Analysis
-
max time kernel
33s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-06-2024 20:19
General
-
Target
2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe
-
Size
327KB
-
MD5
6d6836a9d6b5f361024c3b8a69bd47bf
-
SHA1
f940bbf01e03c3dca256cd36b2f5dabc601bd3c4
-
SHA256
2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f
-
SHA512
ebff2244be4f1eada9ce81a91175807a15663fe53266af77528dc5780e249e923ddfbfbef02259e5a191f60a2ab3f491c3223c65962f9a5774880d36deaed00a
-
SSDEEP
6144:XsLqdufVUNDa3S5llllllllllllllllllllllllllllllllllllllllllllllllx:cFUNDa3S5llllllllllllllllllllllh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe"C:\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exec:\users\admin\appdata\local\temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR7⤵
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x258,0x7fffdd3dceb8,0x7fffdd3dcec4,0x7fffdd3dced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2588,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4312,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:82⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
7Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exeFilesize
192KB
MD544981b4bc4a2a86d97d9daa4dfdc56c9
SHA134de2285a03a85eabbe026dbde0a832472253df4
SHA256dab149bc4edcc9e8762df554bf96544cc70c0a549598a70f89b5064a4e557e53
SHA5120441f7685f812675ef28db2d622111a4a5a5362a659b553a2ed78a73abeed45580915bd2c5dd0e8ff77df2bab0e46cc60d2dfcd7427f8201c8029b9baf28af98
-
C:\Windows\Resources\Themes\explorer.exeFilesize
135KB
MD5d4de75225f1b86039e70658414b08cda
SHA103d9a272df1d3432a79d87c50f709097d318e0e0
SHA2560b952c6ff91adaeb9bb8b3f1ad07846bfd46f193d9b9c511904c93f7219783cc
SHA512309a4eddeb5aa179b3a104bc9549c35d3b5441b367b0de2a7e230b7e986bb469836057fdf1e3305664cfb9b0593d0544326b03a10fbf29a75217952546065740
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
135KB
MD510bf281bd01dcdf7759c981fbf652071
SHA13954d13520598847ba6e907cf3a62b47c7ec75e1
SHA256603f4b2906e73b7a46d7312ae7441a8596817a67e8985030c782d109445f8812
SHA51291aaf2618eba99f6964b2e38d2735589a09c538342359ffb66161a72322b58d4e789ed09ccda771f8f519c63bbfaec2b87720bd2cc5837c1c24d7bbc589d1d1f
-
C:\Windows\SYSTEM.INIFilesize
257B
MD53a0f08ab39423066fe25e7c1f8d8f5c6
SHA1198fd8cca5855887de4c5f568b73e200aae57b65
SHA256689a2c3f07fad39bea95516ab96a0e33c511d48d1a62983cdc492a35ed0a794f
SHA512a2c7e2ede769a7e9625a64b75a0f7f53ef015ce3087b93b62964383bd70860cbafe1164cac0ce69a34c5ce443e7aa0603054fc7406bcf9d30bed8ac2d6082371
-
C:\gvtw.pifFilesize
100KB
MD5684beab22c2271dc6e215823ee095bee
SHA1e703cb2b4c586681ffc22c4e5322b0ae4568440c
SHA25621e0f15debdf120eec86d06b2d7e4da5e6a4dcdec36160b2ecb67a0563e63803
SHA512857e11c93cfc4a8a751089c7f7535c7f7d6a1f5e8973117e081c6b57e48604a71812fdd793600bbbd9f98b79fc165a6e10cd2626ce8d23d8cc234adb8a14e0c1
-
\??\c:\windows\resources\spoolsv.exeFilesize
135KB
MD58750e38c1396a5d7f71e05d99193dca9
SHA16958c9f8a9754405006e45e68f984a6af7b6bf19
SHA2562addb06defab45dc9120aa00234f5a580b33c5db8abfa68ff621f347f940f980
SHA512c4a35d63be602f43733e8fa34cb671293d05ee0491916597a47551b690584b1bafa9769dbdfb0e66b2f1810efbb43009e8cd36838b7ec897f5425b9c4a5518f8
-
\??\c:\windows\resources\svchost.exeFilesize
135KB
MD5f638e516847689a0f67145b1975689e1
SHA144f0673a6a549d4180a9e9c0ac4e6aa1f06e3b3c
SHA256b456409fa1af255ef4a50146b73ba92138952277fd9564d55bb94592b395fca4
SHA512ea4f95fabe0a46b5c5ea064292169d18d348502c658beb3ff78e421a1c052a2434067e756e29cd4c617379d2e46589a4ebb42115968d1c0d21a23acc7ef87396
-
memory/512-98-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-101-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-25-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-8-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/512-51-0x0000000001970000-0x0000000001971000-memory.dmpFilesize
4KB
-
memory/512-144-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-37-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-143-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/512-121-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-120-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-117-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-116-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-113-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-111-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-77-0x0000000000570000-0x0000000000572000-memory.dmpFilesize
8KB
-
memory/512-72-0x0000000000570000-0x0000000000572000-memory.dmpFilesize
8KB
-
memory/512-108-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-107-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-103-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-28-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-99-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-97-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-95-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-94-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-47-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-36-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-93-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-92-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-91-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-22-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-31-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-35-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/512-30-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/1056-66-0x0000000001F20000-0x0000000001F22000-memory.dmpFilesize
8KB
-
memory/1056-82-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1056-57-0x0000000002020000-0x0000000002021000-memory.dmpFilesize
4KB
-
memory/1056-71-0x0000000001F20000-0x0000000001F22000-memory.dmpFilesize
8KB
-
memory/1056-79-0x0000000001F20000-0x0000000001F22000-memory.dmpFilesize
8KB
-
memory/1056-42-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1608-106-0x0000000002DB0000-0x0000000002DB2000-memory.dmpFilesize
8KB
-
memory/1608-105-0x0000000003AE0000-0x0000000003AE1000-memory.dmpFilesize
4KB
-
memory/1608-67-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1632-64-0x0000000002060000-0x0000000002062000-memory.dmpFilesize
8KB
-
memory/1632-11-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1632-86-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/1632-53-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
-
memory/1632-83-0x0000000002060000-0x0000000002062000-memory.dmpFilesize
8KB
-
memory/1632-69-0x0000000002060000-0x0000000002062000-memory.dmpFilesize
8KB
-
memory/3144-78-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/4336-55-0x00000000028E0000-0x00000000028E1000-memory.dmpFilesize
4KB
-
memory/4336-65-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/4336-70-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/4336-163-0x00000000005D0000-0x00000000005D2000-memory.dmpFilesize
8KB
-
memory/4692-63-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/4692-0-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/4692-48-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/4692-87-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/4692-90-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/4692-49-0x00000000020F0000-0x00000000020F1000-memory.dmpFilesize
4KB
-
memory/4692-68-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB