Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27-05-2024 02:40
General
-
Target
迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版/迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版.exe
-
Size
18.0MB
-
MD5
e252feaf7743218c0c64abbd4c9b057a
-
SHA1
458027ac825b4f7063f1f80c984b477a4dc99644
-
SHA256
54a14caa48d87a1be852320f8cedf5dbe0bc78a3bfb3e1ac06686b80d8e36351
-
SHA512
3a733d32b71b28a2661d355b387842f8362e57a170aa3bffa8beb6e84611be8f273cc4b2b4277f704051e00d9e735b57d904a97c3353e48b8c25b896dd1081b1
-
SSDEEP
393216:qqez5RytyjmvB3ny5sexXZj8JY4YGUTa1U3fdaPS:qqe9RytuoJny5vJRAY4YAy315
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版\迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版.exe"C:\Users\Admin\AppData\Local\Temp\迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版\迅雷极速版1.0.1.16星空不寂寞优化本地VIP6版.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/212-0-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/212-3-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-5-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-12-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-6-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-15-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/212-13-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-11-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-7-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-10-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/212-9-0x00000000040D0000-0x00000000040D1000-memory.dmpFilesize
4KB
-
memory/212-8-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB
-
memory/212-4-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-1-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-14-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-17-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-16-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-18-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-19-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-20-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-22-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-23-0x0000000002290000-0x000000000331E000-memory.dmpFilesize
16.6MB
-
memory/212-41-0x0000000000400000-0x00000000004EA000-memory.dmpFilesize
936KB
-
memory/212-33-0x0000000003F50000-0x0000000003F52000-memory.dmpFilesize
8KB