Malware Analysis Report

2024-09-11 12:11

Sample ID 240615-2bsxkaxapg
Target 666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585
SHA256 666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585

Threat Level: Known bad

The file 666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Sality

Modifies firewall policy service

UAC bypass

Windows security bypass

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

UPX packed file

Loads dropped DLL

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 22:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 22:24

Reported

2024-06-15 22:27

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (24 matches reported, no indicator details)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (29 matches reported, no indicator details)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (24 matches reported, no indicator details)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f768d42 | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
File created | C:\Windows\f76209b | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
File created | C:\Windows\f76712a | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A | 21
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A | 20
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A | 20

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 3040 wrote to memory of 2892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 2892 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | 4
PID 3052 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\taskhost.exe | 1
PID 3052 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\Dwm.exe | 1
PID 3052 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\Explorer.EXE | 1
PID 3052 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\DllHost.exe | 1
PID 3052 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\rundll32.exe | 1
PID 3052 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\SysWOW64\rundll32.exe | 2
PID 2892 wrote to memory of 2408 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f762202.exe | 4
PID 2892 wrote to memory of 1456 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | 4
PID 3052 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\taskhost.exe | 1
PID 3052 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\system32\Dwm.exe | 1
PID 3052 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Windows\Explorer.EXE | 1
PID 3052 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Users\Admin\AppData\Local\Temp\f762202.exe | 2
PID 3052 wrote to memory of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | 2
PID 2408 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f762202.exe | C:\Windows\system32\taskhost.exe | 1
PID 2408 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f762202.exe | C:\Windows\system32\Dwm.exe | 1
PID 2408 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f762202.exe | C:\Windows\Explorer.EXE | 1
PID 1456 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | C:\Windows\system32\taskhost.exe | 1
PID 1456 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | C:\Windows\system32\Dwm.exe | 1
PID 1456 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | C:\Windows\Explorer.EXE | 1

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f763eb5.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76202e.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f762202.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76202e.exe

C:\Users\Admin\AppData\Local\Temp\f76202e.exe

C:\Users\Admin\AppData\Local\Temp\f762202.exe

C:\Users\Admin\AppData\Local\Temp\f762202.exe

C:\Users\Admin\AppData\Local\Temp\f763eb5.exe

C:\Users\Admin\AppData\Local\Temp\f763eb5.exe

Network

N/A

Files

memory/2892-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2892-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2892-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2892-7-0x0000000000180000-0x0000000000192000-memory.dmp

memory/2892-5-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76202e.exe

MD5 40a53d43eaf67f2ed5f2b1ff41914c4d
SHA1 44a4d0445572a838e8929016853174c02425b727
SHA256 d6b7bbacc52c79fefc58f49f5ed816898c4474234c3a3b1030f13440f1799eaf
SHA512 1b5d24aa25eb44782bcae24f6e85afa03e2b9780247e58c8e8dc0821b106ce800b93070bdcf756a6f33f20395ce65826c5c6d218f6ddb2f988498170911235e0

memory/3052-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2892-13-0x0000000000180000-0x0000000000192000-memory.dmp

memory/3052-15-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-19-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-22-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-21-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-18-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-24-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-17-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-25-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-54-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2892-61-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/3052-53-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/3052-51-0x0000000003D20000-0x0000000003D21000-memory.dmp

memory/2892-50-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2892-41-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2892-40-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/1068-31-0x0000000000390000-0x0000000000392000-memory.dmp

memory/3052-23-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-20-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-63-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-64-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2408-67-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2892-66-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2892-65-0x00000000001E0000-0x00000000001F2000-memory.dmp

memory/3052-68-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-69-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-70-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-72-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-73-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-74-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-75-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/2892-86-0x0000000000200000-0x0000000000212000-memory.dmp

memory/3052-90-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/3052-91-0x0000000000620000-0x00000000016DA000-memory.dmp

memory/1456-107-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2408-101-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1456-112-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2408-113-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/3052-131-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/3052-156-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3052-155-0x0000000000620000-0x00000000016DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3e1721b7e486dd1634f4a27909641ef8
SHA1 1202dae10d9d3e97d920c6c4cdadbcd5d26d45f5
SHA256 7ebbe5c03ebd2d704ef367080ea952998b6025f0407c873aec3435e3e15d2216
SHA512 e6ef91f9b6ea4ff024e568bbac7534c094034db234443a09d14f2d4939631f3ff8ed3f8929622fbf877bcb581e9534d47dbf6a5e507a597d0c90f88062b0d221

memory/2408-177-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2408-190-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2408-191-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/1456-225-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 22:24

