sality | b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb

General

Target

b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll
Size

120KB
MD5

5d825a2aa70b57b3a664db53d6996c5f
SHA1

06ecfd8d611989855ab4905cf72ada3a1a9051f9
SHA256

b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb
SHA512

8022008d49704aa959d7c3470813a7b9ccd011376a0f5678cbf4bd3a2e9599d473edeb166760763a169f3af2b74ef6cf4c4d3894686eeb582ef3c1f92142f605
SSDEEP

1536:kVshIgAiWmE86VxEQdg7wmdHd3if8WrBG3nAzo1YSYPZ+yA5GM77mOHROHbZm9oi:9Ig1WGHQdgFdH2B4nAzOYPgkOHcbY9t

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e57377b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57377b.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e57377b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57377b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57377b.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57377b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57377b.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1788-7-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-9-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-10-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-12-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-23-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-31-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-32-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-33-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-34-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-35-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-36-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-37-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-38-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-39-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-40-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-42-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-55-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-56-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-58-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-59-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-73-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-75-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-78-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-80-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-82-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-84-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-86-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-88-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1788-90-0x0000000000810000-0x00000000018CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4248-120-0x0000000000B20000-0x0000000001BDA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 35 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1788-7-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-9-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-10-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-12-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-23-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/2072-22-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1788-31-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-32-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-33-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-34-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-35-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-36-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-37-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-38-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-39-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-40-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-42-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-55-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-56-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-58-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-59-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-73-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-75-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-78-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-80-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-82-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-84-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-86-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-88-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-90-0x0000000000810000-0x00000000018CA000-memory.dmp	UPX
behavioral2/memory/1788-106-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2072-109-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4652-115-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4248-119-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4248-120-0x0000000000B20000-0x0000000001BDA000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

e57377b.exee57396f.exee5752d3.exee5752f2.exe

pid process

1788 e57377b.exe
2072 e57396f.exe
4652 e5752d3.exe
4248 e5752f2.exe

pid	process
1788	e57377b.exe
2072	e57396f.exe
4652	e5752d3.exe
4248	e5752f2.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1788-7-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-9-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-10-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-12-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-23-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-31-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-32-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-33-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-34-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-35-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-36-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-37-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-38-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-39-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-40-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-42-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-55-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-56-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-58-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-59-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-73-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-75-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-78-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-80-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-82-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-84-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-86-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-88-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/1788-90-0x0000000000810000-0x00000000018CA000-memory.dmp	upx
behavioral2/memory/4248-120-0x0000000000B20000-0x0000000001BDA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57377b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57377b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57377b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e57377b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57377b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57377b.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57377b.exe

description	ioc	process
File opened (read-only)	\??\G:	e57377b.exe
File opened (read-only)	\??\L:	e57377b.exe
File opened (read-only)	\??\J:	e57377b.exe
File opened (read-only)	\??\Q:	e57377b.exe
File opened (read-only)	\??\E:	e57377b.exe
File opened (read-only)	\??\H:	e57377b.exe
File opened (read-only)	\??\I:	e57377b.exe
File opened (read-only)	\??\K:	e57377b.exe
File opened (read-only)	\??\M:	e57377b.exe
File opened (read-only)	\??\O:	e57377b.exe
File opened (read-only)	\??\P:	e57377b.exe
File opened (read-only)	\??\N:	e57377b.exe
File opened (read-only)	\??\R:	e57377b.exe

Drops file in Program Files directory 4 IoCs

Processes:

e57377b.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57377b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57377b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57377b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e57377b.exe

Drops file in Windows directory 2 IoCs

Processes:

e57377b.exe

description ioc process

File created C:\Windows\e573856 e57377b.exe
File opened for modification C:\Windows\SYSTEM.INI e57377b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57377b.exe

pid process

1788 e57377b.exe
1788 e57377b.exe
1788 e57377b.exe
1788 e57377b.exe

description	ioc	process
File created	C:\Windows\e573856	e57377b.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57377b.exe

pid	process
1788	e57377b.exe
1788	e57377b.exe
1788	e57377b.exe
1788	e57377b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57377b.exe

description	pid	process
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe
Token: SeDebugPrivilege	1788	e57377b.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

