Analysis
-
max time kernel
26s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
-
submitted
30-03-2024 00:53
General
-
Target
bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe
-
Size
292KB
-
MD5
71849dbf584ce55ae3c22785deab0140
-
SHA1
0c1625163f6c21b0557c579d1d89c31d697aa7f7
-
SHA256
bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568
-
SHA512
d976e515c7d1c8494715504b16c5680990a3366f90dd3254c03a694a9ae57a3ee381437c8f122163f00a94ca30c2458f707416d820195ee43ba80c2e7184f019
-
SSDEEP
6144:0vEF2U+T6i5LirrllHy4HUcMQY6NdgykIduVr/GASXET7:mEFN+T5xYrllrU7QY6NLkIo6A97
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 38 IoCs
-
UPX dump on OEP (original entry point) 44 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe"C:\Users\Admin\AppData\Local\Temp\bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 00:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 00:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 00:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7fffd2535fd8,0x7fffd2535fe4,0x7fffd2535ff02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1996 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2040 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2564 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5352 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5564 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2000,i,9877262470271371196,11878025205711850266,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeFilesize
3.9MB
MD55ac5ddc4c27ecc203b2ed62bbe8fb8b9
SHA1a3c06b947549921d60d59917575df5ee5dfc472a
SHA256431c7c80c02e8e328d3056ddd6a7c59a254b8cc084d35380342a5df33a4f2f9a
SHA5129834cdcc648b438fb3e3d7df333bbe1c344aef2059ba5cfe92fb37d246bbbaa8b3cef3f0c95e15e2b876971a180f6275eb6170ebf9db991cbc4e874e91436c62
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
292KB
MD554533416447e662c6b4238133b055f70
SHA121a32bde7a4f6e91a8d43489ff8c3783f984567a
SHA256140e32765e946634972b72160ee0c07df8775ea5776412e4925cbdca4f87b7e1
SHA5127607e489afe3b10e578813506de5591fdeebdb118b99a56deb093232774526e0a7d17a9a840498d3c52e6762f2b498a719ad4e64461d49fcf2c3ee5bb2d2cf2f
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d66b782e20f1990a2fd7bfad29d3dd89
SHA151a85243e3a377e351fb92adfea1844cb805fd4a
SHA256d98369b04f4c6e8a479902e72ee875e0fdacc401195164a9e6926de7ea35e0da
SHA512732af3d78c244ec2dade9889cfe3e00f30e14a98ec7732b84e9190572f716e43efd86d9518ff6c8443851a2a205433a2f92f1ed826a33d436dd28e3342bade38
-
C:\Windows\System\svchost.exeFilesize
292KB
MD53e9b75ba71c1936a9e7c9fbd5d13510e
SHA17c25cf4ee8de0feaa04cf912e859d697b64684c0
SHA256372819e4a469f918ec935f78e754136ee1cd7c93e26cce08b7a34ed7dc42c109
SHA512d9ada7c97b1a2ecceb63496df03030e274a8e886bcbb3d3694fc880419e29390863ac2fe7a66ffc437dc22b990ddd23afaf2ba6817d4b76acebce57c85a9ed91
-
C:\vgqf.exeFilesize
100KB
MD524027b155228e753c6de5d0d5495b853
SHA144fe15b32b2b698254df9403621b9f092f8fbc63
SHA2567ac1a7122bbd7c81fa59e2aa368bdde0e670e770ea2cbeab93f2d54559138dc5
SHA512446ba1e3844ad59e3990cdc1221a6ca3e9dc6adf4769e798b06aff6a25d27fa083f7acd3dd326355c4951dabd7e4eb9f6ed54bb46953804c38cf4dc16f25bbac
-
\??\c:\windows\system\explorer.exeFilesize
292KB
MD5d069bf4b987aa488f704b00bd89248c3
SHA16a42cc935433e8e62db9a15a6e80472f5fad678f
SHA25657785888275cf5a58a854acf668218a28bffd1bde306224b9ced1c2bd8db1ea1
SHA512d7c88ecedacdd72f356f2d0468985e499987a448c7ed5cd31ed30ecb567a41442fcb1b276750acb3337d467e194e15c3c26e3576e4ebc48979089e490b10e528
-
\??\c:\windows\system\spoolsv.exeFilesize
292KB
MD5a4cdc333a5990c01e055985a521a6b59
SHA167861f2cfccc05364d40f80ee91126056f399ad2
SHA2566e9acd7817f1f1412d49c270434c3312d082d1b99f74ba646c374c3cbad1d5e2
SHA51246cd1f597dc0cb6420810eb0ca481b0ca0ebe17abad602f15b0ef184649363f9296677c428ef13cd8cc79e5c9fa30ecab32a8c1443b298c0755e679af263f943
-
memory/556-52-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/556-46-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2004-93-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-98-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-154-0x0000000001FF0000-0x0000000001FF2000-memory.dmpFilesize
8KB
-
memory/2004-145-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-111-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-110-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-108-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-106-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-103-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-101-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-18-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2004-100-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-97-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-96-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-94-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-92-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-91-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-90-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-89-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-72-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-88-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-74-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-77-0x0000000003280000-0x0000000003281000-memory.dmpFilesize
4KB
-
memory/2004-75-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-80-0x0000000001FF0000-0x0000000001FF2000-memory.dmpFilesize
8KB
-
memory/2004-87-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-86-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-79-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2004-85-0x0000000003510000-0x000000000459E000-memory.dmpFilesize
16.6MB
-
memory/2532-48-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-1-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-9-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/2532-12-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/2532-69-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-61-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-63-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/2532-0-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-50-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-8-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-21-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-7-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-15-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/2532-39-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-5-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-19-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-34-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2532-24-0x0000000002B80000-0x0000000003C0E000-memory.dmpFilesize
16.6MB
-
memory/2992-84-0x0000000002ED0000-0x0000000002ED2000-memory.dmpFilesize
8KB
-
memory/2992-41-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2992-82-0x0000000004010000-0x0000000004011000-memory.dmpFilesize
4KB
-
memory/2992-155-0x0000000002ED0000-0x0000000002ED2000-memory.dmpFilesize
8KB
-
memory/4888-30-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4888-55-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB