Analysis
-
max time kernel
21s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
30-05-2024 18:15
General
-
Target
042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
-
Size
287KB
-
MD5
a9300349e56df396f27110591c3c4e8a
-
SHA1
91d6b1133ac0cb5115fbaf99be8d3bc0af138574
-
SHA256
042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a
-
SHA512
51c9994735350821cf03c26d170ae0f5de6a7837d1cccce8ba7c114b9fa1005a95719458a02c531873fb59ff58c6eeb646fb47c7df3f80f7d8b9a1b30df2996f
-
SSDEEP
6144:dvE72U+T6i5LirrllHy4HUcMQY6A+5Y+21Eqe:9E7N+T5xYrllrU7QY6A+LX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 36 IoCs
-
UPX dump on OEP (original entry point) 39 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 35 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe"C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 18:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
287KB
MD51f34a06f0d34eb0ca983c66c4107ace7
SHA1a8d93746f29565903a2eae07e028937f7ca43d91
SHA2569e3bde1b37cc5efb387171a4aec602664ce772fa8fd71ea0f6f3b9043612d0c9
SHA5120ca21df767f11fdc31005970629227152503a41784864801b650fcdc756db45d750555a1707aacf3b02a0ffa1863e986d7f4aa0e4a63eab59037e24fb81c5dc0
-
Filesize
256B
MD536958c0091467a28ec3abc1cebf7f1dd
SHA1cbcab47200410d4d33b11803a9433ceac8613583
SHA256fbf08d534e30a4ce2bc45a261f93ee2e338621ae4ec693c08d822a5a05035272
SHA512df5333f963853ed2c4c7970de65e35acd9f9f31b9b37ff178884952bff59b8e8577d6d12fb3f2d06bcbab2a7dce17c0f68a8aed762ba979a09d780e7198b1a16
-
Filesize
287KB
MD5df01c9d50965fae182c59480838d379a
SHA1adcf255442222007bd2a46fa1e10261a75b4b674
SHA2565c76957b18fecce67aec7e3f88af32f6246f27aae7661b8f03f672a7cdc97b65
SHA512992550393995bd6d344aa34b669e48a356bf0b307a032b7b1b7b736e1dd6e7f2b09790a31bf20b44fd1005b39ba2944163e2763c4f1c5504589f9b452dbbc3b7
-
Filesize
287KB
MD5e7b434b849dcca171235ba6cd0b77b08
SHA15d58b5c59dd2a7e3c816f7c68a63d82c476ca751
SHA2565b6d20e3f7e0cd81d91687e1dc5d54791df7b28cc03e53cbc80c03c2c64e4e36
SHA512e5ed4d77ca1c7f85142c8f102a2103e559755940bac2e74e689a10a06cb9a97ac65c246a1f1e8c778979f74921ec6d7eb2997e0db92e34654f5ec4f4c906e287
-
Filesize
100KB
MD5b16822fb84ca8970500aa26a0a81b458
SHA183481e14dc4bb95359975b1ddbb1358db02c6e46
SHA25671c14d4036fe9b8f72f9b96e2a76169a8f572c0d62565ff171cf182bb5e71366
SHA5128eb3de69a85d4d37ede2ce220eb46855ba0810e68aa114317d7b731cf18e3900741127f3fcf579f421ef0109a0392947e3a6e1f8477a39225b6b7189f202ffca
-
Filesize
287KB
MD5569d41cf2eaea595432d8e4cd5f940cc
SHA139ad6fef56befd95122305c5f79d8929e5509587
SHA2564e5134d486b0452e3b299d64b9d2bd5eda12a2dc0154442756b8c38d236a074f
SHA512c01e176a764bbbf7b061b09ca649ab3ae44277a12da7f9f2bdf054de6beaced6a775e1d33b959484904f75bde1a02e65a1891f8d309651dacc6428a9d9ee42c0
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB