Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-06-2024 15:49
General
-
Target
033056e2a4dc8e10c9ba7d7ec078376a565d02046bb632bcd6c3be336a92a36e.exe
-
Size
703KB
-
MD5
a77d393d861eb34e71b888e7d9a97115
-
SHA1
9b29e115e3fb4c8e175bf70459657c65652fbeba
-
SHA256
033056e2a4dc8e10c9ba7d7ec078376a565d02046bb632bcd6c3be336a92a36e
-
SHA512
6784b8eb35086e809287c7b8448f0a23f066bd73bf0de3bad0baecd4394269a00b3f9a8782c416a589963eef5d4b31787143d7a5a9c44626d129c52645998234
-
SSDEEP
12288:/JFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOTN90gQE:BFZqhOBnVyK23C6OoYMLiVcKtVx4MiuC
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\033056e2a4dc8e10c9ba7d7ec078376a565d02046bb632bcd6c3be336a92a36e.exe"C:\Users\Admin\AppData\Local\Temp\033056e2a4dc8e10c9ba7d7ec078376a565d02046bb632bcd6c3be336a92a36e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbf00fceb8,0x7ffbf00fcec4,0x7ffbf00fced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2288,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1384,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:82⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\uryn.pifFilesize
96KB
MD5d7a9a1e92a61108b21f83ae32f7821bf
SHA1077eb6316fd069538dff5ad8fc9c8fe7d2d6e24d
SHA2565f4728fc96de7d844826a15a7b6ece2b6b54ebdeaf94ad5bfa6cdcde36c5b49e
SHA5124cdb2226ddaed65ce4b36dd53b2d715a5898aea5161a4628d34e7a73a012b07b3e1db2bd8f01f8134fae0138e5b27a558ebb2d3744416b2e885e98564fd5514f
-
memory/1912-30-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-69-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-3-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-11-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/1912-10-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-4-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-8-0x0000000000B20000-0x0000000000B21000-memory.dmpFilesize
4KB
-
memory/1912-7-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/1912-6-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-14-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-9-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-12-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-13-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/1912-15-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-28-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-20-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-21-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-23-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-22-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-25-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-26-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1912-27-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-19-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-5-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-49-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-33-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-34-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-37-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-40-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-43-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-45-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-48-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-32-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-50-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-51-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-52-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-58-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-59-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-63-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-64-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-66-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-67-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-0-0x0000000000400000-0x00000000005A8000-memory.dmpFilesize
1.7MB
-
memory/1912-72-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-74-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-75-0x0000000000720000-0x0000000000722000-memory.dmpFilesize
8KB
-
memory/1912-76-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB
-
memory/1912-1-0x0000000002400000-0x000000000348E000-memory.dmpFilesize
16.6MB