Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
01-08-2022 14:43
General
-
Target
5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
-
Size
567KB
-
MD5
742fa4d87468c0627133ec45629c692d
-
SHA1
d9bb92a9b3a050394f8008d76e94eb8cffb82787
-
SHA256
5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
-
SHA512
70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"3⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\svhost.exe.lnk" /f4⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
1.6MB
MD51c9ff7df71493896054a91bee0322ebf
SHA138f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
1.6MB
MD51c9ff7df71493896054a91bee0322ebf
SHA138f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
-
C:\Users\Admin\AppData\Roaming\Windows\svhost.exeFilesize
567KB
MD5742fa4d87468c0627133ec45629c692d
SHA1d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA2565c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA51270218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4
-
memory/2572-132-0x0000000000000000-mapping.dmp
-
memory/3696-140-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3696-135-0x0000000000000000-mapping.dmp
-
memory/3696-136-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3696-142-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3696-141-0x0000000003610000-0x000000000469E000-memory.dmpFilesize
16.6MB
-
memory/3696-145-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3696-146-0x0000000003610000-0x000000000469E000-memory.dmpFilesize
16.6MB
-
memory/4700-133-0x0000000000000000-mapping.dmp
-
memory/4956-131-0x00000000752E0000-0x0000000075891000-memory.dmpFilesize
5.7MB
-
memory/4956-130-0x00000000752E0000-0x0000000075891000-memory.dmpFilesize
5.7MB
-
memory/4956-147-0x00000000752E0000-0x0000000075891000-memory.dmpFilesize
5.7MB