sality | 1023451895ac837d95a13b21db728c1d90ff39e6e90b4de47a4341b238884004

General

Target

1023451895ac837d95a13b21db728c1d90ff39e6e90b4de47a4341b238884004.dll
Size

120KB
MD5

80acbf9b26cd09f9969db4be655b2863
SHA1

56934e37a65d38d128db673d04f7869e74a71382
SHA256

1023451895ac837d95a13b21db728c1d90ff39e6e90b4de47a4341b238884004
SHA512

eecadb5f032d968674c302012d78bfaa39973416d0f96249680f994958275f7fc662bcb30668b8a20fd99677e9d0c4ba935f4a9f2eeea620ccd53003f36df201
SSDEEP

3072:CP2LnVuScaEPM1CqWVVByNgQI5DHqqn6e8:jjdEYk5yhIzf6e

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57517b.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e57517b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57517b.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57517b.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 32 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1472-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-20-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-24-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-42-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-57-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-59-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-72-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-76-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-78-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-80-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-82-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-85-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-87-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-88-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-89-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1472-90-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3964-123-0x0000000000B40000-0x0000000001BFA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1472-5-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1472-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-20-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/4764-25-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1472-24-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-42-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/4580-55-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1472-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-57-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-59-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-72-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-76-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-78-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-80-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-82-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-85-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-87-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-88-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-89-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-90-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/1472-109-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4764-113-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/3964-118-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4580-122-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/3964-123-0x0000000000B40000-0x0000000001BFA000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

e57517b.exee5752a4.exee576d50.exee576d7f.exe

pid process

1472 e57517b.exe
4764 e5752a4.exe
3964 e576d50.exe
4580 e576d7f.exe

pid	process
1472	e57517b.exe
4764	e5752a4.exe
3964	e576d50.exe
4580	e576d7f.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1472-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-20-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-24-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-42-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-57-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-59-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-72-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-76-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-78-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-80-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-82-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-85-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-87-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-88-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-89-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/1472-90-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/3964-123-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57517b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57517b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57517b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e57517b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57517b.exe

Enumerates connected drives 3 TTPs 13 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57517b.exe

description	ioc	process
File opened (read-only)	\??\K:	e57517b.exe
File opened (read-only)	\??\M:	e57517b.exe
File opened (read-only)	\??\P:	e57517b.exe
File opened (read-only)	\??\Q:	e57517b.exe
File opened (read-only)	\??\L:	e57517b.exe
File opened (read-only)	\??\N:	e57517b.exe
File opened (read-only)	\??\R:	e57517b.exe
File opened (read-only)	\??\G:	e57517b.exe
File opened (read-only)	\??\I:	e57517b.exe
File opened (read-only)	\??\J:	e57517b.exe
File opened (read-only)	\??\O:	e57517b.exe
File opened (read-only)	\??\E:	e57517b.exe
File opened (read-only)	\??\H:	e57517b.exe

Drops file in Program Files directory 4 IoCs

Processes:

e57517b.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57517b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57517b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57517b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e57517b.exe

Drops file in Windows directory 2 IoCs

Processes:

e57517b.exe

description ioc process

File created C:\Windows\e5751c9 e57517b.exe
File opened for modification C:\Windows\SYSTEM.INI e57517b.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57517b.exe

pid process

1472 e57517b.exe
1472 e57517b.exe
1472 e57517b.exe
1472 e57517b.exe

description	ioc	process
File created	C:\Windows\e5751c9	e57517b.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57517b.exe

pid	process
1472	e57517b.exe
1472	e57517b.exe
1472	e57517b.exe
1472	e57517b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57517b.exe

description	pid	process
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe
Token: SeDebugPrivilege	1472	e57517b.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

rundll32.exerundll32.exee57517b.exe

description	pid	process	target process
PID 1856 wrote to memory of 4136	1856	rundll32.exe	rundll32.exe
PID 1856 wrote to memory of 4136	1856	rundll32.exe	rundll32.exe
PID 1856 wrote to memory of 4136	1856	rundll32.exe	rundll32.exe
PID 4136 wrote to memory of 1472	4136	rundll32.exe	e57517b.exe
PID 4136 wrote to memory of 1472	4136	rundll32.exe	e57517b.exe
PID 4136 wrote to memory of 1472	4136	rundll32.exe	e57517b.exe
PID 1472 wrote to memory of 788	1472	e57517b.exe	fontdrvhost.exe
PID 1472 wrote to memory of 792	1472	e57517b.exe	fontdrvhost.exe
PID 1472 wrote to memory of 1020	1472	e57517b.exe	dwm.exe
PID 1472 wrote to memory of 2992	1472	e57517b.exe	sihost.exe
PID 1472 wrote to memory of 3020	1472	e57517b.exe	svchost.exe
PID 1472 wrote to memory of 2280	1472	e57517b.exe	taskhostw.exe
PID 1472 wrote to memory of 3372	1472	e57517b.exe	Explorer.EXE
PID 1472 wrote to memory of 3548	1472	e57517b.exe	svchost.exe
PID 1472 wrote to memory of 3760	1472	e57517b.exe	DllHost.exe
PID 1472 wrote to memory of 3856	1472	e57517b.exe	StartMenuExperienceHost.exe
PID 1472 wrote to memory of 3956	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 4060	1472	e57517b.exe	SearchApp.exe
PID 1472 wrote to memory of 4116	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 4712	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 3980	1472	e57517b.exe	TextInputHost.exe
PID 1472 wrote to memory of 1360	1472	e57517b.exe	backgroundTaskHost.exe
PID 1472 wrote to memory of 1856	1472	e57517b.exe	rundll32.exe
PID 1472 wrote to memory of 4136	1472	e57517b.exe	rundll32.exe
PID 1472 wrote to memory of 4136	1472	e57517b.exe	rundll32.exe
PID 4136 wrote to memory of 4764	4136	rundll32.exe	e5752a4.exe
PID 4136 wrote to memory of 4764	4136	rundll32.exe	e5752a4.exe
PID 4136 wrote to memory of 4764	4136	rundll32.exe	e5752a4.exe
PID 4136 wrote to memory of 3964	4136	rundll32.exe	e576d50.exe
PID 4136 wrote to memory of 3964	4136	rundll32.exe	e576d50.exe
PID 4136 wrote to memory of 3964	4136	rundll32.exe	e576d50.exe
PID 4136 wrote to memory of 4580	4136	rundll32.exe	e576d7f.exe
PID 4136 wrote to memory of 4580	4136	rundll32.exe	e576d7f.exe
PID 4136 wrote to memory of 4580	4136	rundll32.exe	e576d7f.exe
PID 1472 wrote to memory of 788	1472	e57517b.exe	fontdrvhost.exe
PID 1472 wrote to memory of 792	1472	e57517b.exe	fontdrvhost.exe
PID 1472 wrote to memory of 1020	1472	e57517b.exe	dwm.exe
PID 1472 wrote to memory of 2992	1472	e57517b.exe	sihost.exe
PID 1472 wrote to memory of 3020	1472	e57517b.exe	svchost.exe
PID 1472 wrote to memory of 2280	1472	e57517b.exe	taskhostw.exe
PID 1472 wrote to memory of 3372	1472	e57517b.exe	Explorer.EXE
PID 1472 wrote to memory of 3548	1472	e57517b.exe	svchost.exe
PID 1472 wrote to memory of 3760	1472	e57517b.exe	DllHost.exe
PID 1472 wrote to memory of 3856	1472	e57517b.exe	StartMenuExperienceHost.exe
PID 1472 wrote to memory of 3956	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 4060	1472	e57517b.exe	SearchApp.exe
PID 1472 wrote to memory of 4116	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 4712	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 3980	1472	e57517b.exe	TextInputHost.exe
PID 1472 wrote to memory of 4764	1472	e57517b.exe	e5752a4.exe
PID 1472 wrote to memory of 4764	1472	e57517b.exe	e5752a4.exe
PID 1472 wrote to memory of 4808	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 5076	1472	e57517b.exe	RuntimeBroker.exe
PID 1472 wrote to memory of 3964	1472	e57517b.exe	e576d50.exe
PID 1472 wrote to memory of 3964	1472	e57517b.exe	e576d50.exe
PID 1472 wrote to memory of 4580	1472	e57517b.exe	e576d7f.exe
PID 1472 wrote to memory of 4580	1472	e57517b.exe	e576d7f.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e57517b.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e57517b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57517b.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1020

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3020

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2280

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1023451895ac837d95a13b21db728c1d90ff39e6e90b4de47a4341b238884004.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1023451895ac837d95a13b21db728c1d90ff39e6e90b4de47a4341b238884004.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Local\Temp\e57517b.exe
C:\Users\Admin\AppData\Local\Temp\e57517b.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1472

C:\Users\Admin\AppData\Local\Temp\e5752a4.exe
C:\Users\Admin\AppData\Local\Temp\e5752a4.exe
4⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\e576d50.exe
C:\Users\Admin\AppData\Local\Temp\e576d50.exe
4⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
C:\Users\Admin\AppData\Local\Temp\e576d7f.exe
4⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4712

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3980

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57517b.exe
Filesize
97KB

MD5
205ac0dffe632b9743cff3d38bd1bea4

SHA1
d02471bb7a32bf8de383c2a54160626c047bd638

SHA256
6ba4f5aa5b8e9f02c748b12d655ae250cf73809cc05ade57dd363730cad62a98

SHA512
af338f7c798141670b3cc53b6907bfb212cc56b32aa807835b068d6b7c4c3c1a8aea23d5ceda85ddfce5b50d9005b3966c01ae10c07780c6ac75e38006ee030b

Download Submit
memory/1472-57-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-78-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-8-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-10-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-26-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1472-20-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1472-100-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1472-34-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-21-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-31-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-11-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-90-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-24-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-89-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-15-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1472-88-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-87-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-9-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-35-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-36-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-37-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-38-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-39-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-40-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-59-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-56-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-85-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-83-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-33-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/1472-42-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-82-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-80-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1472-76-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-75-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/1472-72-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/3964-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3964-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3964-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3964-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3964-123-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/3964-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3964-124-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4136-32-0x0000000003590000-0x0000000003592000-memory.dmp

Filesize
8KB

Download
memory/4136-13-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/4136-16-0x0000000003590000-0x0000000003592000-memory.dmp

Filesize
8KB

Download
memory/4136-12-0x0000000003590000-0x0000000003592000-memory.dmp

Filesize
8KB

Download
memory/4136-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4580-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4580-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4580-68-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4580-71-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4580-66-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4764-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4764-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4764-113-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4764-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4764-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads