Analysis
-
max time kernel
150s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
18-05-2024 08:45
General
-
Target
1408_cn_V8.3.0.0/1408_cn_8.3.0.0/DVR Player.exe
-
Size
652KB
-
MD5
ac92ddcd004d45551749cada041690da
-
SHA1
7dab7a193f5b37a39fa97fa9aaef948b1bd3eced
-
SHA256
c93ba430f498527e38cd144582eea82f535c1156c94ab8c42f113347cf94363e
-
SHA512
e94af2a0e2e222f5867dca52fde601b88db2dbfc57dbc5b9a4318b2d22886da694eebbd8219ea12cdd9f05d7098b0ee74125d774fbd51addeec2069e6723475a
-
SSDEEP
12288:yQHgAZ26oWvXP254EuWxkJWWWHLgW8WmWWWWUW3W2WWVXWWWWkWnWWWWWWWWWWWR:dHtZ26Dvf25GWxkJWWWHLgW8WmWWWWUP
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies registry class 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1408_cn_V8.3.0.0\1408_cn_8.3.0.0\DVR Player.exe"C:\Users\Admin\AppData\Local\Temp\1408_cn_V8.3.0.0\1408_cn_8.3.0.0\DVR Player.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x514 0x4f81⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1204-70-0x0000000000640000-0x0000000000657000-memory.dmpFilesize
92KB
-
memory/1204-71-0x0000000000640000-0x0000000000657000-memory.dmpFilesize
92KB
-
memory/1280-16-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-34-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-11-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1280-14-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1280-9-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/1280-8-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1280-10-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-15-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-0-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/1280-28-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-31-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-6-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-36-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-38-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-63-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-67-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-69-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1280-4-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-1-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-72-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB
-
memory/1280-76-0x00000000023F0000-0x0000000003423000-memory.dmpFilesize
16.2MB