Analysis Overview
SHA256
327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbf
Threat Level: Known bad
The file 327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN was found to be: Known bad.
Malicious Activity Summary
Sality family
Windows security bypass
Sality
Modifies firewall policy service
UAC bypass
Drops file in Drivers directory
Windows security modification
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Runs net.exe
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 07:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 07:32
Reported
2024-11-07 07:34
Platform
win7-20240903-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe
"C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe"
Network
Files
memory/2492-0-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2492-1-0x0000000000400000-0x0000000000451000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 07:32
Reported
2024-11-07 07:34
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Sality
Sality family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\e577455 | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| File created | C:\Windows\uninstall\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe
"C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe"
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2584-0-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2584-1-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-7-0x0000000001C40000-0x0000000001C42000-memory.dmp
memory/2584-5-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-11-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-10-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-12-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-22-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-23-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-21-0x0000000001C30000-0x0000000001C35000-memory.dmp
memory/2584-20-0x0000000001C40000-0x0000000001C42000-memory.dmp
memory/2584-19-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-6-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-9-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-13-0x0000000001C40000-0x0000000001C42000-memory.dmp
memory/2584-4-0x0000000000870000-0x000000000192A000-memory.dmp
memory/2584-8-0x0000000001C90000-0x0000000001C91000-memory.dmp
memory/2584-42-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2584-33-0x0000000000870000-0x000000000192A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\327460355af18a75d2d946f1db37e7f6453da512d825a7fd0a1f15b9d65f2dbfN.exe.exe
| MD5 | 531e001b83f09f53dda0b5990300c5a4 |
| SHA1 | 7e15b43cc3d587485178499f87c49f5ae58f8bf0 |
| SHA256 | 58491307311b5997a352d302f390b86456c32a5df8c907fb65ac44eff93aab80 |
| SHA512 | 21062e16bcddb68a3667afb80979d54983972ac3a638e7aa3af3a42f33ba87abe9752eeb4e16fa30a4672272f2b3899efd56bd24a227d5bb5621706dbae7828c |
C:\Users\Admin\AppData\Local\Temp\$$a7918.bat
| MD5 | ac5a9805be5f8e31cb9084cb64673ccf |
| SHA1 | cea4a1436cc071deed41ca7960873b6b0da50a17 |
| SHA256 | 0efedcc27a21baceabd3029f1649f49587a03f65b0774ef9d1685ed2110cc2d1 |
| SHA512 | 3de8067653007641e0446150e8a880160657973d2b1f4f8a0d8f56796db62ba6a8048f72258fd1e81aa635efad9737baaaaba6ea01a158db5319814db72d7069 |