Reported

2024-06-15 22:27

Platform

win10v2004-20240611-en

Max time kernel

96s

Max time network

132s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e576b6c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5748ff.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57493e C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
File created C:\Windows\e57bad4 C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1332 wrote to memory of 4448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe
PID 4448 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe
PID 4448 wrote to memory of 2456 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5748ff.exe
PID 2456 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\fontdrvhost.exe
PID 2456 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\fontdrvhost.exe
PID 2456 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\dwm.exe
PID 2456 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\sihost.exe
PID 2456 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\svchost.exe
PID 2456 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\taskhostw.exe
PID 2456 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\svchost.exe
PID 2456 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\DllHost.exe
PID 2456 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2456 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2456 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2456 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2456 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2456 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\rundll32.exe
PID 2456 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SysWOW64\rundll32.exe
PID 4448 wrote to memory of 4424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a47.exe
PID 4448 wrote to memory of 4424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a47.exe
PID 4448 wrote to memory of 4424 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e574a47.exe
PID 4448 wrote to memory of 4576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576b6c.exe
PID 4448 wrote to memory of 4576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576b6c.exe
PID 4448 wrote to memory of 4576 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e576b6c.exe
PID 2456 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\fontdrvhost.exe
PID 2456 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\fontdrvhost.exe
PID 2456 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\dwm.exe
PID 2456 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\sihost.exe
PID 2456 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\svchost.exe
PID 2456 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\taskhostw.exe
PID 2456 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\Explorer.EXE
PID 2456 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\svchost.exe
PID 2456 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\DllHost.exe
PID 2456 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2456 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2456 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2456 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2456 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2456 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Users\Admin\AppData\Local\Temp\e574a47.exe
PID 2456 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Users\Admin\AppData\Local\Temp\e574a47.exe
PID 2456 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Windows\System32\RuntimeBroker.exe
PID 2456 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Users\Admin\AppData\Local\Temp\e576b6c.exe
PID 2456 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\e5748ff.exe C:\Users\Admin\AppData\Local\Temp\e576b6c.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5748ff.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e576b6c.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\666dddd2d684049dcca22ce8876f86e36d516025c3f46714492a14a4b428a585.dll,#1

C:\Users\Admin\AppData\Local\Temp\e5748ff.exe

C:\Users\Admin\AppData\Local\Temp\e5748ff.exe

C:\Users\Admin\AppData\Local\Temp\e574a47.exe

C:\Users\Admin\AppData\Local\Temp\e574a47.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e576b6c.exe

C:\Users\Admin\AppData\Local\Temp\e576b6c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4448-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e5748ff.exe

MD5 40a53d43eaf67f2ed5f2b1ff41914c4d
SHA1 44a4d0445572a838e8929016853174c02425b727
SHA256 d6b7bbacc52c79fefc58f49f5ed816898c4474234c3a3b1030f13440f1799eaf
SHA512 1b5d24aa25eb44782bcae24f6e85afa03e2b9780247e58c8e8dc0821b106ce800b93070bdcf756a6f33f20395ce65826c5c6d218f6ddb2f988498170911235e0

memory/2456-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2456-6-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-10-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-13-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-15-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4424-35-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2456-32-0x00000000019B0000-0x00000000019B2000-memory.dmp

memory/4448-31-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

memory/2456-30-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4448-27-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

memory/2456-24-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-26-0x00000000019B0000-0x00000000019B2000-memory.dmp

memory/2456-14-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-19-0x00000000019C0000-0x00000000019C1000-memory.dmp

memory/4448-17-0x0000000000D30000-0x0000000000D31000-memory.dmp

memory/4448-16-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

memory/2456-9-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-8-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-25-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-37-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-36-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-38-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-40-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-39-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4576-48-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4576-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4424-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4576-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4424-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2456-50-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/4424-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4576-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2456-59-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-60-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-62-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-64-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-65-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-67-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-69-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-71-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-73-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-80-0x00000000019B0000-0x00000000019B2000-memory.dmp

memory/2456-77-0x00000000007B0000-0x000000000186A000-memory.dmp

memory/2456-94-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4424-98-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 ab07f425e7f00f96d1c8bb4cb3e7aca2
SHA1 0a2b34b53248d81e42d7b3ba90484aaff48609cb
SHA256 646f2cfd5406ef64b672e82feec8c8672d7c9435fd709618e192bc42685c99d0
SHA512 36ded446af16c1e75d4b647f50b2c65407f0c916f66d1f13e6881fefb78b66d5fa5993b9486c4b6bb18f61d70bccb3cd842efa66bbf8da2f01b775de25258435

memory/4576-115-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4576-113-0x0000000000B90000-0x0000000001C4A000-memory.dmp