Analysis

  • max time kernel
    93s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 00:25

General

  • Target

    6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe

  • Size

    417KB

  • MD5

    ab36f011716ff8c3035c7201689f6896

  • SHA1

    3cb1fdd41fa4fd02faef7fccddc3d7aa62f83097

  • SHA256

    6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894

  • SHA512

    c2fe8867855be40f5e9551a3c89957f8d14808de83908dbe305dcc65c4f9c55dc55badd11cc1b38f1f7d33c521c20c9d124c3590ec823537d3d83a794415661d

  • SSDEEP

    6144:GWb6GdYJGY1CLKd6Gr5xZH8XL7k19X0eTLE9AIHR1y9X9bk/0fkU/ADpWE67:GWbvhLq6y3H8X3k1liabe0fk2AD8d

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:788
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:792
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:372
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2940
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:3052
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:1108
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3436
                  • C:\Users\Admin\AppData\Local\Temp\6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe
                    "C:\Users\Admin\AppData\Local\Temp\6d300578022f5d4e6f842375f9611ad4341fc75b644d6d67c76220a71268e894.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Checks computer location settings
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:3800
                    • C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
                      "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
                      3⤵
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:2984
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
                        4⤵
                          PID:1556
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                    1⤵
                      PID:3560
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3748
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3836
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          1⤵
                            PID:3900
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                              PID:3984
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:3872
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:5016
                                • C:\Windows\System32\RuntimeBroker.exe
                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                  1⤵
                                    PID:880
                                  • C:\Windows\System32\RuntimeBroker.exe
                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                    1⤵
                                      PID:3064
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:3456

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

                                        Filesize

                                        358B

                                        MD5

                                        e06bd93e792698963f8a2b8bfd3aac0f

                                        SHA1

                                        db9c5ba11c437c6fe5aa93fcfff0eac106d18f06

                                        SHA256

                                        877287c4b272c02e0c5f0ab7d9b5c36f5ad8847310ef46226d43a6e745bd860a

                                        SHA512

                                        02209808cca202871ab8978871427332fc50577e7f2804d7b77c78951bcf75351eea3d509ac50f1bc03bcb793ad0c7b64f72b677cb5b5a40aca84cf1af360b4e

                                      • C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

                                        Filesize

                                        251KB

                                        MD5

                                        864c22fb9a1c0670edf01c6ed3e4fbe4

                                        SHA1

                                        bf636f8baed998a1eb4531af9e833e6d3d8df129

                                        SHA256

                                        b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

                                        SHA512

                                        ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

                                      • C:\Users\Admin\AppData\Local\Temp\Tmp14EC.tmp

                                        Filesize

                                        3KB

                                        MD5

                                        ec946860cff4f4a6d325a8de7d6254d2

                                        SHA1

                                        7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

                                        SHA256

                                        19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

                                        SHA512

                                        38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

                                      • C:\Users\Admin\AppData\Local\Temp\Tmp14FD.tmp

                                        Filesize

                                        3KB

                                        MD5

                                        fc2430057cb1be74c788f10c2d4540c8

                                        SHA1

                                        cab67ee8d5191fbf9f25545825e06c1a822af2f2

                                        SHA256

                                        dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

                                        SHA512

                                        4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

                                      • C:\Users\Admin\AppData\Local\Temp\Tmp1711.tmp

                                        Filesize

                                        3KB

                                        MD5

                                        a58599260c64cb41ed7d156db8ac13ef

                                        SHA1

                                        fb9396eb1270e9331456a646ebf1419fc283dc06

                                        SHA256

                                        aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

                                        SHA512

                                        6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

                                      • C:\Users\Admin\AppData\Local\Temp\TmpF879.tmp

                                        Filesize

                                        3KB

                                        MD5

                                        bbb796dd2b53f7fb7ce855bb39535e2f

                                        SHA1

                                        dfb022a179775c82893fe8c4f59df8f6d19bd2fd

                                        SHA256

                                        ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

                                        SHA512

                                        0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

                                      • memory/3800-5-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-26-0x0000000000400000-0x000000000046D000-memory.dmp

                                        Filesize

                                        436KB

                                      • memory/3800-6-0x0000000003590000-0x0000000003592000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/3800-7-0x00000000047B0000-0x00000000047B1000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/3800-18-0x0000000003590000-0x0000000003592000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/3800-19-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-10-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-12-0x0000000003590000-0x0000000003592000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/3800-8-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-0-0x0000000000400000-0x000000000046D000-memory.dmp

                                        Filesize

                                        436KB

                                      • memory/3800-9-0x0000000003590000-0x0000000003592000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/3800-4-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-3-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB

                                      • memory/3800-1-0x0000000002370000-0x000000000342A000-memory.dmp

                                        Filesize

                                        16.7MB