sality | 8c7859818c915aa9b5d35f88e9dcd1d51639a3ab54312e61f52807fa443da920

General

Target

8c7859818c915aa9b5d35f88e9dcd1d51639a3ab54312e61f52807fa443da920.dll
Size

120KB
MD5

70102e80b6d50af10dea65557a520381
SHA1

d6842fb652f1fe3ad8e8b18558c36a7e0a538e08
SHA256

8c7859818c915aa9b5d35f88e9dcd1d51639a3ab54312e61f52807fa443da920
SHA512

096a9bcbc11803236ce4cd7c6763ca4916d3d51a5487f3bff6c88452c6b503810c67c21adec3e46210b9f5fa42a5c0b8245a7b35186e21eb6550d27579ab7f15
SSDEEP

3072:WwPcuvxQ0GN2OG3O1T9/ywvydRqORRTq:pPcqjGfG3O1ZGRqOXTq

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5743a0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

e5743a0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5743a0.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5743a0.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2284-6-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-25-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-41-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-43-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-44-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-53-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-55-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-66-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-68-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-71-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-73-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-77-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-79-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-81-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2284-84-0x00000000007F0000-0x00000000018AA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2284-5-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2284-6-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-25-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/3872-32-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2284-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-41-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-43-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-44-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/4576-52-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2284-53-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-55-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-66-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-68-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-71-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-73-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-77-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-79-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-81-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-84-0x00000000007F0000-0x00000000018AA000-memory.dmp	UPX
behavioral2/memory/2284-103-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/3872-107-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4576-111-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e5743a0.exee5744c9.exee575f75.exe

pid process

2284 e5743a0.exe
3872 e5744c9.exe
4576 e575f75.exe

pid	process
2284	e5743a0.exe
3872	e5744c9.exe
4576	e575f75.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2284-6-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-21-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-25-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-11-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-31-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-34-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-10-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-36-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-35-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-9-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-8-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-37-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-38-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-39-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-40-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-41-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-43-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-44-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-53-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-55-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-56-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-66-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-68-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-71-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-73-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-75-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-77-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-79-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-81-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-83-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx
behavioral2/memory/2284-84-0x00000000007F0000-0x00000000018AA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5743a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5743a0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5743a0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e5743a0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5743a0.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5743a0.exe

description	ioc	process
File opened (read-only)	\??\L:	e5743a0.exe
File opened (read-only)	\??\R:	e5743a0.exe
File opened (read-only)	\??\S:	e5743a0.exe
File opened (read-only)	\??\I:	e5743a0.exe
File opened (read-only)	\??\J:	e5743a0.exe
File opened (read-only)	\??\N:	e5743a0.exe
File opened (read-only)	\??\M:	e5743a0.exe
File opened (read-only)	\??\Q:	e5743a0.exe
File opened (read-only)	\??\E:	e5743a0.exe
File opened (read-only)	\??\G:	e5743a0.exe
File opened (read-only)	\??\H:	e5743a0.exe
File opened (read-only)	\??\K:	e5743a0.exe
File opened (read-only)	\??\O:	e5743a0.exe
File opened (read-only)	\??\P:	e5743a0.exe

Drops file in Program Files directory 4 IoCs

Processes:

e5743a0.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5743a0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5743a0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5743a0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e5743a0.exe

Drops file in Windows directory 2 IoCs

Processes:

e5743a0.exe

description ioc process

File created C:\Windows\e5743ee e5743a0.exe
File opened for modification C:\Windows\SYSTEM.INI e5743a0.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e5743a0.exe

pid process

2284 e5743a0.exe
2284 e5743a0.exe
2284 e5743a0.exe
2284 e5743a0.exe

description	ioc	process
File created	C:\Windows\e5743ee	e5743a0.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5743a0.exe

pid	process
2284	e5743a0.exe
2284	e5743a0.exe
2284	e5743a0.exe
2284	e5743a0.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5743a0.exe

description	pid	process
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe
Token: SeDebugPrivilege	2284	e5743a0.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

