sality | fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85a

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Size

137KB
MD5

b5188b98b7fc66b469e562953a69cd00
SHA1

4a8ad0a8daa964473424b3f0efdb078df17027fd
SHA256

fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85a
SHA512

ae1dc8d867361811d8b5bf0bd016560fc465bc5c37dc6a6903d87f0c608205e2c2881c8515037bd3b68c31ca0529d5830882146c4d563ad54a53ec53fb0a4b91
SSDEEP

3072:GLk39ahYXJYRZGpk3DX3GqmSDOfXJnUHVXjo/BIw3gBX5P/wD:GQTioa3GuDOf9URjo/n3gt5P/S

Score

10^/10

sality backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Deletes itself 1 IoCs

pid	Process
5076	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
5076	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
5076	Au_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4264-4-0x0000000002370000-0x00000000033A0000-memory.dmp	upx
behavioral2/memory/4264-5-0x0000000002370000-0x00000000033A0000-memory.dmp	upx
behavioral2/memory/4264-1-0x0000000002370000-0x00000000033A0000-memory.dmp	upx
behavioral2/memory/4264-28-0x0000000002370000-0x00000000033A0000-memory.dmp	upx
behavioral2/memory/5076-47-0x00000000069E0000-0x0000000007A10000-memory.dmp	upx
behavioral2/memory/5076-46-0x00000000069E0000-0x0000000007A10000-memory.dmp	upx
behavioral2/memory/5076-57-0x00000000069E0000-0x0000000007A10000-memory.dmp	upx
behavioral2/memory/5076-59-0x00000000069E0000-0x0000000007A10000-memory.dmp	upx
behavioral2/memory/5076-67-0x00000000069E0000-0x0000000007A10000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023b64-21.dat	nsis_installer_1
behavioral2/files/0x000a000000023b64-21.dat	nsis_installer_2
behavioral2/files/0x000a000000023b66-36.dat	nsis_installer_1
behavioral2/files/0x000a000000023b66-36.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
5076	Au_.exe
5076	Au_.exe
5076	Au_.exe
5076	Au_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Token: SeDebugPrivilege	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 764	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	8
PID 4264 wrote to memory of 768	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	9
PID 4264 wrote to memory of 336	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	13
PID 4264 wrote to memory of 2984	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	49
PID 4264 wrote to memory of 3052	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	51
PID 4264 wrote to memory of 2512	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	53
PID 4264 wrote to memory of 3468	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	56
PID 4264 wrote to memory of 3588	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	57
PID 4264 wrote to memory of 3776	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	58
PID 4264 wrote to memory of 3872	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	59
PID 4264 wrote to memory of 3940	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	60
PID 4264 wrote to memory of 4028	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	61
PID 4264 wrote to memory of 4128	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	62
PID 4264 wrote to memory of 4484	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	74
PID 4264 wrote to memory of 844	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	76
PID 4264 wrote to memory of 5076	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	82
PID 4264 wrote to memory of 5076	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	82
PID 4264 wrote to memory of 5076	4264	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe	82
PID 5076 wrote to memory of 764	5076	Au_.exe	8
PID 5076 wrote to memory of 768	5076	Au_.exe	9
PID 5076 wrote to memory of 336	5076	Au_.exe	13
PID 5076 wrote to memory of 2984	5076	Au_.exe	49
PID 5076 wrote to memory of 3052	5076	Au_.exe	51
PID 5076 wrote to memory of 2512	5076	Au_.exe	53
PID 5076 wrote to memory of 3468	5076	Au_.exe	56
PID 5076 wrote to memory of 3588	5076	Au_.exe	57
PID 5076 wrote to memory of 3776	5076	Au_.exe	58
PID 5076 wrote to memory of 3872	5076	Au_.exe	59
PID 5076 wrote to memory of 3940	5076	Au_.exe	60
PID 5076 wrote to memory of 4028	5076	Au_.exe	61
PID 5076 wrote to memory of 4128	5076	Au_.exe	62
PID 5076 wrote to memory of 4484	5076	Au_.exe	74
PID 5076 wrote to memory of 844	5076	Au_.exe	76

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3052

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2512

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Users\Admin\AppData\Local\Temp\fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe
  "C:\Users\Admin\AppData\Local\Temp\fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85aN.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - UAC bypass
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4128

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4484

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E576DBE_Rar\Au_.exe

Filesize
61KB

MD5
30d13baa7897797258bf2ba014d73af4

SHA1
241d78653f29e2658d200f6fe93db92e5668ea7b

SHA256
34011431303dd36eb624d4fb1385a47b48d9ec389ef61f97c61115be1e9f1a64

SHA512
c179782a031339259a7198168a84a7c68b72bcef6adfc5cb0c5dccf3afca9c34f74e05e910d5f95f902ed3976bc829d78082a82c2c02c2d62c44b1bef9725054

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6E2C.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
137KB

MD5
b5188b98b7fc66b469e562953a69cd00

SHA1
4a8ad0a8daa964473424b3f0efdb078df17027fd

SHA256
fbd002456b49aa1c9609ad4b515c54b3663ed95cc7663b47ef8bcd9a03f7e85a

SHA512
ae1dc8d867361811d8b5bf0bd016560fc465bc5c37dc6a6903d87f0c608205e2c2881c8515037bd3b68c31ca0529d5830882146c4d563ad54a53ec53fb0a4b91

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
5d2f00ed7af971ed38f43452676a1312

SHA1
751837ba1caba3c24fa45e0dd486a1045f9b84ff

SHA256
083b8f7236473e2bf38944c2e7b4203e9ac892db2bde4a98c1af8472eb462b14

SHA512
67a4b3faeda0a70849282b68cf251fd286f81b46b99a0681de18cf5ad3e37d14d946afebad8dd1fef71f4004eb709a964bddf83b6d682b4dbd6018b1046f6876

Download Submit
memory/4264-14-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4264-5-0x0000000002370000-0x00000000033A0000-memory.dmp

Filesize
16.2MB

Download
memory/4264-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4264-9-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4264-10-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4264-28-0x0000000002370000-0x00000000033A0000-memory.dmp

Filesize
16.2MB

Download
memory/4264-34-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4264-24-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4264-1-0x0000000002370000-0x00000000033A0000-memory.dmp

Filesize
16.2MB

Download
memory/4264-11-0x00000000021B0000-0x00000000021B2000-memory.dmp

Filesize
8KB

Download
memory/4264-4-0x0000000002370000-0x00000000033A0000-memory.dmp

Filesize
16.2MB

Download
memory/5076-46-0x00000000069E0000-0x0000000007A10000-memory.dmp

Filesize
16.2MB

Download
memory/5076-55-0x0000000008190000-0x0000000008192000-memory.dmp

Filesize
8KB

Download
memory/5076-58-0x0000000008190000-0x0000000008192000-memory.dmp

Filesize
8KB

Download
memory/5076-57-0x00000000069E0000-0x0000000007A10000-memory.dmp

Filesize
16.2MB

Download
memory/5076-54-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/5076-47-0x00000000069E0000-0x0000000007A10000-memory.dmp

Filesize
16.2MB

Download
memory/5076-59-0x00000000069E0000-0x0000000007A10000-memory.dmp

Filesize
16.2MB

Download
memory/5076-67-0x00000000069E0000-0x0000000007A10000-memory.dmp

Filesize
16.2MB

Download
memory/5076-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download