Analysis
-
max time kernel
132s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
23-04-2024 05:18
General
-
Target
eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe
-
Size
2.3MB
-
MD5
f904bc04d3860f4a5b2656668d1d89db
-
SHA1
bf723e0e11def54fdc70356007d021f83fe8211a
-
SHA256
eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970
-
SHA512
566908fdc5583b2f3bf6129a14b8734c073f7ddea505aa2db4ed5d352090da247e08bc75e9e40144acf4529c0cfbdf65436e8d0749f7dc3adfca5529291500a5
-
SSDEEP
49152:coN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKQl:cy2bz/5YvpI2eey98CRC4L0ZRbe
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs
-
UPX dump on OEP (original entry point) 39 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe"C:\Users\Admin\AppData\Local\Temp\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\ab8866286305f541a90c8f4b\install.exec:\ab8866286305f541a90c8f4b\.\install.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe83262e98,0x7ffe83262ea4,0x7ffe83262eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2896 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2916 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5284 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5480 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E5815F4_Rar\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exeFilesize
2.3MB
MD5a31dc1a74f1dee5caf63aec8ebb5fe20
SHA15580072a056fdd50cdf93d470239538636f8f3a9
SHA256baaaeddc17bcda8d20c0a82a9eb1247be06b509a820d65dda1342f4010bdb4a0
SHA512fc65d9c85503ff2a3444a6b57abe376ad78d8f476ebbc1d51e7f4bbbbc7e3a3ae1fdf4d00ef9198e4f9a356585fbdff1d932ffd95606a575dfc192fb26e40cf9
-
C:\ab8866286305f541a90c8f4b\eula.1031.txtFilesize
17KB
MD59147a93f43d8e58218ebcb15fda888c9
SHA18277c722ba478be8606d8429de3772b5de4e5f09
SHA256a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded
SHA512cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705
-
\??\c:\ab8866286305f541a90c8f4b\eula.1033.txtFilesize
9KB
MD599c22d4a31f4ead4351b71d6f4e5f6a1
SHA173207ebe59f6e1073c0d76c8835a312c367b6104
SHA25693a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41
SHA51247b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94
-
\??\c:\ab8866286305f541a90c8f4b\globdata.iniFilesize
1KB
MD50a6b586fabd072bd7382b5e24194eac7
SHA160e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA2567912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4
-
\??\c:\ab8866286305f541a90c8f4b\install.exeFilesize
835KB
MD5e015a2d8890e2a96a93ca818f834c45b
SHA130bda2b4464b1c41210cba367e444aed56502360
SHA256dc1ba9cb15d0808dc2d80ce13acfa0b07acdfcfe2cdf94da47e0e570e7345f6d
SHA51220a80b50486e938b92f3aef85e59307f644b69dc5d1edee38038182b57caf636f5f1909959f6fafcfc2e915010d2b3d230cba8300fbc0f63ee2ee3ad8ad64123
-
\??\c:\ab8866286305f541a90c8f4b\install.iniFilesize
843B
MD50da9ab4977f3e7ba8c65734df42fdab6
SHA1b4ed6eea276f1a7988112f3bde0bd89906237c3f
SHA256672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605
SHA5121ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144
-
\??\c:\ab8866286305f541a90c8f4b\install.res.1033.dllFilesize
88KB
MD543fb29e3a676d26fcbf0352207991523
SHA1c485159b01baa676167c414fd15f1026e3ae7c14
SHA2564107f4813bc41ed6a6586d1ba01a5c3703ed60c2df060cba6791f449f3689de7
SHA512ad748c63d912e194bb5be42f6db192b22f59f760e0536118dfa963fe29001e7fe635d035f31d86aa5e77a1d4f7ceabf27b03645d0037f147293af1e32eab57a4
-
\??\c:\ab8866286305f541a90c8f4b\vc_red.msiFilesize
236KB
MD5d53737cea320b066c099894ed1780705
SHA1d8dc8c2c761933502307a331660bd3fb7bd2c078
SHA256be6288737ea9691f29a17202eccbc0a2e3e1b1b4bacc090ceee2436970aec240
SHA5120af685e4ffb9f7f2e5b28982b9cf3da4ee00e26bd05e830d5316bce277dc91dfee3fe557719ab3406ad866d1ce72644e7a5400dcd561b93d367e12eb96078ffe
-
\??\c:\ab8866286305f541a90c8f4b\vcredist.bmpFilesize
5KB
MD506fba95313f26e300917c6cea4480890
SHA131beee44776f114078fc403e405eaa5936c4bc3b
SHA256594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA5127dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd
-
memory/1160-133-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/1160-78-0x0000000003010000-0x0000000003011000-memory.dmpFilesize
4KB
-
memory/1804-82-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-91-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-17-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-15-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-20-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-21-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-14-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-13-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-11-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-12-0x00000000006D0000-0x00000000006D2000-memory.dmpFilesize
8KB
-
memory/1804-7-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-10-0x00000000006D0000-0x00000000006D2000-memory.dmpFilesize
8KB
-
memory/1804-9-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/1804-8-0x00000000006D0000-0x00000000006D2000-memory.dmpFilesize
8KB
-
memory/1804-76-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-6-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-81-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-0-0x0000000001000000-0x0000000001268000-memory.dmpFilesize
2.4MB
-
memory/1804-84-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-85-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-86-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-88-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-89-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-16-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-93-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-96-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-98-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-100-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-102-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-104-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-106-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-107-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-108-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-110-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-116-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-117-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-119-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-121-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-123-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-125-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-127-0x00000000006D0000-0x00000000006D2000-memory.dmpFilesize
8KB
-
memory/1804-128-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-130-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-132-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1804-2-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