rundll32.exerundll32.exee57377b.exe

description	pid	process	target process
PID 2212 wrote to memory of 3172	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 3172	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 3172	2212	rundll32.exe	rundll32.exe
PID 3172 wrote to memory of 1788	3172	rundll32.exe	e57377b.exe
PID 3172 wrote to memory of 1788	3172	rundll32.exe	e57377b.exe
PID 3172 wrote to memory of 1788	3172	rundll32.exe	e57377b.exe
PID 1788 wrote to memory of 780	1788	e57377b.exe	fontdrvhost.exe
PID 1788 wrote to memory of 788	1788	e57377b.exe	fontdrvhost.exe
PID 1788 wrote to memory of 380	1788	e57377b.exe	dwm.exe
PID 1788 wrote to memory of 2584	1788	e57377b.exe	sihost.exe
PID 1788 wrote to memory of 2608	1788	e57377b.exe	svchost.exe
PID 1788 wrote to memory of 2756	1788	e57377b.exe	taskhostw.exe
PID 1788 wrote to memory of 3508	1788	e57377b.exe	Explorer.EXE
PID 1788 wrote to memory of 3664	1788	e57377b.exe	svchost.exe
PID 1788 wrote to memory of 3864	1788	e57377b.exe	DllHost.exe
PID 1788 wrote to memory of 3956	1788	e57377b.exe	StartMenuExperienceHost.exe
PID 1788 wrote to memory of 4028	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 964	1788	e57377b.exe	SearchApp.exe
PID 1788 wrote to memory of 4136	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 4888	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 1656	1788	e57377b.exe	TextInputHost.exe
PID 1788 wrote to memory of 4416	1788	e57377b.exe	backgroundTaskHost.exe
PID 1788 wrote to memory of 4720	1788	e57377b.exe	backgroundTaskHost.exe
PID 1788 wrote to memory of 2232	1788	e57377b.exe	backgroundTaskHost.exe
PID 1788 wrote to memory of 2212	1788	e57377b.exe	rundll32.exe
PID 1788 wrote to memory of 3172	1788	e57377b.exe	rundll32.exe
PID 1788 wrote to memory of 3172	1788	e57377b.exe	rundll32.exe
PID 3172 wrote to memory of 2072	3172	rundll32.exe	e57396f.exe
PID 3172 wrote to memory of 2072	3172	rundll32.exe	e57396f.exe
PID 3172 wrote to memory of 2072	3172	rundll32.exe	e57396f.exe
PID 3172 wrote to memory of 4652	3172	rundll32.exe	e5752d3.exe
PID 3172 wrote to memory of 4652	3172	rundll32.exe	e5752d3.exe
PID 3172 wrote to memory of 4652	3172	rundll32.exe	e5752d3.exe
PID 3172 wrote to memory of 4248	3172	rundll32.exe	e5752f2.exe
PID 3172 wrote to memory of 4248	3172	rundll32.exe	e5752f2.exe
PID 3172 wrote to memory of 4248	3172	rundll32.exe	e5752f2.exe
PID 1788 wrote to memory of 780	1788	e57377b.exe	fontdrvhost.exe
PID 1788 wrote to memory of 788	1788	e57377b.exe	fontdrvhost.exe
PID 1788 wrote to memory of 380	1788	e57377b.exe	dwm.exe
PID 1788 wrote to memory of 2584	1788	e57377b.exe	sihost.exe
PID 1788 wrote to memory of 2608	1788	e57377b.exe	svchost.exe
PID 1788 wrote to memory of 2756	1788	e57377b.exe	taskhostw.exe
PID 1788 wrote to memory of 3508	1788	e57377b.exe	Explorer.EXE
PID 1788 wrote to memory of 3664	1788	e57377b.exe	svchost.exe
PID 1788 wrote to memory of 3864	1788	e57377b.exe	DllHost.exe
PID 1788 wrote to memory of 3956	1788	e57377b.exe	StartMenuExperienceHost.exe
PID 1788 wrote to memory of 4028	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 964	1788	e57377b.exe	SearchApp.exe
PID 1788 wrote to memory of 4136	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 4888	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 1656	1788	e57377b.exe	TextInputHost.exe
PID 1788 wrote to memory of 4416	1788	e57377b.exe	backgroundTaskHost.exe
PID 1788 wrote to memory of 4720	1788	e57377b.exe	backgroundTaskHost.exe
PID 1788 wrote to memory of 2072	1788	e57377b.exe	e57396f.exe
PID 1788 wrote to memory of 2072	1788	e57377b.exe	e57396f.exe
PID 1788 wrote to memory of 3540	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 388	1788	e57377b.exe	RuntimeBroker.exe
PID 1788 wrote to memory of 4652	1788	e57377b.exe	e5752d3.exe
PID 1788 wrote to memory of 4652	1788	e57377b.exe	e5752d3.exe
PID 1788 wrote to memory of 4248	1788	e57377b.exe	e5752f2.exe
PID 1788 wrote to memory of 4248	1788	e57377b.exe	e5752f2.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e57377b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57377b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57377b.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2608

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b017edfff794a123a6192709800fa2c396b922aa0a1a1066618254e53e912cfb.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\e57377b.exe
C:\Users\Admin\AppData\Local\Temp\e57377b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1788

C:\Users\Admin\AppData\Local\Temp\e57396f.exe
C:\Users\Admin\AppData\Local\Temp\e57396f.exe
4⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\e5752d3.exe
C:\Users\Admin\AppData\Local\Temp\e5752d3.exe
4⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\AppData\Local\Temp\e5752f2.exe
C:\Users\Admin\AppData\Local\Temp\e5752f2.exe
4⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4028

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1656

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:4416

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4720

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3540

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57377b.exe
Filesize
97KB

MD5
4dd8147ad96ba785517c6a0b399828b7

SHA1
1b36523f04d35630f82a4c428684e74762548ed0

SHA256
99db49fa8353610cd95e701335586f30a6459c1c3e95af585e89aaae381533c3

SHA512
ae9f7e5a30d7707101d0097bfec6604a3ff541ae8700e96b38da303e19aa9c7304357bd1af37899bfb9504671b6566e5eea9f4f0c90c158d8eef3d0bb55a777d

Download Submit
memory/1788-75-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-78-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-7-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-9-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-10-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-56-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-58-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-12-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-30-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/1788-23-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-90-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-20-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1788-31-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-88-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-32-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-33-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-34-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-35-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-36-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-37-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-38-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-39-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-40-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-42-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-55-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-86-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-84-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-82-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-59-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-80-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/1788-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1788-70-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/1788-73-0x0000000000810000-0x00000000018CA000-memory.dmp

Filesize
16.7MB

Download
memory/2072-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2072-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2072-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2072-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3172-11-0x0000000004170000-0x0000000004172000-memory.dmp

Filesize
8KB

Download
memory/3172-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3172-15-0x0000000004170000-0x0000000004172000-memory.dmp

Filesize
8KB

Download
memory/3172-14-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3172-51-0x0000000004170000-0x0000000004172000-memory.dmp

Filesize
8KB

Download
memory/4248-69-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4248-120-0x0000000000B20000-0x0000000001BDA000-memory.dmp

Filesize
16.7MB

Download
memory/4248-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4248-119-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4652-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4652-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4652-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4652-114-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4652-115-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4652-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads