Malware Analysis Report

2024-11-16 13:20

Sample ID 240519-m2fbtseh8v
Target 994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.exe
SHA256 994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248
Tags
sality backdoor evasion trojan upx
score
10/10


Analysis Overview


Threat Level: Known bad

The file 994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

UAC bypass

Modifies firewall policy service

Sality

Windows security modification

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 10:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 10:57

Reported

2024-05-19 10:59

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (23 matches, no further details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
File created C:\Windows\f766ce6 C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
File created C:\Windows\f7689b9 C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A
File created C:\Windows\f761ca5 C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2844 wrote to memory of 2752 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761c38.exe
PID 2752 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761c38.exe
PID 2752 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761c38.exe
PID 2752 wrote to memory of 3040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761c38.exe
PID 3040 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\taskhost.exe
PID 3040 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\Dwm.exe
PID 3040 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\Explorer.EXE
PID 3040 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\DllHost.exe
PID 3040 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\rundll32.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 2536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 2752 wrote to memory of 2536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 2752 wrote to memory of 2536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 2752 wrote to memory of 2536 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 2752 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2752 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2752 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2752 wrote to memory of 2772 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 3040 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\taskhost.exe
PID 3040 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\system32\Dwm.exe
PID 3040 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Windows\Explorer.EXE
PID 3040 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 3040 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Users\Admin\AppData\Local\Temp\f761dcd.exe
PID 3040 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 3040 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\f761c38.exe C:\Users\Admin\AppData\Local\Temp\f763b5b.exe
PID 2536 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe C:\Windows\system32\taskhost.exe
PID 2536 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe C:\Windows\system32\Dwm.exe
PID 2536 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f761dcd.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761c38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761dcd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f763b5b.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761c38.exe

C:\Users\Admin\AppData\Local\Temp\f761c38.exe

C:\Users\Admin\AppData\Local\Temp\f761dcd.exe

C:\Users\Admin\AppData\Local\Temp\f761dcd.exe

C:\Users\Admin\AppData\Local\Temp\f763b5b.exe

C:\Users\Admin\AppData\Local\Temp\f763b5b.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761c38.exe

MD5 93b2239926111d0bb1e6c59405c8ea3e
SHA1 9decfb123ec11d9cb1913c808bddf4fe7f28ee79
SHA256 8ddc9f13a89c83a055b3e77a709929f0752ef0251bd821168e36bb18e6796643
SHA512 d4bb4e4743e2bb29d45db49a389f685c1dd4aa1ea7b88541a21d02094fd27c94d0d79f1a5cf72213605ef2e2023d793575ac2dd172e4b46420a4f0f5dceff0df

memory/2752-8-0x0000000010000000-0x0000000010020000-memory.dmp

memory/3040-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2752-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2752-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3040-13-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-17-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-21-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-16-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-20-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-18-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-22-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-15-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-19-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-55-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/3040-50-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/3040-48-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/2752-47-0x0000000000360000-0x0000000000361000-memory.dmp

memory/2752-56-0x0000000000440000-0x0000000000452000-memory.dmp

memory/3040-23-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2752-38-0x0000000000360000-0x0000000000361000-memory.dmp

memory/2752-37-0x0000000000350000-0x0000000000352000-memory.dmp

memory/1084-29-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2752-59-0x0000000000350000-0x0000000000352000-memory.dmp

memory/2536-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2752-61-0x0000000000350000-0x0000000000352000-memory.dmp

memory/3040-63-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-64-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-65-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-66-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-67-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2752-77-0x0000000000350000-0x0000000000352000-memory.dmp

memory/2772-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2752-79-0x0000000000440000-0x0000000000452000-memory.dmp

memory/3040-82-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-83-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/2536-94-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2536-93-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2772-101-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2772-100-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2772-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2536-102-0x0000000000260000-0x0000000000262000-memory.dmp

memory/3040-104-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-106-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-108-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-115-0x00000000004A0000-0x00000000004A2000-memory.dmp

memory/3040-144-0x00000000006C0000-0x000000000177A000-memory.dmp

memory/3040-145-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 0cf1c9d04cdd2092dcdab62ae6225cb3
SHA1 46593cdcd05feee355bc384ebb47cf1034e58e0b
SHA256 5ff546cb4b56c9d92d7a31dc017f356de101b0d31e1ee6059c76ae315229b179
SHA512 9fd38851833663ed5591746a57c7ae6d2f001c8e60e9fb6b88998bbd2446fa8203733a9ce9b9b5d407a38f489dfa8e7a454cc3595187e3db11a79eaf2f2bc2d0

memory/2536-157-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2536-180-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2536-181-0x00000000009B0000-0x0000000001A6A000-memory.dmp

memory/2772-198-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 10:57

Reported

2024-05-19 10:59

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

105s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (31 matches, no further details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e573691 C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
(this row appears 64 times in the original report, one per privilege adjustment by e573652.exe; the repeats are collapsed here)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 1036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3312 wrote to memory of 1036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3312 wrote to memory of 1036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1036 wrote to memory of 1392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe
PID 1036 wrote to memory of 1392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe
PID 1036 wrote to memory of 1392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe
PID 1392 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe
PID 1392 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe
PID 1392 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\dwm.exe
PID 1392 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\sihost.exe
PID 1392 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\taskhostw.exe
PID 1392 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\Explorer.EXE
PID 1392 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\DllHost.exe
PID 1392 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1392 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1392 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1392 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1392 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\rundll32.exe
PID 1392 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SysWOW64\rundll32.exe
PID 1392 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SysWOW64\rundll32.exe
PID 1036 wrote to memory of 1748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe
PID 1036 wrote to memory of 1748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe
PID 1036 wrote to memory of 1748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe
PID 1036 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe
PID 1036 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe
PID 1036 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe
PID 1392 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe
PID 1392 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe
PID 1392 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\dwm.exe
PID 1392 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\sihost.exe
PID 1392 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\taskhostw.exe
PID 1392 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\Explorer.EXE
PID 1392 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\DllHost.exe
PID 1392 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1392 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1392 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1392 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1392 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe
PID 1392 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe
PID 1392 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe
PID 1392 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe
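The rows above mix two different things under one signature: a parent writing into a child it has just created (SysWOW64\rundll32.exe into e573652.exe, e57370e.exe and e575237.exe) and e573652.exe writing into long-running processes it did not create (fontdrvhost.exe, dwm.exe, svchost.exe, Explorer.EXE and the rest), plus writes back into the two rundll32.exe processes that loaded it. The SeDebugPrivilege adjustments listed earlier are what let a process open processes running under other accounts, which is consistent with that fan-out. The script below is an added example, not part of the sandbox report: it parses an excerpt of the rows (copied from the table, with one deliberate repeat), collapses repeated writes, buckets each target by a path-based heuristic of my own (Temp payload, rundll32 loader, or pre-existing system process), and reports which targets also lead back to the writer, which for this sample is its own loader chain.

```python
"""Reconstruct the write graph from the report's "Suspicious use of
WriteProcessMemory" rows.

Added example, not part of the sandbox report.  REPORT_ROWS is an excerpt
copied from the behavioral2 table; classify() is my own path-based heuristic
for what kind of process each write target is."""
import re
from collections import defaultdict, deque

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<sproc>\S+) (?P<dproc>\S+)$")

# Excerpt of the report rows (constructed input; the second fontdrvhost row is
# a deliberate repeat to show that parse() collapses duplicates).
REPORT_ROWS = [
    r"PID 3312 wrote to memory of 1036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1036 wrote to memory of 1392 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e573652.exe",
    r"PID 1392 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 1392 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\dwm.exe",
    r"PID 1392 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\svchost.exe",
    r"PID 1392 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\Explorer.EXE",
    r"PID 1392 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\rundll32.exe",
    r"PID 1392 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1036 wrote to memory of 1748 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe",
    r"PID 1036 wrote to memory of 1236 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe",
    r"PID 1392 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Windows\system32\fontdrvhost.exe",
    r"PID 1392 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e57370e.exe",
    r"PID 1392 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\e573652.exe C:\Users\Admin\AppData\Local\Temp\e575237.exe",
]


def parse(rows):
    """edges: src pid -> set of dst pids (repeats collapse); names: pid -> image path."""
    edges, names = defaultdict(set), {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[src].add(dst)
        names[src], names[dst] = m["sproc"], m["dproc"]
    return edges, names


def classify(image):
    """Heuristic bucket for a target image path (my assumption, not from the report)."""
    low = image.lower()
    if "\\appdata\\local\\temp\\" in low:
        return "dropped"   # payloads the sample itself wrote to disk
    if low.endswith("\\rundll32.exe"):
        return "loader"    # the rundll32 pair that loaded the sample DLL
    return "system"        # pre-existing processes: classic injection targets


def fan_out(edges, names, pid):
    """Unique write targets of pid, bucketed by classify(), pids sorted."""
    buckets = defaultdict(list)
    for dst in sorted(edges.get(pid, ())):
        buckets[classify(names[dst])].append(dst)
    return dict(buckets)


def reaches(edges, a, b):
    """True if there is a chain of writes a -> ... -> b (cycle-safe BFS)."""
    seen, queue = {a}, deque([a])
    while queue:
        cur = queue.popleft()
        if cur == b:
            return True
        for nxt in edges.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def cycle_with(edges, pid):
    """Targets of pid that also lead back to pid through other writes.  For the
    sample this is its own loader chain: the payload writes into the rundll32
    processes that started it."""
    return sorted(dst for dst in edges.get(pid, ()) if reaches(edges, dst, pid))


def summary(rows):
    """Per-writer view: image, bucketed fan-out and two-way write partners."""
    edges, names = parse(rows)
    return {src: {"image": names[src],
                  "fan_out": fan_out(edges, names, src),
                  "cycle_with": cycle_with(edges, src)}
            for src in edges}


if __name__ == "__main__":
    for pid, info in summary(REPORT_ROWS).items():
        print(pid, info)
```

Run against the full table the same way; the only change is the list of rows. The "dropped" bucket is the dropper chain, the "system" bucket is the injection footprint, and a non-empty "cycle_with" for a Temp-path process is the write-back into its own loaders that a plain parent/child process tree does not show.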

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A
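Two details of the registry writes in this run matter for anyone checking a host. The Security Center values landed under WOW6432Node because the sample was loaded by the 32-bit C:\Windows\SysWOW64\rundll32.exe, so WOW64 redirected its HKLM\SOFTWARE writes; the EnableLUA write is in the native path because the Policies key is one that WOW64 shares between both views. On a 64-bit host the Security Center service reads the native view, so the redirected writes may not have changed what the user sees, but an audit has to read both views regardless. The script below is an added example, not part of the sandbox report: it parses an excerpt of the "Set value (int)" rows (copied from the tables above), compares each write against the Windows defaults as I know them (an assumption), emits the reg.exe command that restores each value in the view the malware wrote to, and, on Windows only, can read the live values from both views with winreg.

```python
"""Audit the security-policy registry values the sample rewrote.

Added example, not part of the sandbox report.  BASELINE holds the Windows
defaults as I know them (assumption), REPORT_ROWS is an excerpt copied from
the report's "Set value (int)" rows, and read_live() is an optional helper
that only does anything on Windows."""
import re
import sys

SC = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"
POL = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\"

# Default values on a clean install (assumption): Security Center notification
# and override flags are 0 (off), EnableLUA is 1 (UAC on).
BASELINE = {SC + name: 0 for name in (
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "UacDisableNotify")}
BASELINE[POL + "EnableLUA"] = 1

ROW = re.compile(r'^Set value \(int\) (?P<path>.+?) = "(?P<val>-?\d+)" (?P<proc>\S+) N/A$')

# Excerpt of the report's rows (constructed input for the example; the
# "Key created" row is there to show that non-value rows are ignored).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e575237.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e573652.exe N/A',
]


def parse_rows(lines):
    """Yield (logical_path, view, value, process) for each 'Set value (int)' row.
    A path under WOW6432Node is the 32-bit view of the same logical key."""
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        path = m["path"]
        view = "wow64" if "\\WOW6432Node\\" in path else "native"
        yield path.replace("\\WOW6432Node", ""), view, int(m["val"]), m["proc"]


def assess(rows):
    """Findings: (logical_path, view, observed, expected, process) for every
    write that leaves a BASELINE value in a non-default state."""
    return [(p, v, val, BASELINE[p], proc)
            for p, v, val, proc in rows
            if p in BASELINE and val != BASELINE[p]]


def remediation(findings):
    """reg.exe commands restoring BASELINE, aimed at the registry view the
    malware wrote to (/reg:32 for WOW6432Node, /reg:64 for the native view)."""
    cmds = []
    for path, view, _observed, expected, _proc in findings:
        sub, name = path.rsplit("\\", 1)
        key = sub.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
        flag = "/reg:32" if view == "wow64" else "/reg:64"
        cmds.append(f'reg add "{key}" /v {name} /t REG_DWORD /d {expected} /f {flag}')
    return cmds


def read_live():
    """On Windows, read every BASELINE value from both registry views and
    return rows in the same shape as parse_rows(); absent values are skipped."""
    if sys.platform != "win32":
        return []
    import winreg
    rows = []
    for path in BASELINE:
        sub, name = path.rsplit("\\", 1)
        sub = sub.replace("\\REGISTRY\\MACHINE\\", "", 1)
        for view, flag in (("native", winreg.KEY_WOW64_64KEY),
                           ("wow64", winreg.KEY_WOW64_32KEY)):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0,
                                    winreg.KEY_READ | flag) as k:
                    rows.append((path, view, int(winreg.QueryValueEx(k, name)[0]), "live"))
            except OSError:
                pass   # key or value absent: nothing to compare
    return rows


if __name__ == "__main__":
    findings = assess(list(parse_rows(REPORT_ROWS)) + read_live())
    for f in findings:
        print(f)
    for cmd in remediation(findings):
        print(cmd)
```

Restoring these values is hygiene, not remediation: the same run shows e573652.exe opening the 7-Zip executables under Program Files for modification, so a host that ran this sample should be rebuilt rather than cleaned by registry edits.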

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\994f8cb8f98143788b089eacc953b61337c01bea06571a6250b238236a8a0248.dll,#1

C:\Users\Admin\AppData\Local\Temp\e573652.exe

C:\Users\Admin\AppData\Local\Temp\e573652.exe

C:\Users\Admin\AppData\Local\Temp\e57370e.exe

C:\Users\Admin\AppData\Local\Temp\e57370e.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e575237.exe

C:\Users\Admin\AppData\Local\Temp\e575237.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e573652.exe

MD5 93b2239926111d0bb1e6c59405c8ea3e
SHA1 9decfb123ec11d9cb1913c808bddf4fe7f28ee79
SHA256 8ddc9f13a89c83a055b3e77a709929f0752ef0251bd821168e36bb18e6796643
SHA512 d4bb4e4743e2bb29d45db49a389f685c1dd4aa1ea7b88541a21d02094fd27c94d0d79f1a5cf72213605ef2e2023d793575ac2dd172e4b46420a4f0f5dceff0df

memory/1392-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1036-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/1392-8-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-26-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1036-30-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

memory/1392-28-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1748-33-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-27-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-35-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-34-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-22-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-29-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1392-19-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-11-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-9-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1036-16-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

memory/1392-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

memory/1392-10-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1036-13-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/1036-12-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

memory/1392-37-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-36-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-38-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-40-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-39-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-42-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-43-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1236-51-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-52-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-54-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-55-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1236-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1748-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1236-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1236-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1748-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1748-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1392-66-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-67-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-70-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-72-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-74-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-76-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-78-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-85-0x0000000003520000-0x0000000003522000-memory.dmp

memory/1392-86-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-88-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1392-108-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1392-99-0x0000000000790000-0x000000000184A000-memory.dmp

memory/1748-112-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1236-117-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1236-118-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/1236-119-0x0000000000B30000-0x0000000001BEA000-memory.dmp