Analysis

  • max time kernel
    122s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2024 19:47

General

  • Target

    3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe

  • Size

    1.6MB

  • MD5

    607ee92a3b80545833c68f3a7616af40

  • SHA1

    3fa1395e28cc6b13ed988540d603016e1eb26e7d

  • SHA256

    3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31

  • SHA512

    84ce39d4482a7fe5dd1ca71f05ecc7ef5c752bf3785be192ae229afd0688a94b36e95a1b89b274ced7599f74da1a942c95b4a473951cd37b81a235deb2792771

  • SSDEEP

    49152:4L7VbCRbECQozfZEbEUd/dRDFwdkRtNWxPN:M7VuRbEGEgUp56kncH

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:760
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:768
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:60
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2628
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2652
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2868
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3496
                  • C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe
                    "C:\Users\Admin\AppData\Local\Temp\3369bb973d5d1daae3906076e826ef7d3568bac3e1a46466057fce348eccad31N.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Checks computer location settings
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Enumerates connected drives
                    • Drops autorun.inf file
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:752
                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe
                      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe"
                      3⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2924
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Activar.cmd" "
                        4⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4104
                        • C:\Windows\System32\Conhost.exe
                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          5⤵
                            PID:2404
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\7Loader.exe
                            7Loader.exe /silent /norestart /l=Default
                            5⤵
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of FindShellTrayWindow
                            PID:3508
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:3624
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3816
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3908
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3976
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:4052
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:3504
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:684
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:3424

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EvoActivacion7.exe

                                    Filesize

                                    1.3MB

                                    MD5

                                    01a9427df69a25ccbe085d9be14a2762

                                    SHA1

                                    52c2a67c6f23b0b050908a4456b0c5118a1914ce

                                    SHA256

                                    3f81b56dc4a051a1d408170400246a8769f84855909d2a60769dc36852356861

                                    SHA512

                                    18be26ecf333a3a40174504128870e9717b193a8bb6eacf86d6551a44991b4e646ce7005f7a38d5284d12f97e9218c12df406140a932d3f764c3e33feab4c5bb

                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\7Loader.exe

                                    Filesize

                                    2.9MB

                                    MD5

                                    935576e21ffaf90ef782fed90c3421ff

                                    SHA1

                                    6f75e0932cdb4ab98667684c6868932d571de4e9

                                    SHA256

                                    c496c0e03fcfcb126a92121cf431df6a8b77e15f5ba4cf7e230492f9d18ff470

                                    SHA512

                                    2fa5d341901519f1f8bc0cd0c2007871923c7e7e4ad73833e49db7557bfdec2fbcdecdd4a1789f4c99d140fcc0791a83981b70cd72747f41d39c6eaa03c4e3c3

                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Activar.cmd

                                    Filesize

                                    397B

                                    MD5

                                    a2c3e139951719f09e483a37235f683f

                                    SHA1

                                    34590ad5c3e9e310491b9ac891071c58c5cf7622

                                    SHA256

                                    6135c3af068b400d2adef197ff7a8cf428e5f1ae7f5af6ed944333b6c124d89d

                                    SHA512

                                    c8414c08c8e60fe0dfff4750c921babc452febabb6d064eccd514c9f844931eec74cee2d85d487225522a554281dfd896273d10ee077442a4c43e4b5a44b54c5

                                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Keys.ini

                                    Filesize

                                    8KB

                                    MD5

                                    f7490dae3d51646651fd17fdf644ec18

                                    SHA1

                                    3af9362e812fe8f057b32335a0f7025b4609b495

                                    SHA256

                                    daaeafa6c595477a799b3d0d623afdbf36a68be3772191b8b375b8da9ec06ba2

                                    SHA512

                                    67918e6bc0540b764289890e54d94a816f893aece4fe0377d8b87baeed4fa3b2ce6ac373e2b7f18dba31f6ebb987379afc0aeaa985518248b46fa7588ff3ecf2

                                  • F:\dmiurb.exe

                                    Filesize

                                    100KB

                                    MD5

                                    b884deb05ba8dc6b33736aef993f162d

                                    SHA1

                                    bc845612e1a42e6cdb1098c78a3a92972f2ff60d

                                    SHA256

                                    d455c0ac7b3286f2b7748f4f87558b5b3ee3aff072b05406e0826eb2e44f3af9

                                    SHA512

                                    f88ae0f432dec538bfe46b25b741389a3b48d7d2378b6c007b539cfd7f34a36f3e5e8cd01520072f67ef0a8081fd6e25ddb7e956c51726c23b5c11efdbb6f409

                                  • memory/752-19-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-0-0x0000000000400000-0x000000000044E000-memory.dmp

                                    Filesize

                                    312KB

                                  • memory/752-9-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-14-0x00000000004E0000-0x00000000004E2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/752-11-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-3-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-7-0x0000000000640000-0x0000000000641000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/752-13-0x00000000004E0000-0x00000000004E2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/752-6-0x00000000004E0000-0x00000000004E2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/752-18-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-12-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-4-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-10-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-39-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-5-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-17-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-45-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-46-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-180-0x0000000000400000-0x000000000044E000-memory.dmp

                                    Filesize

                                    312KB

                                  • memory/752-8-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/752-120-0x00000000004E0000-0x00000000004E2000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/752-108-0x0000000002350000-0x00000000033DE000-memory.dmp

                                    Filesize

                                    16.6MB

                                  • memory/3508-44-0x0000000000400000-0x0000000000623000-memory.dmp

                                    Filesize

                                    2.1MB

                                  • memory/3508-48-0x00000000029B0000-0x00000000029C1000-memory.dmp

                                    Filesize

                                    68KB

                                  • memory/3508-64-0x0000000010000000-0x0000000010021000-memory.dmp

                                    Filesize

                                    132KB

                                  • memory/3508-72-0x0000000002D10000-0x0000000002D21000-memory.dmp

                                    Filesize

                                    68KB

                                  • memory/3508-80-0x0000000002D30000-0x0000000002D40000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/3508-129-0x0000000000400000-0x0000000000623000-memory.dmp

                                    Filesize

                                    2.1MB

                                  • memory/3508-88-0x0000000002D40000-0x0000000002D50000-memory.dmp

                                    Filesize

                                    64KB

                                  • memory/3508-56-0x0000000000AF0000-0x0000000000B00000-memory.dmp

                                    Filesize

                                    64KB