Analysis
-
max time kernel
122s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-06-2024 10:51
General
-
Target
dil.exe
-
Size
104KB
-
MD5
1c4eae5ef3e10ce0676618418ea9ed65
-
SHA1
26e7f992746b0e9b783d360c8cf9e475bd1ce015
-
SHA256
b9c3adeb63e6be94b581a68b3b675737501283db663484bfc7e14bdecfc7e940
-
SHA512
d459f72f5403941a7c1666dc91911446ac608faba8cae0a44ab8a2324536ed8db25f5a8c9e80cfcffd09df61a541ba181f94545404e62cf23f5e67e896bc2645
-
SSDEEP
1536:sKSowsA2YQWZzF90K/m2eMJN6tOwSDW7tyQPjccFl3kvQhMuJlAGGk/l:s1JsACe3uNM6tXb7tyOjtb3OQrEDW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 41 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\dil.exe"C:\Users\Admin\AppData\Local\Temp\dil.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\slpm.exeFilesize
100KB
MD533a3f9158599153d387e1bbe2018f4b8
SHA10bb34212d4f0eb8f30aee8af67fb8391c0ace343
SHA25644f546a034fcea930761d319daf23f6b2230d920e53919b6c2536a98ccf959f9
SHA512ae6ce4b50144c6be44f2f9f5a79fe4df0e2dfed801af30e712f8ea9ad389a4a68419957f8d4de24b55f0e17e78439664c3a88c0d4014ba005a96630aaeb84448
-
memory/1672-29-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-64-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-7-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-14-0x0000000003270000-0x0000000003272000-memory.dmpFilesize
8KB
-
memory/1672-15-0x0000000003270000-0x0000000003272000-memory.dmpFilesize
8KB
-
memory/1672-12-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-9-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-5-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-11-0x0000000004110000-0x0000000004111000-memory.dmpFilesize
4KB
-
memory/1672-10-0x0000000003270000-0x0000000003272000-memory.dmpFilesize
8KB
-
memory/1672-13-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-3-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-6-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-16-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-17-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-18-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-19-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-20-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-22-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-23-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-24-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-26-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-70-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-8-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-37-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-33-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-35-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-31-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-39-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-40-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-42-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-44-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-45-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-51-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-54-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-55-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-58-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-59-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-60-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-61-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-62-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-0-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1672-67-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-68-0x0000000003270000-0x0000000003272000-memory.dmpFilesize
8KB
-
memory/1672-69-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-27-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB
-
memory/1672-1-0x0000000002190000-0x000000000321E000-memory.dmpFilesize
16.6MB