76b02d.exe
PID 1772 wrote to memory of 2384	1772	rundll32.exe	f76c236.exe
PID 1772 wrote to memory of 2384	1772	rundll32.exe	f76c236.exe
PID 1772 wrote to memory of 2384	1772	rundll32.exe	f76c236.exe
PID 1772 wrote to memory of 2384	1772	rundll32.exe	f76c236.exe
PID 2172 wrote to memory of 1180	2172	f76a8ae.exe	taskhost.exe
PID 2172 wrote to memory of 1312	2172	f76a8ae.exe	Dwm.exe
PID 2172 wrote to memory of 1368	2172	f76a8ae.exe	Explorer.EXE
PID 2172 wrote to memory of 1744	2172	f76a8ae.exe	f76b02d.exe
PID 2172 wrote to memory of 1744	2172	f76a8ae.exe	f76b02d.exe
PID 2172 wrote to memory of 2384	2172	f76a8ae.exe	f76c236.exe
PID 2172 wrote to memory of 2384	2172	f76a8ae.exe	f76c236.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

f76a8ae.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a8ae.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f76a8ae.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1180

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll,#1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\f76a8ae.exe
C:\Users\Admin\AppData\Local\Temp\f76a8ae.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172

C:\Users\Admin\AppData\Local\Temp\f76b02d.exe
C:\Users\Admin\AppData\Local\Temp\f76b02d.exe
4⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\f76c236.exe
C:\Users\Admin\AppData\Local\Temp\f76c236.exe
4⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:460

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f76a8ae.exe
Filesize
97KB

MD5
4dd8147ad96ba785517c6a0b399828b7

SHA1
1b36523f04d35630f82a4c428684e74762548ed0

SHA256
99db49fa8353610cd95e701335586f30a6459c1c3e95af585e89aaae381533c3

SHA512
ae9f7e5a30d7707101d0097bfec6604a3ff541ae8700e96b38da303e19aa9c7304357bd1af37899bfb9504671b6566e5eea9f4f0c90c158d8eef3d0bb55a777d

Download Submit
memory/1180-16-0x0000000001B40000-0x0000000001B42000-memory.dmp

Filesize
8KB

Download
memory/1744-96-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1744-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1744-94-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download
memory/1772-77-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1772-76-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1772-8-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1772-11-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1772-71-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1772-25-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1772-74-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1772-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1772-29-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1772-31-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1772-44-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1772-40-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1772-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2172-59-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-81-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-57-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2172-51-0x0000000001750000-0x0000000001751000-memory.dmp

Filesize
4KB

Download
memory/2172-27-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-58-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-43-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-60-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-61-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-62-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-23-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-18-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-15-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-14-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-144-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-63-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-78-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-49-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-82-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-83-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-85-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-12-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2172-105-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2172-108-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2172-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2172-106-0x00000000005D0000-0x000000000168A000-memory.dmp

Filesize
16.7MB

Download
memory/2384-102-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2384-104-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2384-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2384-150-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download
memory/2384-149-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2384-151-0x0000000000920000-0x00000000019DA000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads