Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-05-2024 02:22
General
-
Target
bf70cd422fb3771839abe10d861f022f311c28ad9f52aa9d1219462164531a81.exe
-
Size
1.8MB
-
MD5
b38b7365267b8fbea7781384bc638013
-
SHA1
3c035caa90b2118a6ed1acbb557e9745e10e3981
-
SHA256
bf70cd422fb3771839abe10d861f022f311c28ad9f52aa9d1219462164531a81
-
SHA512
c027e8cd2ab6400b4cacbf138bf4d589206028e728b625abacdce605c7284207c021c4ebee0ff7b49763a71911fd605ad85c13a6e99e72e29b20fe6f33495132
-
SSDEEP
49152:KbTCfQxKCnFnQXBbrtgb/iQvu0UHOW96f:K6oxvWbrtUTrUHON
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 32 IoCs
-
UPX dump on OEP (original entry point) 34 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bf70cd422fb3771839abe10d861f022f311c28ad9f52aa9d1219462164531a81.exe"C:\Users\Admin\AppData\Local\Temp\bf70cd422fb3771839abe10d861f022f311c28ad9f52aa9d1219462164531a81.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "5⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 48166⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "7⤵
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E575081_Rar\bf70cd422fb3771839abe10d861f022f311c28ad9f52aa9d1219462164531a81.exeFilesize
1.8MB
MD501ea2932a9695962450e9bca14c6be0d
SHA19e4a175939e06fa5ae8d2e139a5d41560b096ca5
SHA2567db7ec3f9ec9b4b78f2127e4fec63675efd153c3c084f143feb4357a3748035b
SHA5121c6ae9444097140d0987a2035ca8e95455ea93bd7ad31033ef7d024aa8a40e8936f9c820ece50ceb5af588695db67c39d81520dea05ab4d4d77a6d44c092374c
-
C:\Users\Admin\AppData\Local\Temp\0E578741_Rar\WdExt.exeFilesize
1.8MB
MD581c6e318341363e6e0cde6a5adbcbccb
SHA13e6dca0d13127bc7fafa24203fc991849d6ff16d
SHA25670bf5e9301ba7a08a2fe5f8ba9e8e9c7cbcd54e19daa4fc4b21c81fb6c813048
SHA5120ad4ffa599b7c4734cf74f3506cf49a9fd437c5633104517cf3013af1ad97fc7afb6161202e986b2c6cf434332958354d3eed10f3eeb234394e4ee6d5fad78b7
-
C:\Users\Admin\AppData\Local\Temp\C41B.tmpFilesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exeFilesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exeFilesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exeFilesize
1.8MB
MD550babaf6956a8239cd4f10252d47a2c2
SHA1d17c00e4faa2544e79a65e4af78dd376396ad27c
SHA2560aa913abc5e136eff67028b74e152bb064ca1110b06cdff6031dae0001ee2252
SHA5120914e25ce93125b811046fb8581f2d9f7443010380b4fa7e272a8bdd41d01af3f4cedf5f22ab90239cc8592b8f326f37df81bbbb17cf8a60cddec7291fa51024
-
C:\Users\Admin\AppData\Roaming\Temp\Admin0.batFilesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
C:\Users\Admin\AppData\Roaming\Temp\Admin1.batFilesize
126B
MD52c59b323bb82967f08745aa45a7d731a
SHA18ceccb3e06fe180a9754b2f17a1b66fc6c3d83d3
SHA256c166ef8ea6172c791d26fcc26270c4e96bee97af8e6d14a0bedad719cddaddad
SHA51240c66902764294dd0a998a9e8c0afad5190b4649036a36c61e80822f530a78b02afd1c1e476bebd71b7cfc896f57f5ec75e66693d4153da2d5510cd6ad17f9c2
-
C:\Users\Admin\AppData\Roaming\Temp\Admin1.batFilesize
302B
MD50abb8063efcf49582c2b6c4844a65a66
SHA1791e56cbe333ffda54764163f704eaa526dae42b
SHA256bcf28def71e964b8fe8254b0eb12e74d62f1bfccb28c184a3a09082a0ba1b169
SHA512fda7d8c553bd8ffd7400e2441d702e3c8cf6d35a24670d8333d3caa6c3651329a0cb206ce68a4809787a406c599c0f7073462d8c1159057f7dc369509edd6169
-
C:\Users\Admin\AppData\Roaming\Temp\Admin2.batFilesize
102B
MD53ca08f080a7a28416774d80552d4aa08
SHA10b5f0ba641204b27adac4140fd45dce4390dbf24
SHA2564e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA5120c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01
-
C:\Users\Admin\AppData\Roaming\Temp\mydll.dllFilesize
388KB
MD5e1e47695a0b98432911311352b63eaed
SHA1836142e550301e0fc13c1a047aae5a2f4481d7cd
SHA256c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0
SHA512da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961
-
C:\Users\Admin\AppData\Roaming\Temp\mydll.dllFilesize
388KB
MD58d7db101a7211fe3309dc4dc8cf2dd0a
SHA16c2781eadf53b3742d16dab2f164baf813f7ac85
