Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-12-2024 00:47
General
-
Target
56b29e6cfc65618539437b9d58231d1b733362fdcb6f30e7435adc3dcdf215bdN.exe
-
Size
1.8MB
-
MD5
fd21acd09d1d06345672d9dc7564b2d0
-
SHA1
a3bdfa50f61c3bee187f741336e3908a609c9e00
-
SHA256
56b29e6cfc65618539437b9d58231d1b733362fdcb6f30e7435adc3dcdf215bd
-
SHA512
28361e8bd30e25dd50190b35b7489caeb280e39cdc18bcf447bae7002e0dc08d5a3222b18be19a9c6f335bbe8cfb41fcd08506f7883ed33f016395cfed386618
-
SSDEEP
49152:sbTC9RxKCnFnQXBbrtgb/iQvu0UHOaYmLCm:s6zxvWbrtUTrUHO2h
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\56b29e6cfc65618539437b9d58231d1b733362fdcb6f30e7435adc3dcdf215bdN.exe"C:\Users\Admin\AppData\Local\Temp\56b29e6cfc65618539437b9d58231d1b733362fdcb6f30e7435adc3dcdf215bdN.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 45326⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe9⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5f2114795161403684cbbd19e790bd62b
SHA1387d92ccc41a97ecb2cf9a7b5b4e950087a69cee
SHA256c1f094a0afac833bbf5ac1f0a43a842e5a195510d30c24a94faaa5dbf77026f6
SHA512c3ac7c9606a83ff54ef9e0d262f1ee81e5087bc00142948b7858f9104933193856cf2639db04737bcca8fd8208338bee6690d9b22749486cfbfa957983e8e17d
-
Filesize
1.7MB
MD59bccf8405c34b8f03cd8fb1beb830172
SHA1a889180ff54c47943d5086db282b8bc5f497ceb6
SHA2569f43eeedbff03659d555fe05e37a2c3128f37c1b0fc8b7eedf2230062a2325b9
SHA512aebe598dd1294caa3caee06ec985de3cb3fd5180f82a26f86fba44b731633c759488a836b4508eb26964abdbc8a72ce4b041463c37c68797dfb3114dc09fb28e
-
Filesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
Filesize
120KB
MD5a1b1063f57137fd40f2a52206465fd7c
SHA1f39e46b41998cf31ae637cb8e821867f1f42aa63
SHA256250650040534767cd1a87864246caeace0a9fc53870b0269331e952d00a6190c
SHA5122febbbf1ecd0d7f1f2338586ef3515bb70557c07f9744c24e346021587ebd9a90c9c975281ce9b6801041371f7c7e311595d1b38406fc59ccab9279f1ee2fba6
-
Filesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
Filesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
Filesize
1.8MB
MD56f8abfd68b55ac014126f1016a45c3d7
SHA152dd923cf4ae67f207e61e19ca0f43104413433d
SHA256bd17689f31cb35c82cd0a004d2e4506cb565a15c1eb022aa0e9abe6e230d408f
SHA51230e09a1ce6c7b6a90b2b0893d6fa3f8b744805faa39d64c4f84394a156f1fb52d376ebdc186e681c4926a97356dd8f8b4a669e6d51cfabfc00c4c14b1c441e84
-
Filesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
Filesize
304B
MD5499a71df3dc2257404c588cf1557850e
SHA1be2ea739a45849c425057f1c0b7fbb08dd0bfbc5
SHA256a2e556f51a33a0caef60f782de377be599e487fc550a53d2b6bde0b68b29a15b
SHA51290fffbf0309a0b2f702a7a77d2269d93f13f06c8e7f777f4e1bd9b74c783cc24b3a4ecdb51871be2736b453381b131e56716e2a6dd4e090645dc25aa01474d15
-
Filesize
126B
MD5b16a1087ba3315fe496a45d432e0da63
SHA1465dc486ae09abb37d57acadd7a6ab76faf5fc17
SHA256545cd468d723c64383aa5dd39aa4ac2a005ffcccbf0180460539b80426b5fad9
SHA51215b5effc339b2553abbb11071d3e915c088038c88a41f2af5843c5a0cdf71f6079012a468baad74538c8edafd2288b4146f64e332d6882ed4a653bf796eba608
-
Filesize
102B
MD53ca08f080a7a28416774d80552d4aa08
SHA10b5f0ba641204b27adac4140fd45dce4390dbf24
SHA2564e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA5120c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01
-
Filesize
388KB
MD58d7db101a7211fe3309dc4dc8cf2dd0a
SHA16c2781eadf53b3742d16dab2f164baf813f7ac85
SHA25693db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA5128b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83
-
Filesize
388KB
MD5e1e47695a0b98432911311352b63eaed
SHA1836142e550301e0fc13c1a047aae5a2f4481d7cd
SHA256c67ed34d9254b31e611ee830125c3f2572a1e686f82deb69e1580fb9a4614cd0
SHA512da49234ee2e1d8f9956ba59d4a49fe04d3ab154f5dd60cf7a6c72e9d42defe8a4b0aeb38845444fe3a8d9c80976467d2101f7c992a48f98f6a9317d0e61ca961
-
Filesize
256B
MD5de5747ed722e034ab9748dda1ceb4490
SHA1aa4e42f19983c55bc68e728b01206e52a273cca1
SHA256e0ce3c20c87b6ed6643f724e5d25191a7bda88e34a890cdbdba16f4e9f9420b7
SHA512536eb2d187f8a6fb079875e635a5f567f4318f00162547116142a0af3352e59ca3d6bcdb39f2113656c169d8a070e40d56e534f65b71ec022d79785bdf9e4000
-
Filesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
308KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
84KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB