Analysis
-
max time kernel
38s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
22-05-2024 23:39
General
-
Target
80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe
-
Size
132KB
-
MD5
6e61786732b6f48298ece472af802c25
-
SHA1
89a1e36c6e7451081cca20351c2aac9c4c2672f8
-
SHA256
80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe
-
SHA512
1aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220
-
SSDEEP
1536:DJf83W8W60IL26Ap8iJySzlme3pUy3TDq+NcawHbNBleOD6MlSoUljObrEF8EX4n:DJCD548iJHxfq+Ncaw3fuOUhPm+N
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 33 IoCs
-
UPX dump on OEP (original entry point) 35 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 10 IoCs
-
Drops file in Windows directory 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe"C:\Users\Admin\AppData\Local\Temp\80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system\Fun.exeC:\Windows\system\Fun.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SVIQ.EXEC:\Windows\SVIQ.EXE4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\dc.exeC:\Windows\dc.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\dc.exeC:\Windows\dc.exe4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\dc.exeC:\Windows\dc.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff89b692e98,0x7ff89b692ea4,0x7ff89b692eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2688 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2984 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2852 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5400 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SVIQ.EXEFilesize
132KB
MD56e61786732b6f48298ece472af802c25
SHA189a1e36c6e7451081cca20351c2aac9c4c2672f8
SHA25680376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe
SHA5121aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220
-
C:\Windows\SYSTEM.INIFilesize
257B
MD50c9202673561fef3f03986e0abaee548
SHA1f3a5f6e417cf6868f0b5918bf4a2c91137304ce8
SHA256d909966f02e0ec672673cfb9dfa0573ecb38d421e99309bb4bdbd3eb469d4ef0
SHA512d678bee0d4ba7429da797998157c0ce2e81480cfa74a935098d24348246bdcf41074f68bb5e5c9a92ff38c83e166e25307df9a7379f0c2b9ed764ed2bfe7c284
-
C:\Windows\wininit.iniFilesize
41B
MD5e839977c0d22c9aa497b0b1d90d8a372
SHA1b5048e501399138796b38f3d3666e1a88c397e83
SHA256478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2
SHA5124c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d
-
C:\hawnn.exeFilesize
100KB
MD536ca8063e0e97972176e03a4eb36814c
SHA1874dec81c24556d7663f656152ee3c0e0f1659d1
SHA256cb4aa33b632dc96567ea5104ce64bc06d1827e0fc1fa7e9d8a4b627dd4372abf
SHA5121b78dee35b4b83439d5d4339c5cb256963632ee043971221f12c3ffc60fcc3a8dd07c743c9463cab027767d46402971d57c41baa7d3e2a0f85417622759f21a3
-
memory/2512-137-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/2992-108-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2992-99-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3752-107-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3752-97-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4352-134-0x0000000002CF0000-0x0000000002CF1000-memory.dmpFilesize
4KB
-
memory/4352-138-0x00000000020D0000-0x00000000020D2000-memory.dmpFilesize
8KB
-
memory/4352-70-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4964-13-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-5-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-18-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-19-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-10-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-35-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-1-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-14-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-46-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-45-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-6-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-7-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-16-0x0000000002C60000-0x0000000002C62000-memory.dmpFilesize
8KB
-
memory/4964-96-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-106-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-15-0x0000000002C60000-0x0000000002C62000-memory.dmpFilesize
8KB
-
memory/4964-12-0x0000000003F50000-0x0000000003F51000-memory.dmpFilesize
4KB
-
memory/4964-109-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-110-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-130-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-11-0x0000000002C60000-0x0000000002C62000-memory.dmpFilesize
8KB
-
memory/4964-0-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4964-3-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-149-0x0000000002C60000-0x0000000002C62000-memory.dmpFilesize
8KB
-
memory/4964-159-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4964-140-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4964-4-0x0000000002C80000-0x0000000003D0E000-memory.dmpFilesize
16.6MB
-
memory/4976-166-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-168-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-162-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-163-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-164-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-165-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-135-0x0000000002C00000-0x0000000002C02000-memory.dmpFilesize
8KB
-
memory/4976-169-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-132-0x0000000002C90000-0x0000000002C91000-memory.dmpFilesize
4KB
-
memory/4976-167-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-160-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-170-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-171-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-172-0x0000000003E60000-0x0000000004EEE000-memory.dmpFilesize
16.6MB
-
memory/4976-41-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB