Analysis

  • max time kernel
    36s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 03:53

General

  • Target

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

  • Size

    317KB

  • MD5

    76e4c67f2f63c5b0cf1c17fb6c43c760

  • SHA1

    bcaccce30f728ba7efe489a16c8f14235347967f

  • SHA256

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

  • SHA512

    78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

  • SSDEEP

    6144:dNyZWJhe+9xwSp0Ksr8/Ddv/9zyKI20IBHqLw:dNbhe+9fp0VYDZ9G0DBK

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:780
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:788
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:336
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2684
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2696
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2908
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3436
                  • C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
                    "C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:4068
                    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
                      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
                      3⤵
                      • Modifies firewall policy service
                      • UAC bypass
                      • Windows security bypass
                      • Deletes itself
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Windows security modification
                      • Checks whether UAC is enabled
                      • Enumerates connected drives
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3492
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3572
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3752
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3848
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3916
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4008
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4232
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:2416
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:1268
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                                  1⤵
                                    PID:1584
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                    1⤵
                                      PID:2268
                                    • C:\Windows\system32\BackgroundTaskHost.exe
                                      "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                      1⤵
                                        PID:4240
                                      • C:\Windows\System32\RuntimeBroker.exe
                                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                                        1⤵
                                          PID:1436
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:2312

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Temp\0E57B1DB_Rar\Un_A.exe

                                                  Filesize

                                                  249KB

                                                  MD5

                                                  0a5c25e3cd2be05bd66d913daf651928

                                                  SHA1

                                                  3077abd0e78b2c8c441944130e98df74b9843693

                                                  SHA256

                                                  7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04

                                                  SHA512

                                                  aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\FindProcDLL.dll

                                                  Filesize

                                                  3KB

                                                  MD5

                                                  b4faf654de4284a89eaf7d073e4e1e63

                                                  SHA1

                                                  8efcfd1ca648e942cbffd27af429784b7fcf514b

                                                  SHA256

                                                  c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

                                                  SHA512

                                                  eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\INetC.dll

                                                  Filesize

                                                  24KB

                                                  MD5

                                                  640bff73a5f8e37b202d911e4749b2e9

                                                  SHA1

                                                  9588dd7561ab7de3bca392b084bec91f3521c879

                                                  SHA256

                                                  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

                                                  SHA512

                                                  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\System.dll

                                                  Filesize

                                                  12KB

                                                  MD5

                                                  cff85c549d536f651d4fb8387f1976f2

                                                  SHA1

                                                  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

                                                  SHA256

                                                  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

                                                  SHA512

                                                  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\UAC.dll

                                                  Filesize

                                                  14KB

                                                  MD5

                                                  adb29e6b186daa765dc750128649b63d

                                                  SHA1

                                                  160cbdc4cb0ac2c142d361df138c537aa7e708c9

                                                  SHA256

                                                  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

                                                  SHA512

                                                  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\nsDialogs.dll

                                                  Filesize

                                                  9KB

                                                  MD5

                                                  6c3f8c94d0727894d706940a8a980543

                                                  SHA1

                                                  0d1bcad901be377f38d579aafc0c41c0ef8dcefd

                                                  SHA256

                                                  56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

                                                  SHA512

                                                  2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

                                                • C:\Users\Admin\AppData\Local\Temp\nsxB1EC.tmp\nsisFirewall.dll

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  f5bf81a102de52a4add21b8a367e54e0

                                                  SHA1

                                                  cf1e76ffe4a3ecd4dad453112afd33624f16751c

                                                  SHA256

                                                  53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

                                                  SHA512

                                                  6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

                                                • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

                                                  Filesize

                                                  317KB

                                                  MD5

                                                  76e4c67f2f63c5b0cf1c17fb6c43c760

                                                  SHA1

                                                  bcaccce30f728ba7efe489a16c8f14235347967f

                                                  SHA256

                                                  19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

                                                  SHA512

                                                  78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

                                                • C:\Windows\SYSTEM.INI

                                                  Filesize

                                                  257B

                                                  MD5

                                                  c49772446d4a57b9a8a7b09847fe5553

                                                  SHA1

                                                  4f6217a648478a2f8436c6598f9d1e9ddf6dc916

                                                  SHA256

                                                  16f8bb0efed92c0d44e3bb591cfa2b495b2b42697250195bd5024e85a74c83f7

                                                  SHA512

                                                  6066c717ebe250251e68e5c3034df41ac7a2dd282602163043a7b2b1e6a5e5a147c7c7e93b56927fb965697ab0886eb0102e2abfdab134f0b0dcc4ea4685966a

                                                • C:\jkehu.pif

                                                  Filesize

                                                  100KB

                                                  MD5

                                                  119c4dd6a29bcc6cd20a755d763f3971

                                                  SHA1

                                                  6d0e186b29ff0d5cb09da04e852556af5afc4e46

                                                  SHA256

                                                  c2f61814043eb744d2192557e0e543f275731073309c699d6df07632d76a3940

                                                  SHA512

                                                  797782156b7da9eb7a144bdf70c1abb092c21c3d94a2cc8c39be867a9a9e0e1077ecfd879eede4f5e903939c9e4e6f571e36117198746cf069cf21483571a5de

                                                • memory/3492-105-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-112-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-162-0x0000000000400000-0x0000000000471000-memory.dmp

                                                  Filesize

                                                  452KB

                                                • memory/3492-133-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-30-0x0000000000400000-0x0000000000471000-memory.dmp

                                                  Filesize

                                                  452KB

                                                • memory/3492-132-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-128-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-129-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-127-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-126-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-118-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-57-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-62-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-61-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-64-0x0000000003860000-0x0000000003862000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3492-56-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-54-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-55-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-59-0x0000000006160000-0x0000000006161000-memory.dmp

                                                  Filesize

                                                  4KB

                                                • memory/3492-53-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-51-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-60-0x0000000003860000-0x0000000003862000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3492-63-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-67-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-66-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-115-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-68-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-113-0x0000000003860000-0x0000000003862000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/3492-111-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-101-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-100-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-104-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-109-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-107-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/3492-108-0x0000000004BD0000-0x0000000005C5E000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-5-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-1-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-7-0x0000000003C70000-0x0000000003C72000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/4068-9-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-13-0x0000000003C70000-0x0000000003C72000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/4068-11-0x0000000003C70000-0x0000000003C72000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/4068-10-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-0-0x0000000000400000-0x0000000000471000-memory.dmp

                                                  Filesize

                                                  452KB

                                                • memory/4068-4-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-21-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-31-0x0000000000400000-0x0000000000471000-memory.dmp

                                                  Filesize

                                                  452KB

                                                • memory/4068-3-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-6-0x0000000002270000-0x00000000032FE000-memory.dmp

                                                  Filesize

                                                  16.6MB

                                                • memory/4068-8-0x0000000004070000-0x0000000004071000-memory.dmp

                                                  Filesize

                                                  4KB