Malware Analysis Report

2024-09-11 12:22

Sample ID 240614-fyw2vazgkp
Target e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217
SHA256 e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217

Threat Level: Known bad

The file e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Sality

Modifies firewall policy service

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Loads dropped DLL

UPX packed file

Windows security modification

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:17

Reported

2024-06-14 05:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5746cd C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 460 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57466f.exe
PID 460 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\fontdrvhost.exe
PID 460 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\fontdrvhost.exe
PID 460 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\dwm.exe
PID 460 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\sihost.exe
PID 460 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\svchost.exe
PID 460 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\taskhostw.exe
PID 460 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\Explorer.EXE
PID 460 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\svchost.exe
PID 460 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\DllHost.exe
PID 460 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 460 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 460 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 460 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 460 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 460 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 460 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 460 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\system32\rundll32.exe
PID 460 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\SysWOW64\rundll32.exe
PID 4900 wrote to memory of 4560 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5747f6.exe
PID 4900 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576234.exe
PID 460 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Users\Admin\AppData\Local\Temp\e5747f6.exe
PID 460 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 460 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Windows\System32\RuntimeBroker.exe
PID 460 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\e57466f.exe C:\Users\Admin\AppData\Local\Temp\e576234.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57466f.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

C:\Users\Admin\AppData\Local\Temp\e5747f6.exe

C:\Users\Admin\AppData\Local\Temp\e5747f6.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576234.exe

C:\Users\Admin\AppData\Local\Temp\e576234.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\e57466f.exe

MD5 ef69789303cd24f775db0c3c0ef7526b
SHA1 a077e0238c5d5421c0ac462d437bd6d2544c34d0
SHA256 119d5b06df97a71caf0a052c4e5b0fdf02811d4e938c8d426d549f4de6f13b40
SHA512 2fb239d110a7a65647a14f3d523d89c4e4c2f74bee443e8b22d2ec658565f6dd9dd29751259a41f734a8a059c9435a76e7a4e1be8b7424542f0437c26e0114a8


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:17

Reported

2024-06-14 05:19

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761d9e C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
File created C:\Windows\f767159 C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 3020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2332 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761d02.exe
PID 2332 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\system32\taskhost.exe
PID 2332 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\system32\Dwm.exe
PID 2332 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\Explorer.EXE
PID 2332 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\system32\DllHost.exe
PID 2332 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\system32\rundll32.exe
PID 2332 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 2584 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f762146.exe
PID 3020 wrote to memory of 2420 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76387e.exe
PID 2332 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Users\Admin\AppData\Local\Temp\f762146.exe
PID 2332 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\f761d02.exe C:\Users\Admin\AppData\Local\Temp\f76387e.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76387e.exe C:\Windows\system32\taskhost.exe
PID 2420 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\f76387e.exe C:\Windows\system32\Dwm.exe
PID 2420 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f76387e.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761d02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76387e.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e4e64888c542336d3c9570c9b9b70de3fbdfcfc359d7f5e92f73fe3b56742217.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761d02.exe

C:\Users\Admin\AppData\Local\Temp\f761d02.exe

C:\Users\Admin\AppData\Local\Temp\f762146.exe

C:\Users\Admin\AppData\Local\Temp\f762146.exe

C:\Users\Admin\AppData\Local\Temp\f76387e.exe

C:\Users\Admin\AppData\Local\Temp\f76387e.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\f761d02.exe

MD5 ef69789303cd24f775db0c3c0ef7526b
SHA1 a077e0238c5d5421c0ac462d437bd6d2544c34d0
SHA256 119d5b06df97a71caf0a052c4e5b0fdf02811d4e938c8d426d549f4de6f13b40
SHA512 2fb239d110a7a65647a14f3d523d89c4e4c2f74bee443e8b22d2ec658565f6dd9dd29751259a41f734a8a059c9435a76e7a4e1be8b7424542f0437c26e0114a8

C:\Windows\SYSTEM.INI

MD5 2f2235a025dfbc408de74100c217cc84
SHA1 f414f8c00aac8c87a8d9a60d5d2a2e1bc78d165e
SHA256 b0d366a7fc1d4d712528a89cfcc97d3a6edfdbcf05a08dad5a612b9251a126aa
SHA512 1c05d386b89c3f411e1defddb9acdaa2a30fecb21651f887d78ce8768b18bf486053b9749c6b76a2e7467a72587ac6989c65a1e8514be7462127bf1b66361de1