SHA25693db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA5128b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83
-
C:\Windows\SYSTEM.INIFilesize
257B
MD54700cc3e352695670f40867c480ac1bb
SHA1e76a1361fdd440acf8d13c5c0e3e341a4390aec3
SHA256343c5fe41968f96c72e8b4566a0e867f1edec257bc6a01804a94c9adac5fab9c
SHA5123510f2eef87c30c9aaa381566a0284af7dff73cbca43e7395bd675f6d0259700eed89c04127346461c4d0ec7606896ea6b378fe79c81eb7644f2b0489288bb10
-
C:\Windows\SysWOW64\mscaps.exeFilesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
memory/1480-51-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-693-0x0000000000600000-0x0000000000602000-memory.dmpFilesize
8KB
-
memory/1480-53-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-141-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-181-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-292-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-291-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-293-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-678-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-679-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-52-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-6-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-704-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1480-101-0x0000000000600000-0x0000000000602000-memory.dmpFilesize
8KB
-
memory/1480-102-0x0000000000610000-0x0000000000611000-memory.dmpFilesize
4KB
-
memory/1480-54-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-142-0x0000000000600000-0x0000000000602000-memory.dmpFilesize
8KB
-
memory/1480-94-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-143-0x0000000000600000-0x0000000000602000-memory.dmpFilesize
8KB
-
memory/1480-93-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-87-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-1-0x0000000002290000-0x000000000334A000-memory.dmpFilesize
16.7MB
-
memory/1480-2-0x0000000010000000-0x0000000010015000-memory.dmpFilesize
84KB
-
memory/1480-0-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/3116-776-0x0000000001680000-0x0000000001682000-memory.dmpFilesize
8KB
-
memory/3116-777-0x00000000016D0000-0x00000000016D1000-memory.dmpFilesize
4KB
-
memory/3116-890-0x0000000001680000-0x0000000001682000-memory.dmpFilesize
8KB
-
memory/3116-889-0x0000000001680000-0x0000000001682000-memory.dmpFilesize
8KB
-
memory/4360-1858-0x0000000010000000-0x0000000010015000-memory.dmpFilesize
84KB
-
memory/4816-1401-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-1853-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-722-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-779-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/4816-727-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-784-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-775-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-781-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-783-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-1400-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-1846-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-797-0x00000000021B0000-0x00000000021B2000-memory.dmpFilesize
8KB
-
memory/4816-1852-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-845-0x00000000021B0000-0x00000000021B2000-memory.dmpFilesize
8KB
-
memory/4816-782-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-780-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-1877-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/4816-1866-0x00000000021B0000-0x00000000021B2000-memory.dmpFilesize
8KB
-
memory/4816-716-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-718-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-711-0x0000000002230000-0x00000000032EA000-memory.dmpFilesize
16.7MB
-
memory/4816-709-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB