Malware Analysis Report

2025-06-16 06:56

Sample ID 241104-ffls6avcmq
Target cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N
SHA256 cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827
Tags: sality backdoor discovery evasion trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827

Threat Level: Known bad

The file cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N was found to be: Known bad.

Malicious Activity Summary

sality backdoor discovery evasion trojan upx

Sality family

UAC bypass

Windows security bypass

Sality

Modifies firewall policy service

Loads dropped DLL

Executes dropped EXE

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-11-04 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 04:48

Reported: 2024-11-04 04:51

Platform: win10v2004-20241007-en

Max time kernel: 29s

Max time network: 118s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
File created C:\Windows\e5812f6 C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
File created C:\Windows\e57c023 C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57c747.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e57eaae.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A (identical row repeated 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 3672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 3672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 3672 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3672 wrote to memory of 792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf58.exe
PID 3672 wrote to memory of 792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf58.exe
PID 3672 wrote to memory of 792 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57bf58.exe
PID 792 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\fontdrvhost.exe
PID 792 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\fontdrvhost.exe
PID 792 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\dwm.exe
PID 792 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\sihost.exe
PID 792 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\svchost.exe
PID 792 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\taskhostw.exe
PID 792 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\Explorer.EXE
PID 792 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\svchost.exe
PID 792 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\DllHost.exe
PID 792 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 792 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 792 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 792 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 792 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\rundll32.exe
PID 792 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SysWOW64\rundll32.exe
PID 792 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SysWOW64\rundll32.exe
PID 792 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3672 wrote to memory of 4260 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57c747.exe
PID 3672 wrote to memory of 4260 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57c747.exe
PID 3672 wrote to memory of 4260 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57c747.exe
PID 3672 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eaae.exe
PID 3672 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eaae.exe
PID 3672 wrote to memory of 3496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eaae.exe
PID 3672 wrote to memory of 4992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe
PID 3672 wrote to memory of 4992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe
PID 3672 wrote to memory of 4992 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe
PID 792 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\fontdrvhost.exe
PID 792 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\fontdrvhost.exe
PID 792 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\dwm.exe
PID 792 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\sihost.exe
PID 792 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\svchost.exe
PID 792 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\taskhostw.exe
PID 792 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\Explorer.EXE
PID 792 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\svchost.exe
PID 792 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\DllHost.exe
PID 792 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 792 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 792 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 792 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 792 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\system32\backgroundTaskHost.exe
PID 792 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57c747.exe
PID 792 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57c747.exe
PID 792 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Windows\System32\RuntimeBroker.exe
PID 792 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57eaae.exe
PID 792 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57eaae.exe
PID 792 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe
PID 792 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\e57bf58.exe C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe
PID 4992 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe C:\Windows\system32\fontdrvhost.exe
PID 4992 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe C:\Windows\system32\fontdrvhost.exe
PID 4992 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe C:\Windows\system32\dwm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57bf58.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57bf58.exe

C:\Users\Admin\AppData\Local\Temp\e57bf58.exe

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Users\Admin\AppData\Local\Temp\e57c747.exe

C:\Users\Admin\AppData\Local\Temp\e57c747.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\e57eaae.exe

C:\Users\Admin\AppData\Local\Temp\e57eaae.exe

C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe

C:\Users\Admin\AppData\Local\Temp\e57eb2b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\e57bf58.exe

MD5 3f4855e34ca66d4a8d94da47ea4b3cbc
SHA1 0ff399f134c2bd145b036be821422c2103d5edb0
SHA256 57aaf3e40638ea3b12e7c2b5626d777125d2a484ddefec767271132195842fb0
SHA512 42e89070a4dcdaae7368b3543a3bf5a7750872ac3405f66478def13d3a33db9799fee767c312fa1e13190ee9caee8db194e551631900bb868e04f6d6244a7be3

C:\Windows\SYSTEM.INI

MD5 2da620dac9082628369bcf12b0247526
SHA1 90249f16d9486ebe19a312888869abacc6c1011c
SHA256 dfaad4a90ab1f5a44ebd6335de11e90b1440204ea1bdfc513e845c196f9424fb
SHA512 c5f27c1f75a4af0f3f3c363518b8bbabca85148164d397fc790f0de3fdb24e98abe6deccb9733e1abdfb019e120fd22422f0b80888689f36094431be4c9f5fa1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 04:48

Reported: 2024-11-04 04:51

Platform: win7-20240903-en

Max time kernel: 117s

Max time network: 122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A

Sality

backdoor sality

Sality family

sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×23)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f77034b C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
File created C:\Windows\f7753cb C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A (×23)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2644 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (×7)
PID 2144 wrote to memory of 2800 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f770290.exe (×4)
PID 2800 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\taskhost.exe
PID 2800 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\Dwm.exe
PID 2800 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\DllHost.exe
PID 2800 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\rundll32.exe
PID 2800 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\SysWOW64\rundll32.exe (×2)
PID 2144 wrote to memory of 2628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f770500.exe (×4)
PID 2144 wrote to memory of 2128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f771ddd.exe (×4)
PID 2800 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\taskhost.exe
PID 2800 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\Dwm.exe
PID 2800 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\DllHost.exe
PID 2800 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Users\Admin\AppData\Local\Temp\f770500.exe (×2)
PID 2800 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Users\Admin\AppData\Local\Temp\f771ddd.exe (×2)
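The rows above chain the sandbox's 64-bit rundll32.exe (PID 2644) to its SysWOW64 counterpart (2144), from there into the dropped f770290.exe (2800), and from f770290.exe into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, Windows session processes that are not among the sample's drops; f770290.exe also writes back into both rundll32 instances. The script below is an added example, not part of this report or the sandbox that produced it. It parses rows of this shape, counts repeats per edge, separates writes into the drop directory (the sample staging its own children) from writes into system processes (injection, ATT&CK T1055), and walks the chain from the loader to any target. The row regex, the drop-directory and loader heuristics, and the DOT rendering are the editor's assumptions; the sample rows are copied from the table above with their repeat counts.

```python
"""Reconstruct the WriteProcessMemory chain from sandbox 'wrote to memory of' rows.

Added example, not the sandbox's own code. SAMPLE_ROWS are copied from this
report's behavioral1 table (repeats kept, the counts are evidence); the regex,
DROP_DIR, LOADERS and the DOT output are the editor's assumptions.
"""
import re
from collections import Counter, deque, namedtuple

Event = namedtuple("Event", "src dst src_path dst_path")
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$")
DROP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  # where the report shows the drops landing
LOADERS = {"rundll32.exe"}  # assumption: the sandbox's own DLL loader, not a victim process

# Constructed from the report's table: 7x 2644->2144, 4x 2144->2800, then the fan-out.
SAMPLE_ROWS = (
    [r"PID 2644 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"] * 7
    + [r"PID 2144 wrote to memory of 2800 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f770290.exe"] * 4
    + [
        r"PID 2800 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\taskhost.exe",
        r"PID 2800 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\Dwm.exe",
        r"PID 2800 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\Explorer.EXE",
        r"PID 2800 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\DllHost.exe",
        r"PID 2800 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\system32\rundll32.exe",
    ]
    + [r"PID 2800 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\f770290.exe C:\Windows\SysWOW64\rundll32.exe"] * 2
    + [r"PID 2144 wrote to memory of 2628 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f770500.exe"] * 4
    + [r"PID 2144 wrote to memory of 2128 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f771ddd.exe"] * 4
)


def parse_rows(rows):
    """Turn matching rows into Event tuples; rows of any other shape are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append(Event(int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]))
    return events


def build_graph(events):
    """Edge multiplicity (how often src wrote into dst) plus a pid -> image path map."""
    edges = Counter((e.src, e.dst) for e in events)
    names = {}
    for e in events:
        names.setdefault(e.src, e.src_path)
        names.setdefault(e.dst, e.dst_path)
    return edges, names


def injection_targets(events):
    """PIDs written to that are neither a dropped payload nor the loader, in first-seen order.

    A write into a freshly dropped child is the sample staging its own process;
    a write into anything else is injection into a process the sample did not drop.
    """
    out = []
    for e in events:
        base = e.dst_path.rsplit("\\", 1)[-1].lower()
        if e.dst_path.startswith(DROP_DIR) or base in LOADERS:
            continue
        if e.dst not in out:
            out.append(e.dst)
    return out


def chain(events, root, target):
    """Shortest src -> dst pid path from root to target, or None if unreachable.

    Breadth-first with a visited map: the graph is cyclic (2800 writes back into 2644).
    """
    adj = {}
    for e in events:
        adj.setdefault(e.src, set()).add(e.dst)
    prev = {root: None}
    queue = deque([root])
    while queue:
        pid = queue.popleft()
        if pid == target:
            path = []
            while pid is not None:
                path.append(pid)
                pid = prev[pid]
            return path[::-1]
        for nxt in sorted(adj.get(pid, ())):
            if nxt not in prev:
                prev[nxt] = pid
                queue.append(nxt)
    return None


def to_dot(events):
    """Graphviz DOT rendering of the write graph; edge labels carry the repeat counts."""
    edges, names = build_graph(events)
    lines = ["digraph wpm {"]
    for pid, path in sorted(names.items()):
        base = path.rsplit("\\", 1)[-1]
        lines.append(f'  {pid} [label="{pid}\\n{base}"];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  {src} -> {dst} [label="x{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    edges, names = build_graph(evs)
    for pid in injection_targets(evs):
        print(f"injected into {pid} ({names[pid]}) via {' -> '.join(map(str, chain(evs, 2644, pid)))}")
    print(to_dot(evs))
```

Pipe the DOT output into `dot -Tpng` to get a picture of the chain; the repeat count on the 2644 → 2144 and 2144 → 2800 edges is what separates a normal parent writing into a suspended child from the single writes the sample makes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe.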

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A
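Taken together, the Modifies firewall policy service, UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled and System policy modification tables above are the same handful of registry writes reported under several signature names. The script below is an added example, not part of this report or the sandbox that produced it: it parses rows in the format shown above, deduplicates them per writing process, and rates each value against the setting a healthy host carries. The row regexes, the SECURE_VALUES table and its ATT&CK mapping are the editor's assumptions; the sample rows are copied from the behavioral1 tables.

```python
"""Triage sandbox 'Set value' / 'Key created' registry rows for defence tampering.

Added example, not the sandbox's own code. SAMPLE_ROWS are copied from this
report's behavioral1 signature tables; the regexes and SECURE_VALUES (expected
healthy value plus the editor's ATT&CK mapping) are assumptions.
"""
import re
from collections import defaultdict

# Constructed from the report's tables (a subset; the sets below absorb repeats).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f770290.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f770500.exe N/A',
]

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_CREATED_RE = re.compile(
    r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+) (?P<target>\S+)$')

# Editor's assumption: value a healthy host carries, and the ATT&CK technique a
# deviation maps to. Names not listed are reported as unrated, never dropped.
SECURE_VALUES = {
    "EnableLUA":              ("1", "T1548.002"),  # UAC enforced
    "EnableFirewall":         ("1", "T1562.004"),  # Windows Firewall on
    "DisableNotifications":   ("0", "T1562.004"),
    "AntiVirusOverride":      ("0", "T1562.001"),
    "FirewallOverride":       ("0", "T1562.001"),
    "AntiVirusDisableNotify": ("0", "T1562.001"),
    "FirewallDisableNotify":  ("0", "T1562.001"),
    "UpdatesDisableNotify":   ("0", "T1562.001"),
    "UacDisableNotify":       ("0", "T1562.001"),
}


def parse_row(row):
    """Return a dict for one signature row, or None if the shape is unknown."""
    m = SET_VALUE_RE.match(row)
    if m:
        ev = m.groupdict()
        ev["kind"] = "set"
        return ev
    m = KEY_CREATED_RE.match(row)
    if m:
        ev = m.groupdict()
        ev["kind"] = "create"
        ev["value"] = None
        return ev
    return None


def triage(rows):
    """Group tampering by writing process.

    Returns (findings, unrated, keys_created):
      findings     {process: sorted [(value_name, observed, expected, technique)]}
      unrated      {process: sorted [value_name]} for names SECURE_VALUES does not cover
      keys_created {process: sorted [key_path]}
    Sets absorb the rows the report repeats under several signature names.
    """
    findings, unrated, keys_created = defaultdict(set), defaultdict(set), defaultdict(set)
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        if ev["kind"] == "create":
            keys_created[ev["proc"]].add(ev["path"])
            continue
        name = ev["path"].rsplit("\\", 1)[-1]
        rated = SECURE_VALUES.get(name)
        if rated is None:
            unrated[ev["proc"]].add(name)
        elif ev["value"] != rated[0]:
            findings[ev["proc"]].add((name, ev["value"], rated[0], rated[1]))
    as_lists = lambda d: {p: sorted(v) for p, v in d.items()}
    return as_lists(findings), as_lists(unrated), as_lists(keys_created)


if __name__ == "__main__":
    findings, unrated, keys = triage(SAMPLE_ROWS)
    for proc, items in findings.items():
        print(proc)
        for name, seen, want, tech in items:
            print(f"  {name}: observed {seen}, expected {want}  [{tech}]")
    for proc, names in unrated.items():
        print(f"{proc}: unrated {', '.join(names)}")
    for proc, paths in keys.items():
        print(f"{proc}: created {', '.join(paths)}")
```

Names the table does not rate are listed separately rather than silently dropped, so an unfamiliar value name cannot vanish from the triage output; here that is DoNotAllowExceptions, whose observed value 0 is the Windows default and therefore not a finding on its own.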

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbcc142fa4a7e960109f9643e56edcb989ad47063539aa6c20348a05355dc827N.dll,#1

C:\Users\Admin\AppData\Local\Temp\f770290.exe

C:\Users\Admin\AppData\Local\Temp\f770290.exe

C:\Users\Admin\AppData\Local\Temp\f770500.exe

C:\Users\Admin\AppData\Local\Temp\f770500.exe

C:\Users\Admin\AppData\Local\Temp\f771ddd.exe

C:\Users\Admin\AppData\Local\Temp\f771ddd.exe

Network

N/A

Files

memory/2144-0-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2144-3-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2144-2-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f770290.exe

MD5 3f4855e34ca66d4a8d94da47ea4b3cbc
SHA1 0ff399f134c2bd145b036be821422c2103d5edb0
SHA256 57aaf3e40638ea3b12e7c2b5626d777125d2a484ddefec767271132195842fb0
SHA512 42e89070a4dcdaae7368b3543a3bf5a7750872ac3405f66478def13d3a33db9799fee767c312fa1e13190ee9caee8db194e551631900bb868e04f6d6244a7be3

memory/2800-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2144-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2144-7-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2144-1-0x0000000010000000-0x0000000010020000-memory.dmp

memory/2800-15-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-17-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-22-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/1104-24-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2144-33-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2144-53-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2144-56-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2144-55-0x00000000001C0000-0x00000000001D2000-memory.dmp

memory/2800-43-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2628-57-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2144-34-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2800-42-0x0000000001600000-0x0000000001601000-memory.dmp

memory/2800-23-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-21-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-44-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-58-0x00000000015F0000-0x00000000015F2000-memory.dmp

memory/2800-20-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-19-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2144-45-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2800-18-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-64-0x00000000015F0000-0x00000000015F2000-memory.dmp

memory/2800-66-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-65-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-67-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-68-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-69-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-71-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2144-76-0x00000000001A0000-0x00000000001A2000-memory.dmp

memory/2800-84-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-85-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-87-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-90-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2128-107-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2128-108-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2128-106-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2628-104-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2628-103-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2628-100-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2628-132-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2800-156-0x0000000000520000-0x00000000015DA000-memory.dmp

memory/2800-155-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 a0a1ad5c2ee08f1599cd63ce149f3bf7
SHA1 cd674e586b411bbc94bf2577944631e8d09c8cd7
SHA256 d2d3c6d7b21f83091f34d6cd2806cf8f0c55c1d5043102ce756577179517fd7d
SHA512 9b0f95402da0eee0a950594b3295d3e31288558c4352cbc526cb59b0e4acd70a58db467b5a6451567a78258c271fc3033aa0c47164f5c47c0b9fdf117cbd5f4c

memory/2628-175-0x0000000000910000-0x00000000019CA000-memory.dmp

memory/2628-179-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2128-183-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2628-184-0x0000000000910000-0x00000000019CA000-memory.dmp
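The memory dump names above encode the process, a snapshot sequence number and the address range. The 0x520000–0x15DA000 range in PID 2800 (f770290.exe) recurs under sequence numbers 15 through 156, and PID 2628 (f770500.exe) carries a range of exactly the same size at 0x910000–0x19CA000, while every dropped executable also shows the small 0x400000–0x412000 image range. The script below is an added example, not part of this report or its sandbox: it parses these names, groups ranges per process with their snapshot numbers, and picks out large ranges that were captured more than once, which is the editor's heuristic for where to carve first when looking for an unpacked image. The name regex, the size threshold and the pid-to-image map are assumptions; the sample names are a subset of the Files list above.

```python
"""Group sandbox memory dump names per process and rank the regions worth carving.

Added example, not the sandbox's own code. SAMPLE_DUMPS are copied from this
report's behavioral1 Files list; the regex, the 1 MiB threshold and the
IMAGES map (taken from the Processes section) are the editor's assumptions.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subset of the report's Files list.
SAMPLE_DUMPS = [
    "memory/2144-0-0x0000000010000000-0x0000000010020000-memory.dmp",
    "memory/2144-7-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2800-14-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2800-15-0x0000000000520000-0x00000000015DA000-memory.dmp",
    "memory/2800-17-0x0000000000520000-0x00000000015DA000-memory.dmp",
    "memory/2800-22-0x0000000000520000-0x00000000015DA000-memory.dmp",
    "memory/2800-42-0x0000000001600000-0x0000000001601000-memory.dmp",
    "memory/2628-57-0x0000000000400000-0x0000000000412000-memory.dmp",
    "memory/2628-175-0x0000000000910000-0x00000000019CA000-memory.dmp",
    "memory/2628-184-0x0000000000910000-0x00000000019CA000-memory.dmp",
    "memory/2128-183-0x0000000000400000-0x0000000000412000-memory.dmp",
]

# pid -> image, from the Processes and WriteProcessMemory sections of this report.
IMAGES = {
    2144: "rundll32.exe (SysWOW64)",
    2800: "f770290.exe",
    2628: "f770500.exe",
    2128: "f771ddd.exe",
}


def parse_dump_name(name):
    """(pid, seq, start, end) for a dump file name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def summarize(names):
    """pid -> regions sorted largest first; each region lists the snapshot numbers it was dumped under."""
    regions = defaultdict(dict)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, seq, start, end = parsed
        region = regions[pid].setdefault(
            (start, end), {"start": start, "end": end, "size": end - start, "snapshots": []})
        region["snapshots"].append(seq)
    return {pid: sorted(by_range.values(), key=lambda r: (-r["size"], r["start"]))
            for pid, by_range in regions.items()}


def pick_candidates(names, min_size=1 << 20):
    """Regions of at least min_size that were dumped more than once, as (pid, start, end, size, count).

    A large region the sandbox kept re-capturing is the first thing to carve for an
    unpacked image; the single 0x400000 image dumps are the on-disk PE and carry nothing new.
    """
    out = []
    for pid, regs in summarize(names).items():
        for r in regs:
            if r["size"] >= min_size and len(r["snapshots"]) > 1:
                out.append((pid, r["start"], r["end"], r["size"], len(r["snapshots"])))
    return sorted(out)


if __name__ == "__main__":
    for pid, regs in sorted(summarize(SAMPLE_DUMPS).items()):
        print(f"PID {pid} ({IMAGES.get(pid, '?')})")
        for r in regs:
            print(f"  0x{r['start']:08X}-0x{r['end']:08X}  {r['size']:>10,d} bytes  dumped {len(r['snapshots'])}x")
    for pid, start, end, size, n in pick_candidates(SAMPLE_DUMPS):
        print(f"candidate: PID {pid} 0x{start:X}-0x{end:X} ({size >> 20} MiB, {n} snapshots)")
```

Against the full Files list the same two 0x10BA000-byte regions come out on top for f770290.exe and f770500.exe; the 0x1000 and 0x2000 byte ranges in the other processes are too small to hold an image and drop out under the threshold.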