Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
27-05-2024 03:34
General
-
Target
ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe
-
Size
316KB
-
MD5
c7248067bc8c5a1f5c33c3d55cb12ac9
-
SHA1
6e2961c103372907db29a9b3e1cc939a54084ca1
-
SHA256
ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577
-
SHA512
691618e24ffc93fdceae880be28a771d6683708619255a298eccfc63e080db088bb722a72af525d274c685fefb5a53146dd448f7231b229786fa1c7e44580d0a
-
SSDEEP
3072:aOXQxG+IpQZQneFAMx3qe8UzT+nWwXjDRJWwXjDRgjDRbL7SCqO69Z7gnWYU7Wh:l4GlpQEQAMtqNUzC7OSeDh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 20 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
UPX dump on OEP (original entry point) 23 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe"C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exeC:\Users\Admin\AppData\Local\Temp\ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c "C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\ghi.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt7⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp7⤵
-
-
C:\Windows\SysWOW64\net.exenet user7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user8⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators8⤵
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist7⤵
- Enumerates processes with tasklist
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo7⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"7⤵
-
-
C:\Windows\SysWOW64\find.exefind "REG_"7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo7⤵
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all7⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano7⤵
- Gathers network information
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a7⤵
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r7⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print8⤵
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print9⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet start7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start8⤵
-
-
-
C:\Windows\SysWOW64\net.exenet use7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"7⤵
-
-
C:\Windows\SysWOW64\net.exenet share7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share8⤵
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain7⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\s.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\MICROS~1\Windows\INETCA~1\\t.log "7⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"7⤵
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
316KB
MD5c7248067bc8c5a1f5c33c3d55cb12ac9
SHA16e2961c103372907db29a9b3e1cc939a54084ca1
SHA256ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577
SHA512691618e24ffc93fdceae880be28a771d6683708619255a298eccfc63e080db088bb722a72af525d274c685fefb5a53146dd448f7231b229786fa1c7e44580d0a
-
Filesize
37.5MB
MD58479410d89540ef28ce83bcee8f23399
SHA14cc24a50b4465744360930ab30a06295c082a77b
SHA2562a90f21116dc17fe5e5f964a29e5e8b7fc0c6741a56b7c92ba3c8d84dcec0197
SHA5124499f6da685ea60faaaf94f2cac274401fcfa2eb118bb5fbd76dd25a4feceaab13bb880bb275ea00da730068786c0f915553a5ba0c41a3e6fcfe267cbf650f0c
-
Filesize
12KB
MD574e081b859d3b6cd81c684c1a29d0e5e
SHA14e5d0595d13bde24cdc17f35af4cd36b107693a8
SHA256f498071b9ced52559e083d49363b4c9bb927bc0e5bb67307da9089dd2dc9a56a
SHA512d6cedcff3be87cf3c13a384f37733e482fe2be0ced29fe120b68a46b5f056ab8695e5df69777df6abdd2e1c546a2ce67cf322b911569d8abae209adcfd5cc390
-
Filesize
15B
MD54ff8e80638f36abd8fb131c19425317b
SHA1358665afaf5f88dfebcdb7c56e963693c520c136
SHA2566b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
Filesize
3KB
MD558a64905608130d77188e612e3972897
SHA1fd2c205c16330cbd77bf3c4ffa8db0e0f245db49
SHA2561ebd7eae014cf21830a64f251bf768e2935fa3de5223dcb86f3e69dc88c384c8
SHA512288968fbce883e1ec8ba764ed9e82aa9712d1390a8aa98c9f4c7a45247be59825b981c3236e309c5bbff5d075998b406e0a1c049ecb035b58668a1f3354020fe
-
Filesize
43B
MD572366e30e15d58411d52ccb84fcc03a5
SHA11cdd3084594b9832fef1678924e6e73cdf9b651e
SHA25657f3a3f7279f63c96f96194dd3fe6763008aa199cf9ce5b598b6fe1280059f5c
SHA5125313ac9d475fa762591c4186011ba814908434169556f4b6e570a7b6785a70899d6a9e902292041977f679e96907e41ffd96a80f5d43fe562971a8fc5fd9e6d7
-
Filesize
22KB
MD5fc083605963cff6afe20377b5af46251
SHA10dce2c3d68b4acad424f1320804236cb98a58d6d
SHA256c285eec3a392ce43d523794d2deb529a29785b835e2218644f89e7b86f127032
SHA512c5ed55f1ab92660ac22b480d75a15f4bc2c9b52777fdc3e6ccb7105dd04df9dbf497297c208c680645dc4c02b9fc17d89d7069916e539c706e25d1c04a46eb0c
-
Filesize
59B
MD5b4cfdcb9d43cb0a0dbc027dda83114a0
SHA1f4529c2c9f6995259ef10842c12c7764c6307ba3
SHA256a31dae29fef8c035c25ad6b869055484e60642297c50ccfcdbb8562dfe3f2938
SHA512d8c68d6e639d65568eab2874d20c6578dfe461686912a8ae8392805640096a9ab8a85f62e993912955b9a5fad000bd08daf1bc721e66afbb8f8d5e573edeea22
-
Filesize
255B
MD51a9835a96de85e23df7407fab840f033
SHA190440fa805fa9c15608bcb215dfa4eafa53a646f
SHA256daf2240daefc88af97ed80cc9d0b483620d6dbb19cb391ceca61f748ac492e56
SHA512ca460c82cb1d21d52d7f1ca6ccf5b5c55ebc9ec7444d21026df7bd8ede9c818a9007523a4b19456b28a4d5c5905fdbd138cc94dc5180f6227701c5ef7cd52061
-
Filesize
316KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
316KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
316KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB