Analysis
-
max time kernel
23s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-06-2024 19:31
General
-
Target
f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe
-
Size
287KB
-
MD5
763214b9365b3514da15e89e5aa36cad
-
SHA1
0c427a0142f62951fd2c818ec754f2b0b82179a2
-
SHA256
f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957
-
SHA512
c32e1e70bef83862cd5e4ad307cfbf8064a6edcd839355b93c64c109b9826ba4a69d20aaf1d1819ac35d80744d9fa3bfbbc66675497a836fd5c60656878bf0a5
-
SSDEEP
6144:TvEa2U+T6i5LirrllHy4HUcMQY6J27Ox0+MeyI:TEaN+T5xYrllrU7QY6A7ObMC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 37 IoCs
-
UPX dump on OEP (original entry point) 41 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe"C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 19:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 19:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
287KB
MD5d0f680855eb13f2a27e5bb7645b7d397
SHA15e81030282e95d4593704cb4d69027f167660ddd
SHA256156682bd349fbe3348ce68891dbf8f07a4c5063feea0f28240b8ad749ebd2953
SHA512bff20f308a7380d74cb072da35bf1a4f52271ca62f7030aec5812e0a1a4a68f012d915c60721e07e0b0f805a7381b94859c4827788f9febf17b1b74b3b60e580
-
C:\Windows\SYSTEM.INIFilesize
257B
MD55aaf82d4a06742ad34efaf4ca399855d
SHA12854e519eaa0e2bb97e1ff743d80440550a206f9
SHA256caf552b8112733ea8a49ee7c3abee5d1edc46501415ded23f309fdd20d5bb720
SHA512721afb905c66796e48b564a75275f9b7e84c605bbef088e82e7d27cfaa375ea122b13e1bf4ccbb5b5ae4ee2f549ac533bb1cf055ef175c8daad7d47c7c557f36
-
C:\Windows\System\spoolsv.exeFilesize
287KB
MD5c6dba8a6519b0c1db7959255da704ed7
SHA1cc4993c7396ef22e6012ceb404f96c3423975ed6
SHA256d289d3c2caedbcd01ddda6ce3bfed416528de05e303641f19ac9328bdacd7274
SHA51263c33b2fcee43e44ddadf601740029ec8f4d7174aec7175369233975382dd588b4c7f8ede10a480841a1513dbb0584f57c7035002d344ccd0892bf343b52e3cf
-
C:\Windows\System\svchost.exeFilesize
287KB
MD5311456298315bf7cdf99b6e0bcf90aa0
SHA1c5e395051599fb01656e042fb8ff0726b740df7f
SHA256ef91e8fca886157260a0ebaef3c54498e4006d1713e33735ffd0e3019c6dd391
SHA51296a1ca86018cba2799ac1064932877a86534271af4b7f18475c1f6ea654df29ea5beb924c6400e923669bfaf268abe8f24fb1a0b97868924ffab7375bc984d38
-
C:\qhwatj.exeFilesize
100KB
MD57c6ea3604756d4e0d4113fa422f411f5
SHA1f2231d0a91321ab20120fa1ba6b4e3720e0d8481
SHA25678ad660a2d4c21530032a37de21abae7390c402e2dc687a53b4fa88ca06bcd8c
SHA512ca28bc08cba4a462381c2ffbe825490e39d929b3577d5878748753848b842b6d08f55f6db3d1ce2772afc797118f243a6b7b16851682044639f903d485405dbe
-
\??\PIPE\atsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\windows\system\explorer.exeFilesize
287KB
MD5e20a214bc4b34f67f1ec20e8cb5b34d0
SHA1c6fd05c154acdc15d6ddc9550db99d6f0cbafb07
SHA2560b5cf2aca37eb8ceec5b24d3457f1ad9154878dd19768f0de0f7e56946b5702e
SHA5127da9fca822229756def3ffe1fa6653b213b69a93d089ceb3525231048110fbdadf78a0bbaecd7c91643dd26df3ca0dd098bcf9fb312883edfac6ccb034ff060c
-
memory/1236-55-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1236-34-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1548-90-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-78-0x0000000002860000-0x0000000002861000-memory.dmpFilesize
4KB
-
memory/1548-97-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-95-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-94-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-92-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-91-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-96-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-100-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-86-0x0000000000650000-0x0000000000652000-memory.dmpFilesize
8KB
-
memory/1548-89-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-88-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-99-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-23-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1548-81-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-103-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-72-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-104-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-76-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-75-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-107-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-74-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-82-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-83-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-85-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/1548-84-0x00000000035A0000-0x000000000462E000-memory.dmpFilesize
16.6MB
-
memory/2572-52-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3452-7-0x00000000021D0000-0x00000000021D2000-memory.dmpFilesize
8KB
-
memory/3452-14-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-71-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3452-59-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-62-0x00000000021D0000-0x00000000021D2000-memory.dmpFilesize
8KB
-
memory/3452-3-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-5-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-35-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-28-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-25-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-1-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-0-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3452-8-0x00000000021F0000-0x00000000021F1000-memory.dmpFilesize
4KB
-
memory/3452-6-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-10-0x00000000021D0000-0x00000000021D2000-memory.dmpFilesize
8KB
-
memory/3452-11-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-9-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-12-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/3452-13-0x00000000021D0000-0x00000000021D2000-memory.dmpFilesize
8KB
-
memory/3452-4-0x0000000002960000-0x00000000039EE000-memory.dmpFilesize
16.6MB
-
memory/4436-87-0x0000000002ED0000-0x0000000002ED2000-memory.dmpFilesize
8KB
-
memory/4436-44-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/4436-80-0x0000000004010000-0x0000000004011000-memory.dmpFilesize
4KB