rundll32.exerundll32.exee5743a0.exe

description	pid	process	target process
PID 1748 wrote to memory of 2128	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2128	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2128	1748	rundll32.exe	rundll32.exe
PID 2128 wrote to memory of 2284	2128	rundll32.exe	e5743a0.exe
PID 2128 wrote to memory of 2284	2128	rundll32.exe	e5743a0.exe
PID 2128 wrote to memory of 2284	2128	rundll32.exe	e5743a0.exe
PID 2284 wrote to memory of 808	2284	e5743a0.exe	fontdrvhost.exe
PID 2284 wrote to memory of 816	2284	e5743a0.exe	fontdrvhost.exe
PID 2284 wrote to memory of 376	2284	e5743a0.exe	dwm.exe
PID 2284 wrote to memory of 2428	2284	e5743a0.exe	sihost.exe
PID 2284 wrote to memory of 2464	2284	e5743a0.exe	svchost.exe
PID 2284 wrote to memory of 2668	2284	e5743a0.exe	taskhostw.exe
PID 2284 wrote to memory of 3384	2284	e5743a0.exe	Explorer.EXE
PID 2284 wrote to memory of 3536	2284	e5743a0.exe	svchost.exe
PID 2284 wrote to memory of 3748	2284	e5743a0.exe	DllHost.exe
PID 2284 wrote to memory of 3844	2284	e5743a0.exe	StartMenuExperienceHost.exe
PID 2284 wrote to memory of 3908	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 4000	2284	e5743a0.exe	SearchApp.exe
PID 2284 wrote to memory of 4144	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 4468	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 2860	2284	e5743a0.exe	TextInputHost.exe
PID 2284 wrote to memory of 2132	2284	e5743a0.exe	backgroundTaskHost.exe
PID 2284 wrote to memory of 1748	2284	e5743a0.exe	rundll32.exe
PID 2284 wrote to memory of 2128	2284	e5743a0.exe	rundll32.exe
PID 2284 wrote to memory of 2128	2284	e5743a0.exe	rundll32.exe
PID 2128 wrote to memory of 3872	2128	rundll32.exe	e5744c9.exe
PID 2128 wrote to memory of 3872	2128	rundll32.exe	e5744c9.exe
PID 2128 wrote to memory of 3872	2128	rundll32.exe	e5744c9.exe
PID 2128 wrote to memory of 4576	2128	rundll32.exe	e575f75.exe
PID 2128 wrote to memory of 4576	2128	rundll32.exe	e575f75.exe
PID 2128 wrote to memory of 4576	2128	rundll32.exe	e575f75.exe
PID 2284 wrote to memory of 808	2284	e5743a0.exe	fontdrvhost.exe
PID 2284 wrote to memory of 816	2284	e5743a0.exe	fontdrvhost.exe
PID 2284 wrote to memory of 376	2284	e5743a0.exe	dwm.exe
PID 2284 wrote to memory of 2428	2284	e5743a0.exe	sihost.exe
PID 2284 wrote to memory of 2464	2284	e5743a0.exe	svchost.exe
PID 2284 wrote to memory of 2668	2284	e5743a0.exe	taskhostw.exe
PID 2284 wrote to memory of 3384	2284	e5743a0.exe	Explorer.EXE
PID 2284 wrote to memory of 3536	2284	e5743a0.exe	svchost.exe
PID 2284 wrote to memory of 3748	2284	e5743a0.exe	DllHost.exe
PID 2284 wrote to memory of 3844	2284	e5743a0.exe	StartMenuExperienceHost.exe
PID 2284 wrote to memory of 3908	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 4000	2284	e5743a0.exe	SearchApp.exe
PID 2284 wrote to memory of 4144	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 4468	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 2860	2284	e5743a0.exe	TextInputHost.exe
PID 2284 wrote to memory of 3872	2284	e5743a0.exe	e5744c9.exe
PID 2284 wrote to memory of 3872	2284	e5743a0.exe	e5744c9.exe
PID 2284 wrote to memory of 3168	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 3176	2284	e5743a0.exe	RuntimeBroker.exe
PID 2284 wrote to memory of 4576	2284	e5743a0.exe	e575f75.exe
PID 2284 wrote to memory of 4576	2284	e5743a0.exe	e575f75.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

e5743a0.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e5743a0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5743a0.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2464

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c7859818c915aa9b5d35f88e9dcd1d51639a3ab54312e61f52807fa443da920.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c7859818c915aa9b5d35f88e9dcd1d51639a3ab54312e61f52807fa443da920.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\e5743a0.exe
C:\Users\Admin\AppData\Local\Temp\e5743a0.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2284

C:\Users\Admin\AppData\Local\Temp\e5744c9.exe
C:\Users\Admin\AppData\Local\Temp\e5744c9.exe
4⤵
- Executes dropped EXE
PID:3872

C:\Users\Admin\AppData\Local\Temp\e575f75.exe
C:\Users\Admin\AppData\Local\Temp\e575f75.exe
4⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2860

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2132

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3176

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

5

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5743a0.exe
Filesize
97KB

MD5
d43858b39b17c5ca024b5fbfea1fbb2a

SHA1
562f9580c85b1d308c5f5e8d5273327262accce1

SHA256
7f5e5c450437280aad2b6f492104640ada2b6ae687b5bf8e7494326f3bf83652

SHA512
714db1a1c99c0fb9eb0b57e92084ce4199ec3c892f1ecefaa4bb23afc0e5d10b9f1dc4f5b4aeb112612db8f36fa61c36f9c8d2a5802dc67cf3c7f08b46074946

Download Submit
memory/2128-14-0x00000000038F0000-0x00000000038F2000-memory.dmp

Filesize
8KB

Download
memory/2128-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2128-12-0x00000000038F0000-0x00000000038F2000-memory.dmp

Filesize
8KB

Download
memory/2128-27-0x00000000038F0000-0x00000000038F2000-memory.dmp

Filesize
8KB

Download
memory/2128-26-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/2284-41-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-68-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-33-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2284-103-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2284-11-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-28-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2284-31-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-34-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-10-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-36-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-35-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-16-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/2284-21-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-6-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-9-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-8-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-37-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-38-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-39-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-40-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2284-43-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-44-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-91-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/2284-53-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-55-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-56-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-84-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-83-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-81-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-79-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-77-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-75-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-66-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-25-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-71-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/2284-73-0x00000000007F0000-0x00000000018AA000-memory.dmp

Filesize
16.7MB

Download
memory/3872-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3872-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3872-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3872-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3872-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4576-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4576-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4576-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4576-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4576-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads