Analysis
- max time kernel: 95s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 04:56

Static task: static1
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20240903-en
General
- Target: Server.exe
- Size: 378KB
- MD5: 2259d80782439b55d0d44eb0a2b39a24
- SHA1: a072494a995cdeeed9c38a8e4f0e9e02167283b9
- SHA256: 0b52cb6c4cda4706e62dd403e58626a911019c557b6a30cb1ec3fea27cc4a131
- SHA512: 12caff1c80f5a2291b3bd0b1e37c742cf24606093b82399bfaf71353b662a280cafee1acfb542890230d824bda29fe25600d3dc5795e7a3bf4c65b642adc9e70
- SSDEEP: 3072:bHxJqtiEbBIn6VVGxFYdCLYMywMKvIl3wpjM9jtXrMs5CH3ulOmT2oYZAsnGTW81:Mjjw3vIlGqtbMuCHZLyFa8H
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | Server.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Server.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | Server.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Server.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe:*:enabled:@shell32.dll,-1" | Server.exe

Sality family

UAC bypass (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Server.exe

Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Server.exe

Yara rule matches (6 IoCs)
resource | yara_rule
behavioral2/memory/4016-1-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
behavioral2/memory/4016-4-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
behavioral2/memory/4016-10-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
behavioral2/memory/4016-18-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
behavioral2/memory/4016-22-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
behavioral2/memory/4016-24-0x0000000002B30000-0x0000000003B60000-memory.dmp | upx
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | Server.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2008 | 4016 | WerFault.exe | 81
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4016 | Server.exe (4 identical entries)

Suspicious behavior: MapViewOfSection (64 IoCs)
pid | Process
4016 | Server.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4016 | Server.exe (12 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4016 | Server.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4016 wrote to memory of 612 | 4016 | Server.exe | 5 (6 identical entries)
PID 4016 wrote to memory of 676 | 4016 | Server.exe | 7 (6 identical entries)
PID 4016 wrote to memory of 776 | 4016 | Server.exe | 8 (6 identical entries)
PID 4016 wrote to memory of 780 | 4016 | Server.exe | 9 (6 identical entries)
PID 4016 wrote to memory of 792 | 4016 | Server.exe | 10 (6 identical entries)
PID 4016 wrote to memory of 892 | 4016 | Server.exe | 11 (6 identical entries)
PID 4016 wrote to memory of 948 | 4016 | Server.exe | 12 (6 identical entries)
PID 4016 wrote to memory of 1020 | 4016 | Server.exe | 13 (6 identical entries)
PID 4016 wrote to memory of 388 | 4016 | Server.exe | 14 (6 identical entries)
PID 4016 wrote to memory of 908 | 4016 | Server.exe | 15 (6 identical entries)
PID 4016 wrote to memory of 1068 | 4016 | Server.exe | 16 (4 identical entries)

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Server.exe
Processes
- C:\Windows\system32\winlogon.exe  cmd: winlogon.exe  PID 612
  - C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 780
  - C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID 1020
- C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe  PID 676
- C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 776
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p  PID 792
  - C:\Windows\system32\wbem\unsecapp.exe  cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding  PID 3148
  - C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3944
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 4040
  - C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 744
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 3516
  - C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4164
  - C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4564
  - C:\Windows\system32\SppExtComObj.exe  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding  PID 2860
  - C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 5080
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 1604
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS -p  PID 892
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM  PID 948
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc  PID 388
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts  PID 908
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p  PID 1068
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService  PID 1076
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule  PID 1084
  - C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 2816
  - C:\Windows\system32\MusNotification.exe  cmd: C:\Windows\system32\MusNotification.exe  PID 2192
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc  PID 1096
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog  PID 1180
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  PID 1268
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  PID 1296
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  PID 1376
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  PID 1412
  - C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID 2688
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  PID 1436
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  PID 1500
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  PID 1508
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc  PID 1612
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  PID 1696
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  PID 1752
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  PID 1804
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm  PID 1828
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache  PID 1976
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  PID 1980
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  PID 1644
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  PID 1004
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  PID 2056
- C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe  PID 2156
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p  PID 2240
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  PID 2256
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  PID 2300
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  PID 2476
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  PID 2484
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2696
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc  PID 2784
- C:\Windows\sysmon.exe  cmd: C:\Windows\sysmon.exe  PID 2832
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  PID 2840
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  PID 2868
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  PID 2884
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker  PID 2912
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc  PID 3540
- C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID 3624
  - C:\Users\Admin\AppData\Local\Temp\Server.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Server.exe"  PID 4016
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1040  PID 2008
      Signatures:
      - Program crash
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3748
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  PID 4960
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  PID 444
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV  PID 3340
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc  PID 3760
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service  PID 3320
- C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  PID 2424
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc  PID 656
- C:\Windows\SysWOW64\WerFault.exe  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4016 -ip 4016  PID 4680
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)