Analysis

  • max time kernel
    26s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/11/2024, 03:56

General

  • Target

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

  • Size

    317KB

  • MD5

    76e4c67f2f63c5b0cf1c17fb6c43c760

  • SHA1

    bcaccce30f728ba7efe489a16c8f14235347967f

  • SHA256

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

  • SHA512

    78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

  • SSDEEP

    6144:dNyZWJhe+9xwSp0Ksr8/Ddv/9zyKI20IBHqLw:dNbhe+9fp0VYDZ9G0DBK

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service (3 TTPs, 6 IoCs)
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass (3 TTPs, 2 IoCs)
  • Windows security bypass (2 TTPs, 12 IoCs)
  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Windows security modification (2 TTPs, 14 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 10 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file (36 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory (3 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (56 IoCs)
  • System policy modification (1 TTPs, 2 IoCs)

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:796
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:804
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:332
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2552
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2564
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2700
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
      "C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"
      2⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:556
      • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
        "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Deletes itself
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3588
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3800
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3920
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4028
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3364
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3964
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    1⤵
    PID:3896
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:772
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    1⤵
    PID:4964
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:3016
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:1896
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0E578ADB_Rar\Un_A.exe
    Filesize: 249KB
    MD5: 0a5c25e3cd2be05bd66d913daf651928
    SHA1: 3077abd0e78b2c8c441944130e98df74b9843693
    SHA256: 7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04
    SHA512: aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\FindProcDLL.dll
    Filesize: 3KB
    MD5: b4faf654de4284a89eaf7d073e4e1e63
    SHA1: 8efcfd1ca648e942cbffd27af429784b7fcf514b
    SHA256: c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
    SHA512: eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\INetC.dll
    Filesize: 24KB
    MD5: 640bff73a5f8e37b202d911e4749b2e9
    SHA1: 9588dd7561ab7de3bca392b084bec91f3521c879
    SHA256: c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
    SHA512: 39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\System.dll
    Filesize: 12KB
    MD5: cff85c549d536f651d4fb8387f1976f2
    SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
    SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
    SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\UAC.dll
    Filesize: 14KB
    MD5: adb29e6b186daa765dc750128649b63d
    SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
    SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
    SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: 6c3f8c94d0727894d706940a8a980543
    SHA1: 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
    SHA256: 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
    SHA512: 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

  • C:\Users\Admin\AppData\Local\Temp\nsw8AEB.tmp\nsisFirewall.dll
    Filesize: 8KB
    MD5: f5bf81a102de52a4add21b8a367e54e0
    SHA1: cf1e76ffe4a3ecd4dad453112afd33624f16751c
    SHA256: 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
    SHA512: 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

  • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    Filesize: 317KB
    MD5: 76e4c67f2f63c5b0cf1c17fb6c43c760
    SHA1: bcaccce30f728ba7efe489a16c8f14235347967f
    SHA256: 19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f
    SHA512: 78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

  • C:\Windows\SYSTEM.INI
    Filesize: 257B
    MD5: ca46aec8d35d2f81e99a8b884f5f4753
    SHA1: 163678984c584316472325fadda93ea04795bb42
    SHA256: 0ce1a0ed79b9be8bbd23fea2133e22783785e5710b2e417b30167583fa7460f8
    SHA512: ec0c77a11fdd63ffd5b6d03cea78453bf5c14aa1d2f6fdf4c85f6b0215e91426c8728e4c4a01a5046238bd2bf39ce40f3f5e9884181376b253fbf8aee9988228

  • C:\rktr.exe
    Filesize: 100KB
    MD5: 8574317c4c3979a8bd19af59d922ea60
    SHA1: 23b488f9483aedf19adfe577f1a210a59de4f682
    SHA256: 4c71f0ff226e1a0e7dfd03f48954bf03ce101b8eee795f67f0792815941b1c6b
    SHA512: 5eb665295031acf10d6ea8fa087c9c54ccec76f64b15f4db005c01fefbf61aea4ebabf7e6c89b1463b730a0cf1c8db09f025b3f1783d7d308a9501aa92ae54c6

  • memory/556-10-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-30-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
  • memory/556-9-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-11-0x0000000003B70000-0x0000000003B72000-memory.dmp (Filesize: 8KB)
  • memory/556-4-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-5-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-8-0x00000000041B0000-0x00000000041B1000-memory.dmp (Filesize: 4KB)
  • memory/556-7-0x0000000003B70000-0x0000000003B72000-memory.dmp (Filesize: 8KB)
  • memory/556-6-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-19-0x0000000003B70000-0x0000000003B72000-memory.dmp (Filesize: 8KB)
  • memory/556-3-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-1-0x0000000002370000-0x00000000033FE000-memory.dmp (Filesize: 16.6MB)
  • memory/556-0-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
  • memory/1028-63-0x0000000003860000-0x0000000003862000-memory.dmp (Filesize: 8KB)
  • memory/1028-103-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-61-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-54-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-52-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-60-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-59-0x0000000003860000-0x0000000003862000-memory.dmp (Filesize: 8KB)
  • memory/1028-55-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-53-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-65-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-66-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-67-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-56-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-58-0x0000000006160000-0x0000000006161000-memory.dmp (Filesize: 4KB)
  • memory/1028-50-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-99-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-100-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-62-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-104-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-105-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-107-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-108-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-110-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-112-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-115-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-117-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-119-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-120-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-122-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-125-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-127-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-129-0x0000000004BD0000-0x0000000005C5E000-memory.dmp (Filesize: 16.6MB)
  • memory/1028-29-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)
  • memory/1028-160-0x0000000000400000-0x0000000000471000-memory.dmp (Filesize: 452KB)