Analysis
-
max time kernel
122s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 04:28
General
-
Target
e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd.exe
-
Size
162KB
-
MD5
68d5c13d4255d338325546b94abd4965
-
SHA1
cc96d2fb4ff18a14a95bed50b61be9c6a64c007f
-
SHA256
e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd
-
SHA512
f3723170faa4802a818e1ad51bdb3e2d418bc56b7b73b34e5f1178fb11f49e8df7073900c6b26eb542884bbdb5f5d409298c8fdc6d11ab9875bdc76a4773300f
-
SSDEEP
3072:ewehu9aakInFGILeYpoj8qMnaz32GCTEEBrm:eVhuUI8k2jGvoEBS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 41 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd.exe"C:\Users\Admin\AppData\Local\Temp\e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\xawn.exeFilesize
97KB
MD518c13c34414157f06fdf2498dc466ab7
SHA1b56a72efc4096576def4902a5bcb5e51e5f8452f
SHA256fc12650d65efde83d7a60c678f8210dd6a2f2e16c19952386251246d4acfcc77
SHA512947ae0ea928090ef5c83d3ed69376848050fb91265897fcfcb79290ddedbd26d4230e0fb15187ff1344995845e4cbe16a34cf91ec2193e926ff28c0c29b0d690
-
F:\$RECYCLE.BIN.exeFilesize
162KB
MD568d5c13d4255d338325546b94abd4965
SHA1cc96d2fb4ff18a14a95bed50b61be9c6a64c007f
SHA256e8f3acf0323e4a90ac99f6b94830c6e1c48bb40cd4555a05c75e1167fceedadd
SHA512f3723170faa4802a818e1ad51bdb3e2d418bc56b7b73b34e5f1178fb11f49e8df7073900c6b26eb542884bbdb5f5d409298c8fdc6d11ab9875bdc76a4773300f
-
memory/208-36-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-83-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-6-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-5-0x00000000042A0000-0x00000000042A2000-memory.dmpFilesize
8KB
-
memory/208-9-0x00000000042A0000-0x00000000042A2000-memory.dmpFilesize
8KB
-
memory/208-7-0x00000000038A0000-0x00000000038A1000-memory.dmpFilesize
4KB
-
memory/208-10-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-16-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-19-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-20-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-21-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-22-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-23-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-24-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-25-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-26-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-0-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/208-29-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-30-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-3-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-31-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-35-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-44-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-4-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-27-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-46-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-49-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-51-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-53-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-55-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-57-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-59-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-61-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-63-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-64-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-70-0x00000000042A0000-0x00000000042A2000-memory.dmpFilesize
8KB
-
memory/208-71-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-72-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-73-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-74-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-75-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-77-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-79-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-81-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-39-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB
-
memory/208-1-0x00000000021B0000-0x000000000326A000-memory.dmpFilesize
16.7MB