Analysis
-
max time kernel
85s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-06-2022 15:19
General
-
Target
30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
-
Size
124KB
-
MD5
4aaf75b56c518b82039bef2396941bdc
-
SHA1
fd53de3ac5b4cf593de2e9edad450efb145f20ac
-
SHA256
30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d
-
SHA512
3f708f09192d3279d0ca13fd7b4b1f70061bbf6973291f2b11d33c01621c38937c92b0b2f4834438db370be1d3d9e98e48feff76cab5e26af7460b7edac73fdb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 20 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies data under HKEY_USERS 27 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe"C:\Users\Admin\AppData\Local\Temp\30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe"2⤵
- Windows security bypass
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\SysWOW64\rwnlws.exeC:\Windows\SysWOW64\rwnlws.exe1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\gei33.dllFilesize
134KB
MD50126196eb29bba67faa5f3e2fbff6cf7
SHA1e6ccbfd4e2fab4a80855c641844ea45145278146
SHA2568bc50d8964d5ac502128a8e800162d96e1a7f76a6594d4672478d24a8fedfb89
SHA512c4e25c82948c6719458a8b239063e34f5e5843a05ff654a27f345194ed16d821e97d5df0ba2200db51261edb3c70d860588af5ebb23d626fb581603c19af01bd
-
C:\Windows\SysWOW64\rwnlws.exeFilesize
124KB
MD54aaf75b56c518b82039bef2396941bdc
SHA1fd53de3ac5b4cf593de2e9edad450efb145f20ac
SHA25630509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d
SHA5123f708f09192d3279d0ca13fd7b4b1f70061bbf6973291f2b11d33c01621c38937c92b0b2f4834438db370be1d3d9e98e48feff76cab5e26af7460b7edac73fdb
-
C:\Windows\SysWOW64\rwnlws.exeFilesize
124KB
MD54aaf75b56c518b82039bef2396941bdc
SHA1fd53de3ac5b4cf593de2e9edad450efb145f20ac
SHA25630509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d
SHA5123f708f09192d3279d0ca13fd7b4b1f70061bbf6973291f2b11d33c01621c38937c92b0b2f4834438db370be1d3d9e98e48feff76cab5e26af7460b7edac73fdb
-
memory/2232-134-0x0000000000EF0000-0x0000000001F7E000-memory.dmpFilesize
16.6MB
-
memory/2232-136-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/2232-139-0x0000000000EF0000-0x0000000001F7E000-memory.dmpFilesize
16.6MB
-
memory/2232-141-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4740-130-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4740-131-0x0000000002260000-0x00000000032EE000-memory.dmpFilesize
16.6MB
-
memory/4740-135-0x0000000002260000-0x00000000032EE000-memory.dmpFilesize
16.6MB
-
memory/4740-138-0x0000000000400000-0x0000000000423000-memory.dmpFilesize
140KB
-
memory/4740-140-0x0000000002260000-0x00000000032EE000-memory.dmpFilesize
16.6MB