Analysis
-
max time kernel
122s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 18:48
General
-
Target
02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exe
-
Size
6.3MB
-
MD5
355a3017a67756b3a9005581b30e3302
-
SHA1
780cf51638602ec79f59fb0b10d380f6cff1950d
-
SHA256
02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b
-
SHA512
6f828e40554590491eacddb187e6ee8705d8531f129b20a426ccd33e8eaabdb7e5de1e2a93621c81d5bb9f571e7d1a41ce449c5e0b2d23d5cca533c847d82a69
-
SSDEEP
196608:zMRDnuBotjJh2emr8L/YIsG7MOgqHG64:zMRDOotj+eBLJ7XF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 37 IoCs
-
UPX dump on OEP (original entry point) 38 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exe"C:\Users\Admin\AppData\Local\Temp\02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exe"C:\Users\Admin\AppData\Local\Temp\02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exe" -burn.unelevated BurnPipe.{431EE3F8-C6DA-4076-BAA3-6EB181802B9A} {66BF3A30-32C1-43D4-B6C2-144969C3878D} 47843⤵
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E573C3E_Rar\02aff1735adff594358dabd253ad50da33bd1b48280aab04843d8cb5fca6f56b.exeFilesize
6.2MB
MD5b066c8ce0290895d40601cfd086081a0
SHA13f6d13eb8f836429d9201808dbf77f21394a225b
SHA256f9e55c77db6d61219a927ca5bc4c60fcf7bd5aac7d15f23f5593a9fb15e57196
SHA51231e976b88b135b6f016374b5097ece3bb94c02216d2ea3856ec2c7d4af0a2794be32a0dbf2aa5dc6434e4ab9d2a046da2f9d21fefa92ca3fbb02cc99af535a4b
-
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Users\Admin\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dllFilesize
117KB
MD5a52e5220efb60813b31a82d101a97dcb
SHA156e16e4df0944cb07e73a01301886644f062d79b
SHA256e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e
-
C:\ogiidu.pifFilesize
97KB
MD53415e5a79fbea9ccad7c71891e311ec8
SHA1fb54abd5ec0f1ced5780db00b0f4a655eaae8d17
SHA2561c9b5eb832c8fcc8363e8d88031bc5b996d4c7801f1753c22b5941de2969eee9
SHA51216412dc10277e321fe897748f564fe4bc16f9f405cb8998d93754b422d900cd6d1788e414cf0b994738f8ed5e313363c6eec15c4b7f4997fe361c3f804fedc3f
-
memory/2288-9-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
-
memory/2288-29-0x0000000002240000-0x0000000002241000-memory.dmpFilesize
4KB
-
memory/2288-35-0x0000000002230000-0x0000000002232000-memory.dmpFilesize
8KB
-
memory/2288-93-0x0000000002230000-0x0000000002232000-memory.dmpFilesize
8KB
-
memory/4784-56-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-65-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-23-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-24-0x0000000003560000-0x0000000003561000-memory.dmpFilesize
4KB
-
memory/4784-26-0x00000000034D0000-0x00000000034D2000-memory.dmpFilesize
8KB
-
memory/4784-28-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-22-0x00000000034D0000-0x00000000034D2000-memory.dmpFilesize
8KB
-
memory/4784-36-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-37-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-48-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-49-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-51-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-52-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-53-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-54-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-55-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-8-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-58-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-59-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-60-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-62-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-12-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-67-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-69-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-72-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-74-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-76-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-78-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-80-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-82-0x00000000034D0000-0x00000000034D2000-memory.dmpFilesize
8KB
-
memory/4784-83-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-85-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-87-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-89-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-91-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-1-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-94-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-101-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-103-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-105-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-107-0x0000000002380000-0x000000000343A000-memory.dmpFilesize
16.7MB
-
memory/4784-0-0x0000000000400000-0x0000000000474000-memory.dmpFilesize
464KB
