Analysis
-
max time kernel
121s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
31-05-2024 19:43
General
-
Target
2504b17fd083e873064fc7ee9ce9d012bd0e46db80fa35ee75cbda519b311210.exe
-
Size
888KB
-
MD5
089595a683bbd93298336f88a9adcbb7
-
SHA1
13aa6e9830caec6542102c33eb5d228e006a51bc
-
SHA256
2504b17fd083e873064fc7ee9ce9d012bd0e46db80fa35ee75cbda519b311210
-
SHA512
e0ad0f44b62b4abc7b3830a0309097cfb6319f350bc427ff444501854603b895e155fa30515bd146382d8f3246cd1a44afd803129b666ddf7e6140b7b4c6862d
-
SSDEEP
12288:BwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4khozEY888888888888W88888888:FNzCtUpQ9WWPBSSRMTEpFNXFG3ny
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 40 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
Drops startup file 1 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2504b17fd083e873064fc7ee9ce9d012bd0e46db80fa35ee75cbda519b311210.exe"C:\Users\Admin\AppData\Local\Temp\2504b17fd083e873064fc7ee9ce9d012bd0e46db80fa35ee75cbda519b311210.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD538b41d03e9dfcbbd08210c5f0b50ba71
SHA12fbfde75ce9fe8423d8e7720bf7408cedcb57a70
SHA256611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5
SHA512ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9
-
Filesize
4KB
MD53ea9bcbc01e1a652de5a6fc291a66d1a
SHA1aee490d53ee201879dff37503a0796c77642a792
SHA256a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c
SHA5127c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501
-
Filesize
4KB
MD5fc27f73816c9f640d800cdc1c9294751
SHA1e6c3d8835d1de4e9606e5588e741cd1be27398f6
SHA2563cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05
SHA5129e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4
-
Filesize
824KB
MD5a11215f9df502968eea3e67caf9c7458
SHA1761fcb90b137ed1ebcdacaa4a0a5247132dfded2
SHA256bb3d9b3011b5451318c57033d93c4a6027bf07361740a196939e7d68e5e6cffb
SHA5128dadfc1825197e290a31144832367541fa142acb2299d9c1f1adcd6dad0660574a0922ef39d148f3dbe0aeef5d5d8e0ca7a68a1c7c1c05a189134ebb100436f7
-
Filesize
102B
MD55513829683bff23161ca7d8595c25c72
SHA19961b65bbd3bac109dddd3a161fc30650e8a7096
SHA25694e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6
-
Filesize
97KB
MD5b36b0b916c1875e2955cc57a76050b32
SHA12dce73327a121de32963fa59f7ec4c8ed5f342bd
SHA25643927efeba1d7381f8f417cbbe52fe3e252eafb744746817e3a4e74ec13aa71c
SHA512ccdf8ae63a11027adc5b8c7e9f6be2fb25be6f3e02379a1f3036bb9465cc27e1cebfd0128246b5e07d17b99811bcba893147c32eb1e52d8f3372f17e50b201c6
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
940KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
940KB