sality | fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486

Analysis

max time kernel
143s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll
Size

120KB
MD5

acab380414bf5d74b689cf9f6923f518
SHA1

207b5953dbfa696a3d887d1523c302a060eed848
SHA256

fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486
SHA512

40481bfe647131feb647b423d328ca6445a48195a935ba65e80dd48a3401821923003a485ddaa321cd8ac3c692f0ddccbaef179a29ffdc94e6f04a4b0d44641a
SSDEEP

1536:TP5I1kkXSUS4Ojou4n+OTCtaP0qGQItjeZmzmtKMqT7VW0PJqI2o0Wlwjsx8bvz/:TP52JGB7aP/Itavt2dWSJRr0dwiL/

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e57e6b6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57e6b6.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e57e6b6.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e6b6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57e6b6.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57e6b6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57e6b6.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp	UPX
behavioral2/memory/3808-88-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4908-92-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e57e6b6.exee57e82d.exee581085.exe

pid process

3808 e57e6b6.exe
4908 e57e82d.exe
4972 e581085.exe

pid	process
3808	e57e6b6.exe
4908	e57e82d.exe
4972	e581085.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp	upx
behavioral2/memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57e6b6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57e6b6.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e57e6b6.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e6b6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57e6b6.exe

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57e6b6.exe

description	ioc	process
File opened (read-only)	\??\H:	e57e6b6.exe
File opened (read-only)	\??\I:	e57e6b6.exe
File opened (read-only)	\??\J:	e57e6b6.exe
File opened (read-only)	\??\L:	e57e6b6.exe
File opened (read-only)	\??\E:	e57e6b6.exe
File opened (read-only)	\??\K:	e57e6b6.exe
File opened (read-only)	\??\M:	e57e6b6.exe
File opened (read-only)	\??\N:	e57e6b6.exe
File opened (read-only)	\??\G:	e57e6b6.exe

Drops file in Program Files directory 3 IoCs

Processes:

e57e6b6.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57e6b6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57e6b6.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57e6b6.exe

Drops file in Windows directory 2 IoCs

Processes:

e57e6b6.exe

description ioc process

File created C:\Windows\e57e753 e57e6b6.exe
File opened for modification C:\Windows\SYSTEM.INI e57e6b6.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4188 4972 WerFault.exe e581085.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57e6b6.exe

pid process

3808 e57e6b6.exe
3808 e57e6b6.exe
3808 e57e6b6.exe
3808 e57e6b6.exe

description	ioc	process
File created	C:\Windows\e57e753	e57e6b6.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57e6b6.exe

pid	pid_target	process	target process
4188	4972	WerFault.exe	e581085.exe

pid	process
3808	e57e6b6.exe
3808	e57e6b6.exe
3808	e57e6b6.exe
3808	e57e6b6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57e6b6.exe

description	pid	process
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe
Token: SeDebugPrivilege	3808	e57e6b6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57e6b6.exe

description	pid	process	target process
PID 2868 wrote to memory of 3972	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 3972	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 3972	2868	rundll32.exe	rundll32.exe
PID 3972 wrote to memory of 3808	3972	rundll32.exe	e57e6b6.exe
PID 3972 wrote to memory of 3808	3972	rundll32.exe	e57e6b6.exe
PID 3972 wrote to memory of 3808	3972	rundll32.exe	e57e6b6.exe
PID 3808 wrote to memory of 780	3808	e57e6b6.exe	fontdrvhost.exe
PID 3808 wrote to memory of 788	3808	e57e6b6.exe	fontdrvhost.exe
PID 3808 wrote to memory of 316	3808	e57e6b6.exe	dwm.exe
PID 3808 wrote to memory of 2532	3808	e57e6b6.exe	sihost.exe
PID 3808 wrote to memory of 2564	3808	e57e6b6.exe	svchost.exe
PID 3808 wrote to memory of 2812	3808	e57e6b6.exe	taskhostw.exe
PID 3808 wrote to memory of 3448	3808	e57e6b6.exe	Explorer.EXE
PID 3808 wrote to memory of 3576	3808	e57e6b6.exe	svchost.exe
PID 3808 wrote to memory of 3744	3808	e57e6b6.exe	DllHost.exe
PID 3808 wrote to memory of 3840	3808	e57e6b6.exe	StartMenuExperienceHost.exe
PID 3808 wrote to memory of 3908	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3992	3808	e57e6b6.exe	SearchApp.exe
PID 3808 wrote to memory of 432	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 2456	3808	e57e6b6.exe	TextInputHost.exe
PID 3808 wrote to memory of 4396	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 4468	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 3352	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 2392	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 3208	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 2920	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3144	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3520	3808	e57e6b6.exe	backgroundTaskHost.exe
PID 3808 wrote to memory of 3360	3808	e57e6b6.exe	backgroundTaskHost.exe
PID 3808 wrote to memory of 2868	3808	e57e6b6.exe	rundll32.exe
PID 3808 wrote to memory of 3972	3808	e57e6b6.exe	rundll32.exe
PID 3808 wrote to memory of 3972	3808	e57e6b6.exe	rundll32.exe
PID 3972 wrote to memory of 4908	3972	rundll32.exe	e57e82d.exe
PID 3972 wrote to memory of 4908	3972	rundll32.exe	e57e82d.exe
PID 3972 wrote to memory of 4908	3972	rundll32.exe	e57e82d.exe
PID 3972 wrote to memory of 4972	3972	rundll32.exe	e581085.exe
PID 3972 wrote to memory of 4972	3972	rundll32.exe	e581085.exe
PID 3972 wrote to memory of 4972	3972	rundll32.exe	e581085.exe
PID 3808 wrote to memory of 780	3808	e57e6b6.exe	fontdrvhost.exe
PID 3808 wrote to memory of 788	3808	e57e6b6.exe	fontdrvhost.exe
PID 3808 wrote to memory of 316	3808	e57e6b6.exe	dwm.exe
PID 3808 wrote to memory of 2532	3808	e57e6b6.exe	sihost.exe
PID 3808 wrote to memory of 2564	3808	e57e6b6.exe	svchost.exe
PID 3808 wrote to memory of 2812	3808	e57e6b6.exe	taskhostw.exe
PID 3808 wrote to memory of 3448	3808	e57e6b6.exe	Explorer.EXE
PID 3808 wrote to memory of 3576	3808	e57e6b6.exe	svchost.exe
PID 3808 wrote to memory of 3744	3808	e57e6b6.exe	DllHost.exe
PID 3808 wrote to memory of 3840	3808	e57e6b6.exe	StartMenuExperienceHost.exe
PID 3808 wrote to memory of 3908	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3992	3808	e57e6b6.exe	SearchApp.exe
PID 3808 wrote to memory of 432	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 2456	3808	e57e6b6.exe	TextInputHost.exe
PID 3808 wrote to memory of 4396	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 4468	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 3352	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 2392	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 3208	3808	e57e6b6.exe	msedge.exe
PID 3808 wrote to memory of 2920	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3144	3808	e57e6b6.exe	RuntimeBroker.exe
PID 3808 wrote to memory of 3520	3808	e57e6b6.exe	backgroundTaskHost.exe
PID 3808 wrote to memory of 3360	3808	e57e6b6.exe	backgroundTaskHost.exe
PID 3808 wrote to memory of 2868	3808	e57e6b6.exe	rundll32.exe
PID 3808 wrote to memory of 4908	3808	e57e6b6.exe	e57e82d.exe
PID 3808 wrote to memory of 4908	3808	e57e6b6.exe	e57e82d.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e57e6b6.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57e6b6.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57e6b6.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2564

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2812

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe20871af24272e9c0fc7638aec10eebfe44eeb1973f8f3b533f5d383e809486.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\e57e6b6.exe
      C:\Users\Admin\AppData\Local\Temp\e57e6b6.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\e57e82d.exe
      C:\Users\Admin\AppData\Local\Temp\e57e82d.exe
      4⤵
      Executes dropped EXE
      PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\e581085.exe
      C:\Users\Admin\AppData\Local\Temp\e581085.exe
      4⤵
      Executes dropped EXE
      PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 84
        5⤵
        Program crash
        
        PID:4188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced0
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2464,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1320,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:2460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3144

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57e6b6.exe

Filesize
97KB

MD5
4b102c7efb181e6fc185900d396d9f04

SHA1
803b9e9cbccfe73d7c04bf463e08d66b9420b8c6

SHA256
d518af8f5b20b8555a31ab68f0f06be7c977bf9a4b08cc50b73227c6b0cbd38b

SHA512
3a1e349f6a0554a4570516c33c86981b55e97b9c2d4d961f26e78542e97f05956225aa7d3d9c8a255f1432fd66eebe8b64bf3697aebe9b39bfcb5f7fbf578682

Download Submit
memory/3808-34-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-57-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-37-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-8-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-10-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-25-0x00000000019B0000-0x00000000019B2000-memory.dmp

Filesize
8KB

Download
memory/3808-24-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-35-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3808-11-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-9-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-80-0x00000000019B0000-0x00000000019B2000-memory.dmp

Filesize
8KB

Download
memory/3808-36-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-70-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-69-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-29-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-31-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-32-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-33-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3808-15-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/3808-28-0x00000000019B0000-0x00000000019B2000-memory.dmp

Filesize
8KB

Download
memory/3808-6-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-38-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-65-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-64-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-62-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-60-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-59-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3808-56-0x00000000007B0000-0x000000000186A000-memory.dmp

Filesize
16.7MB

Download
memory/3972-3-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/3972-53-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/3972-48-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3972-12-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3972-13-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3972-16-0x0000000004080000-0x0000000004082000-memory.dmp

Filesize
8KB

Download
memory/3972-27-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/4908-52-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4908-44-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4908-51-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4908-92-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4972-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download