sality | ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2

General

Target

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Size

744KB
MD5

7b279432c17d041b0f923b1d84fbd3b5
SHA1

f6a2ef3a0030deaa01d38d28fd80304daa77a960
SHA256

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
SHA512

4b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e
SSDEEP

12288:lTyjXW+48qWywrU4kGFezOAVuJ5PI1ww7F5DO3HYffXWWLeJG5rIlL:JIXW/8yw1ez54lIVF5SXYHXWWLeGClL

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rundll32.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

rundll32.exeee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 41 IoCs

Processes:

resource	yara_rule
behavioral2/memory/948-3-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-1-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-7-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-11-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-12-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-8-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-14-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-6-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-5-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-22-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-21-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-36-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/948-23-0x0000000002FD0000-0x000000000405E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-53-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-50-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-49-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-48-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-46-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-52-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-59-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-51-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-54-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-55-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-61-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-62-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-66-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-67-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-68-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-70-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-71-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-72-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-74-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-75-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-77-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-78-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-82-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-84-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-85-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-117-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
C:\alvryx.pif	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2928-144-0x0000000004FC0000-0x000000000604E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 42 IoCs

Processes:

resource	yara_rule
behavioral2/memory/948-3-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-1-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-7-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-11-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-12-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-8-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-14-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-6-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-5-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-22-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-21-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-36-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/948-42-0x0000000000400000-0x00000000004C2000-memory.dmp	UPX
behavioral2/memory/948-23-0x0000000002FD0000-0x000000000405E000-memory.dmp	UPX
behavioral2/memory/2928-53-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-50-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-49-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-48-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-46-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-52-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-59-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-51-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-54-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-55-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-61-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-62-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-66-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-67-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-68-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-70-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-71-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-72-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-74-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-75-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-77-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-78-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-82-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-84-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-85-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-117-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX
behavioral2/memory/2928-143-0x0000000000400000-0x00000000004C2000-memory.dmp	UPX
behavioral2/memory/2928-144-0x0000000004FC0000-0x000000000604E000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

rundll32.exe

pid process

2928 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

rundll32.exe

pid process

2928 rundll32.exe

pid	process
2928	rundll32.exe

pid	process
2928	rundll32.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/948-3-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-1-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-7-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-11-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-12-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-8-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-14-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-6-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-5-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-22-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-21-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-36-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/948-23-0x0000000002FD0000-0x000000000405E000-memory.dmp	upx
behavioral2/memory/2928-53-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-50-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-49-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-48-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-46-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-52-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-59-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-51-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-54-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-55-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-61-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-62-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-66-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-67-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-68-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-70-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-71-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-72-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-74-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-75-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-77-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-78-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-82-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-84-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-85-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-117-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx
behavioral2/memory/2928-144-0x0000000004FC0000-0x000000000604E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

rundll32.exeee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe

Drops file in Program Files directory 3 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	rundll32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	rundll32.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	rundll32.exe

Drops file in Windows directory 1 IoCs

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

pid	process
948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

description	pid	process
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Token: SeDebugPrivilege	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

