Analysis
-
max time kernel
132s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-06-2024 23:09
General
-
Target
6b6788a98d3e207cbb894ca21f244d94d9ad605c2e299b1af5673de7ae446bd2.exe
-
Size
2.1MB
-
MD5
c6c25d0e580e0cb0038b40f310a489e1
-
SHA1
607b33dccc785dac27627831b63628f97175d6b5
-
SHA256
6b6788a98d3e207cbb894ca21f244d94d9ad605c2e299b1af5673de7ae446bd2
-
SHA512
aee036a03d62f799421aa0bb7046612b2cecc3b7352864d9163cb32c997057f4f9e2b11af406fe9790c94475b72b5caee40a66400ea9807262f85389d69a8cea
-
SSDEEP
49152:mJXfy0ooUGxgjYKS/WSkY7c8B7x+ROhiyCSR7vJOYXb:30BUI+3LqLXb
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 7 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 39 IoCs
-
UPX dump on OEP (original entry point) 40 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 16 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6b6788a98d3e207cbb894ca21f244d94d9ad605c2e299b1af5673de7ae446bd2.exe"C:\Users\Admin\AppData\Local\Temp\6b6788a98d3e207cbb894ca21f244d94d9ad605c2e299b1af5673de7ae446bd2.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\system.iniFilesize
256B
MD5b020abb9bc9b823c53e952725ab7e1ae
SHA1a09cea9c731114d7f5b1f46cbc7cde357671c2ba
SHA256cc8c64659c8859e15cd4edfb6a04b6c16cc25a82de458fd045f68113025003c5
SHA51211a53e7255f6b7220c18bf9b1cc8b54d442cb9c7a071b123dbe636eef7b56bd87f895b1656cba08189e5493d5dbe2cbeacefff2b3bc4d176de2bcae5ed5cef72
-
C:\cmtyo.pifFilesize
123KB
MD58c3664ea2df03ab082a6585fb45631b9
SHA17b466b2bde9163c3424dfd5e59063b799cc49377
SHA25645f8b87f87afe2bb50c3fdfcc1a9dc97969ff951523ff03767bf5167fe832c51
SHA512622cee93be35f138c1228e5da22130a310a383b3e126ef6870afcb2b351dd5cb04d7e17915b19d0b3e71e907a95ee45abd14190b70f4110d3e5d16a53303ac39
-
memory/444-33-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-7-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-3-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-42-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-4-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-8-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-6-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-15-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-19-0x00000000046F0000-0x00000000046F1000-memory.dmpFilesize
4KB
-
memory/444-18-0x0000000003620000-0x0000000003622000-memory.dmpFilesize
8KB
-
memory/444-16-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-20-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-21-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-22-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/444-24-0x00000000779E3000-0x00000000779E4000-memory.dmpFilesize
4KB
-
memory/444-17-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-23-0x00000000779E2000-0x00000000779E3000-memory.dmpFilesize
4KB
-
memory/444-25-0x0000000003620000-0x0000000003622000-memory.dmpFilesize
8KB
-
memory/444-26-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/444-27-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/444-28-0x0000000003620000-0x0000000003622000-memory.dmpFilesize
8KB
-
memory/444-29-0x0000000073F20000-0x0000000073F59000-memory.dmpFilesize
228KB
-
memory/444-30-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-0-0x0000000000400000-0x0000000000620000-memory.dmpFilesize
2.1MB
-
memory/444-95-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-5-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-14-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-43-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-44-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-46-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-47-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-49-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-51-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-54-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-56-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-58-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-61-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-62-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-64-0x0000000000400000-0x0000000000620000-memory.dmpFilesize
2.1MB
-
memory/444-65-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-67-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-69-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-71-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-72-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-86-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-88-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-90-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-92-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-94-0x0000000003620000-0x0000000003622000-memory.dmpFilesize
8KB
-
memory/444-34-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-97-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB
-
memory/444-1-0x0000000002520000-0x00000000035DA000-memory.dmpFilesize
16.7MB