Analysis
-
max time kernel
160s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 21:14
General
-
Target
954505447f1621e49c762a63e3e1ebfe94cc95a54ab236dcfa8ea516934e31ab.exe
-
Size
1.0MB
-
MD5
df2d170f275cf20637bd8fa5c4530718
-
SHA1
6b565cf423dcff905bdb96ea270fb64bf8e875ef
-
SHA256
954505447f1621e49c762a63e3e1ebfe94cc95a54ab236dcfa8ea516934e31ab
-
SHA512
9b716b6098ce21919d6743aa81e8acc8e62b1d90c2495ada2a5e4d1dd4b617052427b101e89e2a2a129dcfccc56db6bf0bbee78b7ed2f1da40a68fe0946990f0
-
SSDEEP
24576:OYo115g/HdWvWnxFnRzKisy9iJFu6mZuKxB7P/3F:03g/Hd2WnxFTsy9w1mZuKxZ3F
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\954505447f1621e49c762a63e3e1ebfe94cc95a54ab236dcfa8ea516934e31ab.exe"C:\Users\Admin\AppData\Local\Temp\954505447f1621e49c762a63e3e1ebfe94cc95a54ab236dcfa8ea516934e31ab.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2264-132-0x0000000000AD0000-0x0000000001B5E000-memory.dmpFilesize
16.6MB
-
memory/2264-133-0x0000000000400000-0x0000000000640000-memory.dmpFilesize
2.2MB
-
memory/2264-134-0x0000000000400000-0x0000000000640000-memory.dmpFilesize
2.2MB
-
memory/2264-135-0x0000000000400000-0x0000000000640000-memory.dmpFilesize
2.2MB
-
memory/2264-136-0x0000000008EB0000-0x0000000009454000-memory.dmpFilesize
5.6MB
-
memory/2264-137-0x0000000077E40000-0x0000000077FE3000-memory.dmpFilesize
1.6MB
-
memory/2264-138-0x0000000008DD0000-0x0000000008E62000-memory.dmpFilesize
584KB
-
memory/2264-139-0x0000000009670000-0x000000000967A000-memory.dmpFilesize
40KB
-
memory/2264-140-0x0000000000400000-0x0000000000640000-memory.dmpFilesize
2.2MB
-
memory/2264-141-0x0000000000AD0000-0x0000000001B5E000-memory.dmpFilesize
16.6MB
-
memory/2264-142-0x0000000077E40000-0x0000000077FE3000-memory.dmpFilesize
1.6MB