Analysis
-
max time kernel
123s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 14:21
General
-
Target
cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1.exe
-
Size
2.1MB
-
MD5
7132789b3afd31bbd8a9ca9fd05b190c
-
SHA1
b536d55d4a1eef0f144b788eec426dc3aa3f942a
-
SHA256
cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1
-
SHA512
ae90cc1647ac0d064c6bea9f48d6cf2bee46df9c389ac39ca098bab6af0439648bfb807cd4576dea6f6bad007e1d824a4a0082676ec1168f98d55cd60ede92fc
-
SSDEEP
24576:tpzKTGA8fRfabohqemWaxxVWnU7CCGEqIGEdu11/gJH+6z4YfuHIpl:TKizfQO9axf6FCGE4TgJVz4K
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1.exe"C:\Users\Admin\AppData\Local\Temp\cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a499C.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Local\Temp\cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1.exe"C:\Users\Admin\AppData\Local\Temp\cda7dcba92b6479ecae68e92de6f900c38c61f4cda28e18c8210903a9eff50b1.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
828KB
MD5ceff10f7244ed9d3a163a78368f888e0
SHA1ff2065cdf913251319075dccf030e8abb4644b9c
SHA25652e7f9954a32ed18b1d349cfcef2c35c875ed76da055517d528f1dadb480ca8c
SHA512b2d6fea66bb29f0eb28e9e2b7947666a0607b1306f57eb8a21d7f6fb5d3a5c0b7979f3505db26aae1f6fae14f7bc83f4f114ca252d5fad9e91ca28cf29406246
-
Filesize
252KB
MD56735a16d04dfac1f92f7ab89c64b071f
SHA1502eaa755229fc80b186faf533cf827c322bab66
SHA2563a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8
-
Filesize
571KB
MD5bab747a805ee67f925718f2624d54a11
SHA13f6fa0fe958f3a43e38c66014443e0c261f46bcc
SHA25603078980fff7ce8873b7e46fd8b79c2a86bb0354fc65268eac2aeff6d981e73e
SHA51265edbfebdfdf27c496f596bac45f63cd4834dbfb171bd2683a15a3d207b489ee65a045a0b78729005b457f551f128f444fba45baa63c8fe8748f422f48431c14
-
Filesize
637KB
MD59cba1e86016b20490fff38fb45ff4963
SHA1378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA5122f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765
-
Filesize
722B
MD5248b01b647ed022d5294dd1430dd591c
SHA196fee09bc251c79c0ca6048746647c6efa7e8038
SHA256a5ff8a1c0709253faec83dbc4d78d5aa39150767c00086fe209028b167d88084
SHA512ddd7903c17ca16090a5ab55a96f2f0eeaf583f03b19de09b9dc68fe0e3c1b4efb82989db27957edf345b1ae3c8a255496f9e729fc499f8bfac424e734ec2f9d1
-
Filesize
2.1MB
MD5ee08915d35bd9ba7a52bbd08d1d2edc8
SHA1e423311d4b3591017de4661bbee3a243a3752f86
SHA256dc5fef25861b770992583104a067bbc1ff5b91788a9cde405b18c47e02563a39
SHA512fa56b74254a91d5b2ad82100a14d17ccc2902f1997a12b4ad47c98d72e69b7984bda12154ce488fbc38cb3c002ed4114743850042f0ac1da38f4da3e7d0c21f1
-
Filesize
27KB
MD52b90d375fad4e39663e1c00356e9206b
SHA15c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA5127c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f
-
Filesize
9B
MD5de299d58575b595bc358a5c5edd0767d
SHA10d30c906a5b5647289c7788d31dd3afd642350a4
SHA25632ef1af1131d89e96d59ac0d3f8e232e839355587a679a2df2479b5277a704e3
SHA512c8e20bb98c427a3a0eea8769df090d59353f0b484321e82b381cfca18b111bd1d782713f2f5bf815e5832a0e12ec909a0324fe9ba013c626327cabf27a464bbc
-
Filesize
97KB
MD5666710dcbce883fa868832ccb4c7711a
SHA1fc8f21be96cc7c43b2ab831a03bc13f136826f00
SHA2565074f1dbf8b5aae61990e33513907a3210eef3e88de1630c0c3d79f0a7fd2666
SHA512ee3d5d073590690ebcfbd34a5419c044a8d7e922d448ea5f648b789d6a256a5d2182b4f6fa42fa0ab0efe4073802ffd5a27baf41ed993d5e02e4cb23ae47e600
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
212KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
2.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
2.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
2.1MB
-
Filesize
16.7MB