pid process

948 ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
2928 rundll32.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	pid	process	target process
PID 948 wrote to memory of 820	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	fontdrvhost.exe
PID 948 wrote to memory of 828	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	fontdrvhost.exe
PID 948 wrote to memory of 384	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	dwm.exe
PID 948 wrote to memory of 2560	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	sihost.exe
PID 948 wrote to memory of 2588	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	svchost.exe
PID 948 wrote to memory of 2748	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	taskhostw.exe
PID 948 wrote to memory of 3552	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	Explorer.EXE
PID 948 wrote to memory of 3688	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	svchost.exe
PID 948 wrote to memory of 3856	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	DllHost.exe
PID 948 wrote to memory of 3948	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	StartMenuExperienceHost.exe
PID 948 wrote to memory of 4016	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	RuntimeBroker.exe
PID 948 wrote to memory of 1016	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	SearchApp.exe
PID 948 wrote to memory of 3620	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	RuntimeBroker.exe
PID 948 wrote to memory of 372	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	RuntimeBroker.exe
PID 948 wrote to memory of 4828	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	TextInputHost.exe
PID 948 wrote to memory of 2160	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	backgroundTaskHost.exe
PID 948 wrote to memory of 4352	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	backgroundTaskHost.exe
PID 948 wrote to memory of 2928	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	rundll32.exe
PID 948 wrote to memory of 2928	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	rundll32.exe
PID 948 wrote to memory of 2928	948	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe	rundll32.exe
PID 2928 wrote to memory of 820	2928	rundll32.exe	fontdrvhost.exe
PID 2928 wrote to memory of 828	2928	rundll32.exe	fontdrvhost.exe
PID 2928 wrote to memory of 384	2928	rundll32.exe	dwm.exe
PID 2928 wrote to memory of 2560	2928	rundll32.exe	sihost.exe
PID 2928 wrote to memory of 2588	2928	rundll32.exe	svchost.exe
PID 2928 wrote to memory of 2748	2928	rundll32.exe	taskhostw.exe
PID 2928 wrote to memory of 3552	2928	rundll32.exe	Explorer.EXE
PID 2928 wrote to memory of 3688	2928	rundll32.exe	svchost.exe
PID 2928 wrote to memory of 3856	2928	rundll32.exe	DllHost.exe
PID 2928 wrote to memory of 3948	2928	rundll32.exe	StartMenuExperienceHost.exe
PID 2928 wrote to memory of 4016	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 1016	2928	rundll32.exe	SearchApp.exe
PID 2928 wrote to memory of 3620	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 372	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 4828	2928	rundll32.exe	TextInputHost.exe
PID 2928 wrote to memory of 2160	2928	rundll32.exe	backgroundTaskHost.exe
PID 2928 wrote to memory of 1652	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 1116	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 820	2928	rundll32.exe	fontdrvhost.exe
PID 2928 wrote to memory of 828	2928	rundll32.exe	fontdrvhost.exe
PID 2928 wrote to memory of 384	2928	rundll32.exe	dwm.exe
PID 2928 wrote to memory of 2560	2928	rundll32.exe	sihost.exe
PID 2928 wrote to memory of 2588	2928	rundll32.exe	svchost.exe
PID 2928 wrote to memory of 2748	2928	rundll32.exe	taskhostw.exe
PID 2928 wrote to memory of 3552	2928	rundll32.exe	Explorer.EXE
PID 2928 wrote to memory of 3688	2928	rundll32.exe	svchost.exe
PID 2928 wrote to memory of 3856	2928	rundll32.exe	DllHost.exe
PID 2928 wrote to memory of 3948	2928	rundll32.exe	StartMenuExperienceHost.exe
PID 2928 wrote to memory of 4016	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 1016	2928	rundll32.exe	SearchApp.exe
PID 2928 wrote to memory of 3620	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 372	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 4828	2928	rundll32.exe	TextInputHost.exe
PID 2928 wrote to memory of 2160	2928	rundll32.exe	backgroundTaskHost.exe
PID 2928 wrote to memory of 1652	2928	rundll32.exe	RuntimeBroker.exe
PID 2928 wrote to memory of 1116	2928	rundll32.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	rundll32.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:820

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:828

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2588

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2748

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"
2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:948

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:372

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2160

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

8

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E574C3B_Rar\rundll32.exe
Filesize
664KB

MD5
9f4ad2e1a21330ed5442d666e37a3b47

SHA1
af241db65197924eab63e20fd481bbdd8aafb053

SHA256
d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783

SHA512
c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
Filesize
744KB

MD5
7b279432c17d041b0f923b1d84fbd3b5

SHA1
f6a2ef3a0030deaa01d38d28fd80304daa77a960

SHA256
ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2

SHA512
4b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
9e19af823b490dcd28a0ce4e6b624094

SHA1
a998ace5fded07d3fde6e29440580d067c133b1a

SHA256
5ca6b54541a1396a92226aac4cd4e1e7b7e9698999a9dab376c4fc6efcf68ffa

SHA512
882eef18df09046826d433705e640f27cc40c81c9de5025839bf013af7afb6a619ca886c8a840286438978d9aa355cc3cdf68a4c01d30a13801a5a80777600cd

Download Submit
C:\alvryx.pif
Filesize
100KB

MD5
414984de22f7e6b9c1a3260ced4b744a

SHA1
9d47eb498b0c386827fa0cc804ac4f918089e6bc

SHA256
5b524bb7378d6f3062b1ae5c7deab6a6dd07fe41eadf0ea253f9b97794af26c9

SHA512
eb99a5404f59b77ca9462350253c35166bfef9b4dd5018e4a86d7ffbbad4617b01606df74b5b5c0e306773c0486345ce25116a4fbafdbd0315dbda83a2044f11

Download Submit
memory/948-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/948-3-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-1-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-7-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-11-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-12-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-8-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-15-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/948-14-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-13-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/948-6-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-5-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-10-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/948-9-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/948-22-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-21-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-36-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-42-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/948-23-0x0000000002FD0000-0x000000000405E000-memory.dmp

Filesize
16.6MB

Download
memory/948-31-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/2928-27-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2928-53-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-50-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-49-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-48-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-46-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-52-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-60-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/2928-59-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-58-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/2928-51-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-57-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2928-54-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-55-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-61-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-62-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-66-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-67-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-68-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-70-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-71-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-72-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-74-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-75-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-77-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-78-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-82-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-84-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-85-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-117-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download
memory/2928-119-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/2928-143-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2928-144-0x0000000004FC0000-0x000000000604E000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads