Malware Analysis Report

2025-06-16 06:53

Sample ID 241104-dgby8svkak
Target e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N
SHA256 e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1
Tags
sality backdoor discovery evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1

Threat Level: Known bad

The file e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Sality family

Sality

UAC bypass

Modifies firewall policy service

Windows security bypass

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:58

Reported

2024-11-04 03:00

Platform

win7-20240903-en

Max time kernel

27s

Max time network

18s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
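Note that the "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" tables all cite the same two EnableLUA = "0" writes, and "Windows security bypass" and "Windows security modification" overlap the same way, so a host audit needs one check per registry value, not one per signature. The script below is an added example (not part of the sandbox report or its tooling): it parses rows in the format printed above, folds the sandbox's native key paths and ControlSet001 alias into the form a live host uses, and compares a registry snapshot against what the sample wrote. The sample rows are copied from the tables above; the treatment of DoNotAllowExceptions = "0" as the Windows default is our own assumption, and the winreg reader only runs on Windows.

```python
"""Turn the registry-write rows of a Triage-style report into a host audit.
Added example: the sample rows are copied from the tables above; the
parsing, normalisation and audit logic is ours, not the sandbox's."""
import re
from collections import namedtuple

# Constructed sample: one row per distinct value from the behavioral1 tables.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
"""

Indicator = namedtuple("Indicator", "kind key value data process")
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\]+) = "([^"]*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+) (\S+)$')

def normalize(key):
    """Sandbox native path -> the form reg.exe/winreg use, case-folded, with the
    concrete ControlSetNNN replaced by CurrentControlSet so the Win7 and Win10
    runs (and a live host) compare equal."""
    key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    key = re.sub(r"(?i)\\ControlSet\d+\\", r"\\CurrentControlSet\\", key)
    return key.lower()

def parse_indicators(text):
    out = []
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            out.append(Indicator("set", normalize(m[2]), m[3], m[4], m[5]))
        elif m := KEY_RE.match(line):
            out.append(Indicator("key", normalize(m[1]), None, None, m[2]))
    return out

# Assumption: data the sample writes that is also the Windows default proves
# nothing when found on a host, so the audit skips it.  DoNotAllowExceptions=0
# is the "exceptions allowed" state the firewall ships with.
DEFAULT_DATA = {("donotallowexceptions", "0")}

def keys_to_inspect(indicators):
    """Keys the sample created.  Existence alone is not evidence (a Security
    Center\\Svc subkey exists on healthy hosts), so they are listed, not scored."""
    return sorted({i.key for i in indicators if i.kind == "key"})

def audit(indicators, snapshot):
    """snapshot: {normalized_key: {value_name_lower: data_as_str}} read from a
    host.  Returns (key, value, data) for every value whose host data equals
    what the sample wrote, i.e. the defences it turned off are still off."""
    hits = set()
    for i in indicators:
        values = snapshot.get(i.key)
        if i.kind != "set" or values is None:
            continue
        if (i.value.lower(), i.data) in DEFAULT_DATA:
            continue
        if values.get(i.value.lower()) == i.data:
            hits.add((i.key, i.value, i.data))
    return sorted(hits)

def snapshot_from_host(indicators):
    """Read the indicator keys from the local registry.  Windows only; the
    audit itself needs no Windows API, so it also runs on an analyst's box."""
    import winreg
    snap = {}
    for key in {i.key for i in indicators}:
        subkey = key.split("\\", 1)[1]          # drop the 'hklm\' prefix
        try:
            h = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                               winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            continue                            # key absent on this host
        values, idx = {}, 0
        with h:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(h, idx)
                except OSError:
                    break
                values[name.lower()] = str(data)
                idx += 1
        snap[key] = values
    return snap

if __name__ == "__main__":
    inds = parse_indicators(SAMPLE_ROWS)
    for hit in audit(inds, snapshot_from_host(inds)):
        print("STILL TAMPERED:", *hit)
    print("keys to inspect:", *keys_to_inspect(inds))
```

Run it on a suspect host after cleanup: any line printed as STILL TAMPERED is a value the sample set that nobody restored (EnableLUA and EnableFirewall are the two that matter most). The audit compares exact data strings, so it does not flag a host where a different policy set the same value; that is deliberate, the finding is "matches what this sample wrote", not "misconfigured".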

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×24: the signature matched 24 times, but the report records no indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f7695d9 C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
File created C:\Windows\f76e80e C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A (×23)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A (×23)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (×7)
PID 2192 wrote to memory of 2112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76955d.exe (×4)
PID 2112 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\taskhost.exe
PID 2112 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\Dwm.exe
PID 2112 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\Explorer.EXE
PID 2112 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\DllHost.exe
PID 2112 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\rundll32.exe
PID 2112 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\SysWOW64\rundll32.exe (×2)
PID 2192 wrote to memory of 2828 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7698c6.exe (×4)
PID 2192 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe (×4)
PID 2112 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\taskhost.exe
PID 2112 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\Dwm.exe
PID 2112 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\Explorer.EXE
PID 2112 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\DllHost.exe
PID 2112 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Users\Admin\AppData\Local\Temp\f7698c6.exe (×2)
PID 2112 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe (×2)
PID 2716 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\system32\taskhost.exe
PID 2716 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\system32\Dwm.exe
PID 2716 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\Explorer.EXE
PID 2716 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\system32\DllHost.exe
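Read as a graph, the table above shows the loader chain (system32\rundll32.exe 1804 -> SysWOW64\rundll32.exe 2192 -> the dropped f76955d.exe 2112), then 2112 writing into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe and back into both rundll32 loaders, and the second dropped executable f76b0b9.exe (2716) repeating the four system targets. The script below is an added example, not part of the sandbox report: it parses rows in the format printed above (a trailing "(×N)" repeat count is accepted for collapsed rows and counted N times; plain rows count once), rebuilds the injection graph, walks it from a chosen PID with cycle protection, and counts Windows binaries written to by executables living in the user's Temp directory, which is the relationship a Sysmon ProcessAccess rule would key on. The sample rows are a subset copied from the table; the Sysmon mapping in the comment is our own framing.

```python
"""Rebuild the process-injection graph from 'Suspicious use of
WriteProcessMemory' rows.  Added example: the row format is the sandbox's,
the graph code is ours."""
import re
from collections import Counter, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of the rows in the table above, first two collapsed.
SAMPLE_ROWS = r"""
PID 1804 wrote to memory of 2192 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (×7)
PID 2192 wrote to memory of 2112 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76955d.exe (×4)
PID 2112 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\taskhost.exe
PID 2112 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\Dwm.exe
PID 2112 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\Explorer.EXE
PID 2112 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\DllHost.exe
PID 2112 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\system32\rundll32.exe
PID 2112 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\f76955d.exe C:\Windows\SysWOW64\rundll32.exe
PID 2192 wrote to memory of 2716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe
PID 2716 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\system32\taskhost.exe
PID 2716 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe C:\Windows\Explorer.EXE
"""

# Optional trailing "(×N)" is a repeat count for rows that have been collapsed.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)(?: \(×(\d+)\))?$")

@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    count: int = 1

def parse_writes(text):
    writes = []
    for line in text.splitlines():
        if m := ROW_RE.match(line.strip()):
            writes.append(Write(int(m[1]), int(m[2]), m[3], m[4], int(m[5] or 1)))
    return writes

def pid_images(writes):
    """pid -> image path, taken from both ends of every edge."""
    img = {}
    for w in writes:
        img[w.src_pid] = w.src_image
        img[w.dst_pid] = w.dst_image
    return img

def edge_counts(writes):
    c = Counter()
    for w in writes:
        c[(w.src_pid, w.dst_pid)] += w.count
    return c

def reachable(writes, start):
    """PIDs that received writes, directly or transitively, from `start`.
    BFS with a visited set: the dropper writes back into its own loader
    (2112 -> 2192 -> 2112), so a naive walk would loop."""
    adj = {}
    for w in writes:
        adj.setdefault(w.src_pid, set()).add(w.dst_pid)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def in_user_temp(image):
    return "\\appdata\\local\\temp\\" in image.lower()

def system_targets(writes):
    """Windows binaries written to by an executable in the user's Temp
    directory, keyed by image name.  Assumed mapping: this is what a Sysmon
    ProcessAccess (Event ID 10) rule would look for, a non-Windows source
    opening a Windows process with PROCESS_VM_WRITE (0x20) in GrantedAccess."""
    c = Counter()
    for w in writes:
        if in_user_temp(w.src_image) and w.dst_image.lower().startswith("c:\\windows\\"):
            c[PureWindowsPath(w.dst_image).name.lower()] += w.count
    return c

if __name__ == "__main__":
    ws = parse_writes(SAMPLE_ROWS)
    names = pid_images(ws)
    for (s, d), n in sorted(edge_counts(ws).items()):
        print(f"{s} {names[s]} -> {d} {names[d]}  x{n}")
    print("reached from 1804:", sorted(reachable(ws, 1804)))
    print("system processes written by Temp droppers:", dict(system_targets(ws)))
```

The image names are keyed by basename, so the two rundll32 loaders (system32 and SysWOW64) fold into one bucket; keep the full path if the distinction matters for your rule.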

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76955d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N.dll,#1

C:\Users\Admin\AppData\Local\Temp\f76955d.exe

C:\Users\Admin\AppData\Local\Temp\f76955d.exe

C:\Users\Admin\AppData\Local\Temp\f7698c6.exe

C:\Users\Admin\AppData\Local\Temp\f7698c6.exe

C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe

C:\Users\Admin\AppData\Local\Temp\f76b0b9.exe

Network

N/A

Files

memory/2192-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2192-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2192-3-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f76955d.exe

MD5 236c7418d5409697603b140fc21a8e69
SHA1 15c39e1637ff8968ce187e305320820ae9ce03a6
SHA256 b6d02eab6acbeb5720cef53b569adbbae263aaf2ab9320c7a11751176e0f7ba6
SHA512 7d798a7f4551047f65dfb84ad425cedb833c2e4e1aec3dfe6df50e56fcc630e27b9b296dc0e9eee41f534486d7564a3c5899c343d9d66cf84d79df05d85d0baf

memory/2192-11-0x0000000000110000-0x0000000000122000-memory.dmp

memory/2112-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2192-6-0x0000000000110000-0x0000000000122000-memory.dmp

memory/2112-17-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-14-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-20-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-23-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-18-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-21-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-16-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-24-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-22-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-52-0x00000000017E0000-0x00000000017E2000-memory.dmp

memory/2112-19-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2828-62-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2192-61-0x00000000009A0000-0x00000000009B2000-memory.dmp

memory/2192-60-0x00000000009A0000-0x00000000009B2000-memory.dmp

memory/2192-51-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2112-50-0x00000000017E0000-0x00000000017E2000-memory.dmp

memory/2112-49-0x0000000004230000-0x0000000004231000-memory.dmp

memory/2192-42-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2192-41-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2192-39-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2192-38-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1112-30-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2112-63-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-64-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-65-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-67-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-66-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-69-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-70-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2192-82-0x0000000000110000-0x0000000000112000-memory.dmp

memory/2192-78-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2716-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2112-84-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-85-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-89-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2112-90-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2716-112-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2716-111-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2828-105-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2828-102-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2828-101-0x0000000000370000-0x0000000000371000-memory.dmp

memory/2828-131-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2112-153-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2112-152-0x0000000000590000-0x000000000164A000-memory.dmp

memory/2828-157-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 e3d0f50afa3c5c1dcfea5ac798bd3eab
SHA1 2beed7f2624767bdee8d469faf4a4fa6c0ec8a65
SHA256 26d7398736b1e19275e28721a38bfaabd92d08ac45cd92021f9694993c4558c0
SHA512 ccbd5275d9f5cf283c2831b9444521b1c3d4059d7480bc851b3c563a410f7f2f09f7baa4fd998800db4c0d6f8820d9fb48941d11e9f6324f9d8d6f3bb9127a25

memory/2716-182-0x0000000000920000-0x00000000019DA000-memory.dmp

memory/2716-208-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2716-207-0x0000000000920000-0x00000000019DA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:58

Reported

2024-11-04 03:01

Platform

win10v2004-20241007-en

Max time kernel

106s

Max time network

112s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×31: the signature matched 31 times, but the report records no indicator, process or target for any of them)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57a49c C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57a623.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57bf87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe
PID 3596 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\fontdrvhost.exe
PID 3596 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\fontdrvhost.exe
PID 3596 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\dwm.exe
PID 3596 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\svchost.exe
PID 3596 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\sihost.exe
PID 3596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\taskhostw.exe
PID 3596 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\Explorer.EXE
PID 3596 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\svchost.exe
PID 3596 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\DllHost.exe
PID 3596 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3596 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3596 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3596 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3596 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3596 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\rundll32.exe
PID 3596 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 2284 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 2284 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 2284 wrote to memory of 2276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe
PID 2284 wrote to memory of 2276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe
PID 2284 wrote to memory of 2276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe
PID 3596 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\fontdrvhost.exe
PID 3596 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\fontdrvhost.exe
PID 3596 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\dwm.exe
PID 3596 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\svchost.exe
PID 3596 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\sihost.exe
PID 3596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\taskhostw.exe
PID 3596 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\Explorer.EXE
PID 3596 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\svchost.exe
PID 3596 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\DllHost.exe
PID 3596 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3596 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3596 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3596 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3596 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 3596 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 3596 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\System32\RuntimeBroker.exe
PID 3596 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe
PID 3596 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
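The WriteProcessMemory rows above read as a chain once grouped by PID: the 64-bit rundll32.exe (4516) writes into the SysWOW64 rundll32.exe (2284), which writes into the dropped e57a42f.exe (3596), which in turn writes into fontdrvhost.exe, dwm.exe, Explorer.EXE and the other listed system processes, back into its own loader, and into the two further dropped executables e57a623.exe (4736) and e57bf87.exe (2276). As an added example (not part of the sandbox report), the following Python rebuilds that chain and the host IOCs from rows copied out of the tables above. It assumes the report's whitespace-separated "Description Indicator Process Target" layout and that the Process and Target image paths contain no spaces (true for every row in this report); the Indicator field may contain spaces, as in the 7-Zip paths, and is parsed non-greedily.

```python
r"""Rebuild the process-injection chain and host IOCs from flattened
sandbox signature rows (added example, not part of the sandbox report).

Assumed row layout: "Description Indicator Process Target", whitespace-
separated, with Process/Target image paths that contain no spaces.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the report's "Suspicious use of
# WriteProcessMemory" table (a subset; repeated rows are one write call each).
WPM_ROWS = r"""
PID 4516 wrote to memory of 2284 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2284 wrote to memory of 3596 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe
PID 3596 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\fontdrvhost.exe
PID 3596 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\dwm.exe
PID 3596 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\Explorer.EXE
PID 3596 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\Explorer.EXE
PID 3596 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\e57a42f.exe C:\Windows\system32\rundll32.exe
PID 2284 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57a623.exe
PID 2284 wrote to memory of 2276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf87.exe
"""

# Constructed input: rows copied from the report's registry and file tables.
IOC_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File created C:\Windows\e57a49c C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57a42f.exe N/A
"""

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
REG_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) N/A$')
FILE_RE = re.compile(r'^File (created|opened for modification) (.+?) (\S+) N/A$')


def parse_wpm(rows):
    """Return (edges, names): edges is a set of (writer_pid, target_pid),
    names maps pid -> image path. Repeated rows (one per write) collapse."""
    edges, names = set(), {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges.add((src, dst))
        names[src], names[dst] = src_img, dst_img
    return edges, names


def targets_of(edges, pid):
    """PIDs that `pid` wrote into, sorted."""
    return sorted(d for s, d in edges if s == pid)


def injection_chain(edges, names, root):
    """Depth-first walk from `root`, returning (depth, pid, image) tuples.
    A visited set stops the cycle created when the payload writes back
    into its own loader (3596 -> 4516 in this report)."""
    children = defaultdict(list)
    for s, d in edges:
        children[s].append(d)
    out, seen = [], set()

    def walk(pid, depth):
        if pid in seen:
            return
        seen.add(pid)
        out.append((depth, pid, names.get(pid, '?')))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return out


def extract_iocs(rows):
    """Registry (key, value, process) and file (action, path, process) IOCs."""
    iocs = {'registry': [], 'files': []}
    for line in rows.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            _, key, value, proc = m.groups()
            iocs['registry'].append((key, value, proc))
            continue
        m = FILE_RE.match(line)
        if m:
            iocs['files'].append(m.groups())
    return iocs


if __name__ == '__main__':
    edges, names = parse_wpm(WPM_ROWS)
    for depth, pid, image in injection_chain(edges, names, 4516):
        print('  ' * depth + f'{pid} {image}')
    for kind, entries in extract_iocs(IOC_ROWS).items():
        for entry in entries:
            print(kind, *entry)
```

The root PID 4516 is taken from the report's own command line (the 64-bit rundll32.exe that loads the sample DLL). Feeding the full table in gives the complete target list; the subset above is enough to show the three-level chain and the loader-to-payload-to-loader cycle.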

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1483fd2a8a670c00ed419aea7fcdf4c9059a8f35c6f3056bb62d2240ae891f1N.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57a42f.exe

C:\Users\Admin\AppData\Local\Temp\e57a42f.exe

C:\Users\Admin\AppData\Local\Temp\e57a623.exe

C:\Users\Admin\AppData\Local\Temp\e57a623.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57bf87.exe

C:\Users\Admin\AppData\Local\Temp\e57bf87.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2284-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57a42f.exe

MD5 236c7418d5409697603b140fc21a8e69
SHA1 15c39e1637ff8968ce187e305320820ae9ce03a6
SHA256 b6d02eab6acbeb5720cef53b569adbbae263aaf2ab9320c7a11751176e0f7ba6
SHA512 7d798a7f4551047f65dfb84ad425cedb833c2e4e1aec3dfe6df50e56fcc630e27b9b296dc0e9eee41f534486d7564a3c5899c343d9d66cf84d79df05d85d0baf

memory/3596-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-9-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-8-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-10-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-11-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-22-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-26-0x0000000001970000-0x0000000001972000-memory.dmp

memory/2284-24-0x0000000000810000-0x0000000000812000-memory.dmp

memory/3596-16-0x0000000003E70000-0x0000000003E71000-memory.dmp

memory/2284-14-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2284-13-0x0000000000810000-0x0000000000812000-memory.dmp

memory/3596-32-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-12-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-23-0x0000000000750000-0x000000000180A000-memory.dmp

memory/4736-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3596-33-0x0000000000750000-0x000000000180A000-memory.dmp

memory/2284-29-0x0000000000810000-0x0000000000812000-memory.dmp

memory/3596-28-0x0000000001970000-0x0000000001972000-memory.dmp

memory/3596-35-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-36-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-37-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-38-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-40-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-39-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-42-0x0000000000750000-0x000000000180A000-memory.dmp

memory/2284-46-0x0000000000810000-0x0000000000812000-memory.dmp

memory/3596-50-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-51-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-53-0x0000000001970000-0x0000000001972000-memory.dmp

memory/3596-54-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-55-0x0000000000750000-0x000000000180A000-memory.dmp

memory/2276-60-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4736-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2276-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4736-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2276-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4736-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3596-65-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-67-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-70-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-71-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-74-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-81-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-84-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-83-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-85-0x0000000000750000-0x000000000180A000-memory.dmp

memory/3596-86-0x0000000000750000-0x000000000180A000-memory.dmp

memory/2276-88-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4736-87-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/3596-98-0x0000000001970000-0x0000000001972000-memory.dmp

memory/3596-107-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4736-111-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2276-116-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2276-117-0x0000000000B30000-0x0000000001BEA000-memory.dmp

memory/2276-118-0x0000000000B30000-0x0000000001BEA000-memory.dmp