Analysis
-
max time kernel
80s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-06-2024 00:33
General
-
Target
7ab7069f70bb86b19ea0c9a63c736a39c9d9ac1c99fccc9c58988d3310d8be2d.exe
-
Size
1.5MB
-
MD5
c1c171d7f7050bb58837b085d81b7ba5
-
SHA1
c2980b2a79ebf3e67d47a8379ed590623392de68
-
SHA256
7ab7069f70bb86b19ea0c9a63c736a39c9d9ac1c99fccc9c58988d3310d8be2d
-
SHA512
8f6d7e0aa499f16ff7c039281d35a73d51586731e81a04274f98a46649f3c41154c83355c0b76dedd012c0097174528897c15a0a7e0841cd15abc654fec5e85a
-
SSDEEP
24576:7adEpF0SpVkxrnJUjX/2/BffZVt+xd3voH/m6y4YxqXqaHBkBcM2lE4ZEbL0HzCv:7zrZeZfjy4YxrahplEmApFV9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7ab7069f70bb86b19ea0c9a63c736a39c9d9ac1c99fccc9c58988d3310d8be2d.exe"C:\Users\Admin\AppData\Local\Temp\7ab7069f70bb86b19ea0c9a63c736a39c9d9ac1c99fccc9c58988d3310d8be2d.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0E5778CA_Rar\7ab7069f70bb86b19ea0c9a63c736a39c9d9ac1c99fccc9c58988d3310d8be2d.exeFilesize
1.5MB
MD5b01f1da99b6081357891ac1c1cdee3b7
SHA123996f12844a67471a4beb00e4f5dc7fa30b5fc4
SHA256f3d98a2cf0a651fcf6ea808ff6d1bc3b89ab40651b726556fdab3b31302b9364
SHA512e4cfa039b824f7d90a9df00abf69def01ab694db334d449abdc8ec91ee1155989a987e6ed78c15ef5e4bc44fc37eebebb89aab7fae5d759d8280065ff80c8f51
-
C:\Users\Admin\Desktop\desktop.iniFilesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
memory/3740-0-0x0000000000400000-0x0000000000591000-memory.dmpFilesize
1.6MB
-
memory/3740-6-0x0000000003DA0000-0x0000000003DA1000-memory.dmpFilesize
4KB
-
memory/3740-5-0x0000000000830000-0x0000000000832000-memory.dmpFilesize
8KB
-
memory/3740-3-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-1-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-16-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-11-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-23-0x0000000004690000-0x0000000004691000-memory.dmpFilesize
4KB
-
memory/3740-18-0x0000000000830000-0x0000000000832000-memory.dmpFilesize
8KB
-
memory/3740-22-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-17-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-24-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-8-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-7-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-4-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-9-0x0000000000830000-0x0000000000832000-memory.dmpFilesize
8KB
-
memory/3740-25-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-26-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-27-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-28-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-29-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-30-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-32-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-33-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-35-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-36-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-37-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-39-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-40-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-43-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-83-0x0000000010000000-0x0000000010102000-memory.dmpFilesize
1.0MB
-
memory/3740-82-0x0000000000400000-0x0000000000591000-memory.dmpFilesize
1.6MB
-
memory/3740-79-0x0000000010000000-0x0000000010102000-memory.dmpFilesize
1.0MB
-
memory/3740-78-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-85-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-86-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-88-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-90-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-91-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-100-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-101-0x0000000000400000-0x0000000000591000-memory.dmpFilesize
1.6MB
-
memory/3740-103-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-104-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-106-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-107-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-108-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-110-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-111-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-115-0x0000000002350000-0x000000000340A000-memory.dmpFilesize
16.7MB
-
memory/3740-133-0x0000000000400000-0x0000000000591000-memory.dmpFilesize
1.6MB
-
memory/3740-134-0x0000000010000000-0x0000000010102000-memory.dmpFilesize
1.0MB