Malware Analysis Report

2024-11-16 13:14

Sample ID: 240625-ym5hyszaqd
Target: 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134
SHA256: 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134
Tags: sality, backdoor, evasion, trojan, upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134

Threat Level: Known bad

The file 30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134 was found to be: Known bad.

Malicious Activity Summary

Tags: sality, backdoor, evasion, trojan, upx

UAC bypass

Windows security bypass

Modifies firewall policy service

Sality

UPX dump on OEP (original entry point)

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 19:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 19:55

Reported

2024-06-25 19:57

Platform

win7-20240611-en

Max time kernel

122s

Max time network

126s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (26 identical rows)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (31 identical rows)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (26 identical rows)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\f76c68a | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A
File created | C:\Windows\f76760a | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A (21 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1720 wrote to memory of 2084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76754f.exe
PID 2084 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76754f.exe
PID 2084 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76754f.exe
PID 2084 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76754f.exe
PID 2332 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\taskhost.exe
PID 2332 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\Dwm.exe
PID 2332 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\Explorer.EXE
PID 2332 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\DllHost.exe
PID 2332 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\rundll32.exe
PID 2332 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2084 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2084 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2084 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2084 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2084 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe
PID 2084 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe
PID 2084 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe
PID 2084 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe
PID 2332 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\taskhost.exe
PID 2332 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\system32\Dwm.exe
PID 2332 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Windows\Explorer.EXE
PID 2332 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2332 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Users\Admin\AppData\Local\Temp\f76783c.exe
PID 2332 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe
PID 2332 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | C:\Users\Admin\AppData\Local\Temp\f76952e.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76754f.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\f76783c.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76754f.exe

C:\Users\Admin\AppData\Local\Temp\f76754f.exe

C:\Users\Admin\AppData\Local\Temp\f76783c.exe

C:\Users\Admin\AppData\Local\Temp\f76783c.exe

C:\Users\Admin\AppData\Local\Temp\f76952e.exe

C:\Users\Admin\AppData\Local\Temp\f76952e.exe

Network

N/A

Files

memory/2084-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2084-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2084-2-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2084-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2084-7-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76754f.exe

MD5 bee317ce3f6683067aef3736de474d94
SHA1 ed9fb70af7261295f443055047cfb51b646c6aeb
SHA256 9f9d8b9e8c70b0e5d9ac21f09232ca7fb1bf668cef97c8fd8ad1460042788ce4
SHA512 fe40b179725c7a446b1c6d6ee215e018976e65827a16b17367f663f296b0a1ffdc81a0aec768b83e43273ecdc4abc4e00a0107d40351f1cdddb0dfe991a276af

memory/2332-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2084-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2084-56-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2084-59-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2084-58-0x00000000002E0000-0x00000000002F2000-memory.dmp

memory/2332-57-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

memory/2468-61-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-25-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-24-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-23-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-49-0x0000000002EF0000-0x0000000002EF2000-memory.dmp

memory/2332-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-47-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

memory/2084-46-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2332-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2084-38-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2084-37-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2332-62-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1104-31-0x0000000001BC0000-0x0000000001BC2000-memory.dmp

memory/2332-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-64-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-66-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-65-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-68-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-63-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-69-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-70-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1652-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2084-79-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2332-71-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-86-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-87-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2468-106-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2468-105-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/1652-104-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1652-103-0x0000000000260000-0x0000000000262000-memory.dmp

memory/1652-102-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2468-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2332-109-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-126-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2332-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2332-149-0x0000000000520000-0x00000000015DA000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 b8a1e97b991ffc2a435d04928543f24e
SHA1 78676a205cc666626ecb09e568525d5ce5bc1298
SHA256 d8f86db6cee69df277406ef4b9820bcc45c991be05a89e830aee8d269be13cc6
SHA512 f7c1bb76316de2bb9c7e3e54d73505ad5eccc26fba86e2d158da6259cf719dfd6916746d76a2e67b0e3da733123433d5e1f27e90ab92c751f0a20a33667c7c08

memory/2468-168-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2468-175-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2468-174-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/1652-179-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 19:55

Reported

2024-06-25 19:57

Platform

win10v2004-20240508-en

Max time kernel

52s

Max time network

62s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (26 identical rows)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (30 identical rows)

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (26 identical rows)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\e5780c9.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\e575294.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e575294.exe N/A
File created C:\Windows\e57a836 C:\Users\Admin\AppData\Local\Temp\e5780c9.exe N/A
File created C:\Windows\e5752d3 C:\Users\Admin\AppData\Local\Temp\e575294.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe N/A (logged 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 4816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575294.exe
PID 3148 wrote to memory of 4816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575294.exe
PID 3148 wrote to memory of 4816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575294.exe
PID 4816 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\fontdrvhost.exe
PID 4816 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\fontdrvhost.exe
PID 4816 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\dwm.exe
PID 4816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\sihost.exe
PID 4816 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\svchost.exe
PID 4816 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\taskhostw.exe
PID 4816 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\Explorer.EXE
PID 4816 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\svchost.exe
PID 4816 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\DllHost.exe
PID 4816 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4816 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\System32\RuntimeBroker.exe
PID 4816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4816 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\System32\RuntimeBroker.exe
PID 4816 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\rundll32.exe
PID 4816 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SysWOW64\rundll32.exe
PID 4816 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 3336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57536f.exe
PID 3148 wrote to memory of 3336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57536f.exe
PID 3148 wrote to memory of 3336 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57536f.exe
PID 4816 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\fontdrvhost.exe
PID 4816 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\fontdrvhost.exe
PID 4816 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\dwm.exe
PID 4816 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\sihost.exe
PID 4816 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\svchost.exe
PID 4816 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\taskhostw.exe
PID 4816 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\Explorer.EXE
PID 4816 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\svchost.exe
PID 4816 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\DllHost.exe
PID 4816 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4816 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\System32\RuntimeBroker.exe
PID 4816 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4816 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\System32\RuntimeBroker.exe
PID 4816 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\rundll32.exe
PID 4816 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Users\Admin\AppData\Local\Temp\e57536f.exe
PID 4816 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Users\Admin\AppData\Local\Temp\e57536f.exe
PID 3148 wrote to memory of 3836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5780c9.exe
PID 3148 wrote to memory of 3836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5780c9.exe
PID 3148 wrote to memory of 3836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5780c9.exe
PID 3836 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\fontdrvhost.exe
PID 3836 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\fontdrvhost.exe
PID 3836 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\dwm.exe
PID 3836 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\sihost.exe
PID 3836 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\svchost.exe
PID 3836 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\taskhostw.exe
PID 3836 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\Explorer.EXE
PID 3836 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\svchost.exe
PID 3836 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\system32\DllHost.exe
PID 3836 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3836 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\System32\RuntimeBroker.exe
PID 3836 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3836 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\System32\RuntimeBroker.exe
PID 3836 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
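
The rows above are enough to reconstruct the injection chain without the sandbox's process tree, and that chain in one view is what a practitioner triaging this report usually wants. The Python script below is an added example, not part of the report or of any sandbox tooling: it parses rows in exactly the layout used above (a constructed subset of them is embedded), counts repeated writes per source/target pair, and separates the first loader, the stages that received code and then injected further, and the Windows system processes that only ever received writes. The origin is taken from the earliest row rather than from "a PID nobody wrote into", because e575294.exe writes back into both rundll32.exe loaders (PIDs 5104 and 3148), so every PID in this table has an incoming write. The C:\Windows\ prefix used to recognise system processes is an assumption about the detonation VM's system drive.

```python
"""Rebuild the injection chain from sandbox "wrote to memory of" rows (added example)."""
import re
from collections import Counter

# Constructed input: a subset of the rows in the table above, in the report's own layout.
SAMPLE_ROWS = r"""
PID 5104 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5104 wrote to memory of 3148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 4816 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e575294.exe
PID 4816 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\fontdrvhost.exe
PID 4816 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\Explorer.EXE
PID 4816 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\system32\rundll32.exe
PID 4816 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\e575294.exe C:\Windows\SysWOW64\rundll32.exe
PID 3148 wrote to memory of 3836 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5780c9.exe
PID 3836 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e5780c9.exe C:\Windows\Explorer.EXE
"""

# Row layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (\S+)$")
SYSTEM_ROOT = "c:\\windows\\"   # assumption: default system drive on the detonation VM


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per row, in report (chronological) order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_graph(events):
    """Collapse repeated rows into (src, dst) -> write count and record pid -> image path."""
    edges = Counter()
    images = {}
    for src, dst, src_img, dst_img in events:
        edges[(src, dst)] += 1
        images[src] = src_img
        images[dst] = dst_img
    return edges, images


def classify(events, edges, images):
    """Split pids into the origin, payload stages and passive targets.

    The origin is the source of the earliest write, not "a pid nobody wrote to":
    the payload writes back into its own rundll32 loaders, so every pid here has
    an incoming write and the naive test would find no root at all.
    """
    origin = events[0][0]
    writers = {src for src, _ in edges}
    written = {dst for _, dst in edges}
    stagers = (writers & written) - {origin}   # received code, then injected further
    passive = written - writers                 # only ever received writes
    system_targets = {p for p in passive if images[p].lower().startswith(SYSTEM_ROOT)}
    return {"origin": origin, "stagers": stagers, "passive": passive,
            "system_targets": system_targets}


def render_chain(edges, images, pid, depth=0, seen=None):
    """Depth-first text tree of who wrote into whom; a pid already shown is not re-expanded."""
    seen = set() if seen is None else seen
    indent = "  " * depth
    if pid in seen:
        return [f"{indent}{pid} {images[pid]} (already shown above)"]
    seen.add(pid)
    lines = [f"{indent}{pid} {images[pid]}"]
    for child in sorted(dst for (src, dst) in edges if src == pid):
        lines.append(f"{indent}  -> {edges[(pid, child)]} write(s) into:")
        lines.extend(render_chain(edges, images, child, depth + 2, seen))
    return lines


def summarize(text):
    """Parse the rows and return (classification, rendered chain starting at the origin)."""
    events = parse_rows(text)
    edges, images = build_graph(events)
    verdict = classify(events, edges, images)
    tree = "\n".join(render_chain(edges, images, verdict["origin"]))
    return verdict, tree


if __name__ == "__main__":
    verdict, tree = summarize(SAMPLE_ROWS)
    print(tree)
    print("payload stages:", sorted(verdict["stagers"]))
    print("system processes injected into:", sorted(verdict["system_targets"]))
```

Fed the whole table rather than the embedded subset, the script reports 3148, 4816 and 3836 as the stages and the logon-session processes (fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE, RuntimeBroker.exe and the rest) as passive targets; e57536f.exe (PID 3336) receives writes but never injects, so it lands in "passive" without being counted as a system target.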

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e575294.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5780c9.exe N/A
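
Both e575294.exe and e5780c9.exe set EnableLUA to 0 (here and under "Checks whether UAC is enabled" above), and e5780c9.exe also sets UacDisableNotify to 1. On a suspect host the quickest check is to export those keys with reg query and compare. The Python script below is an added example, not part of the report: it parses reg query output in its standard layout (a constructed export stands in for a live one), looks up the two values this section records, and reports each as tampered, ok, absent or unexpected. The "healthy" values (EnableLUA = 1, UacDisableNotify = 0) are the Windows defaults and are an assumption of the example, not something the report states.

```python
"""Check reg query output for the UAC policy tampering recorded above (added example)."""
import re

# (key as reg query prints it, value name, value the sample wrote, value a healthy host should have)
# The first three columns come from the signature tables in this section; the last is the
# Windows default (assumption).
TAMPERING = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", 0, 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center",
     "UacDisableNotify", 1, 0),
]

# Constructed stand-in for the combined output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
#   reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
# on a host where the sample has run.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
    UacDisableNotify    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Map (key, value name) -> (type, data) from reg query output; REG_DWORD data becomes an int."""
    values = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith((" ", "\t")):
            key = raw.strip()                      # un-indented line = a key path
            continue
        if key is None:
            raise ValueError(f"value line before any key: {raw!r}")
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)   # columns are 4-space separated
        if len(parts) < 2:
            raise ValueError(f"unrecognised value line: {raw!r}")
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) > 2 else ""  # REG_SZ may legitimately be empty
        if vtype == "REG_DWORD":
            data = int(data, 16)                   # printed as 0x...
        values[(key.lower(), name.lower())] = (vtype, data)
    return values


def check(values):
    """Compare each watched value with what the sample writes; returns one finding per entry."""
    findings = []
    for key, name, bad, good in TAMPERING:
        entry = values.get((key.lower(), name.lower()))
        if entry is None:
            observed, status = None, "absent"
        else:
            _, observed = entry
            status = "tampered" if observed == bad else "ok" if observed == good else "unexpected"
        findings.append({"key": key, "name": name, "observed": observed, "status": status})
    return findings


def tampered(findings):
    """Only the findings that match the values this sample writes."""
    return [f for f in findings if f["status"] == "tampered"]


if __name__ == "__main__":
    for f in check(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f['status']:9} {f['name']} = {f['observed']!r}  ({f['key']})")
```

Run the two reg query commands named in the comment on the host, feed the combined output to parse_reg_query, and extend TAMPERING with any further policy values of interest. A "tampered" result is a triage indicator, not the end of the clean-up: the "Drops file in Program Files directory" rows show the same process opening 7z.exe, 7zFM.exe and 7zG.exe for modification, so restoring the registry values without cleaning or replacing infected executables leaves the infection in place.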

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\30145c92a641a4a40f04066651b4093cc1aeca7914062e2f1b8e9a117ef08134.dll,#1

C:\Users\Admin\AppData\Local\Temp\e575294.exe

C:\Users\Admin\AppData\Local\Temp\e575294.exe

C:\Users\Admin\AppData\Local\Temp\e57536f.exe

C:\Users\Admin\AppData\Local\Temp\e57536f.exe

C:\Users\Admin\AppData\Local\Temp\e5780c9.exe

C:\Users\Admin\AppData\Local\Temp\e5780c9.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3148-1-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e575294.exe

MD5 bee317ce3f6683067aef3736de474d94
SHA1 ed9fb70af7261295f443055047cfb51b646c6aeb
SHA256 9f9d8b9e8c70b0e5d9ac21f09232ca7fb1bf668cef97c8fd8ad1460042788ce4
SHA512 fe40b179725c7a446b1c6d6ee215e018976e65827a16b17367f663f296b0a1ffdc81a0aec768b83e43273ecdc4abc4e00a0107d40351f1cdddb0dfe991a276af

memory/4816-5-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4816-6-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-8-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-10-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3336-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4816-26-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-33-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-25-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-12-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-30-0x0000000003520000-0x0000000003522000-memory.dmp

memory/3148-29-0x0000000000830000-0x0000000000832000-memory.dmp

memory/4816-27-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4816-11-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3148-19-0x0000000000830000-0x0000000000832000-memory.dmp

memory/4816-17-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/3148-15-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/4816-9-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3148-14-0x0000000000830000-0x0000000000832000-memory.dmp

memory/4816-34-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-35-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-36-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-37-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-38-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-39-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/3336-43-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3336-42-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3336-44-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3148-51-0x0000000000830000-0x0000000000832000-memory.dmp

memory/3836-50-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4816-54-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-55-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-57-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-58-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-60-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-61-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-64-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-66-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-76-0x0000000003520000-0x0000000003522000-memory.dmp

memory/4816-70-0x00000000007A0000-0x000000000185A000-memory.dmp

memory/4816-87-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3336-91-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a9f2d46b43c44d9146b4935c55cf0dd8
SHA1 fc2a0838ab306ae560074d6ef20810ed439f211e
SHA256 2cd4c308205f6dcdd72f9e0f9bf6a46b74f5e4dd02b16dd79442bdf59aef032d
SHA512 9c5aafb6a0781be496c307c615bd8508aa60f7e8fda7154129c07499c163b56353b395fe4ddc01445b13f15e0ef6e315232040c4b93b76abf1c08c9089b4f3cf

memory/3836-103-0x0000000000790000-0x000000000184A000-memory.dmp

memory/3836-112-0x0000000001AF0000-0x0000000001AF2000-memory.dmp

memory/3836-113-0x0000000001B00000-0x0000000001B01000-memory.dmp

memory/3836-146-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3836-147-0x0000000000790000-0x000000000184A000-memory.dmp