Analysis
-
max time kernel
31s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-12-2024 02:53
General
-
Target
bl4ke.exe
-
Size
469KB
-
MD5
5d9e7031a5d7498bf610633a3d0f6981
-
SHA1
f11cd03ef06dd53e1cef1ff15693efc919030ac3
-
SHA256
e056b9ff0256dd40dac919efe92006ee49a3f50d222ab17e755c7dcdbc34a4fc
-
SHA512
0d846e552d8f2f344257bd6e65e4f3fbfc5d41d90892c9d19af3abe4dc4074a3c73e6802269800fdaaa90a0b0deb78bad40f0c1b75a34a6c840144f316945975
-
SSDEEP
6144:igQ9ahMwdrlDDX3RtZL7bieYMy4rZEqwpgJCNXFhHcuci:igQsMkrl5t0jINggJMFOuci
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bl4ke.exe"C:\Users\Admin\AppData\Local\Temp\bl4ke.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG0AZgBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBPAFUAJwAnAFIARQAgAEYAVQBDAEsARQBEACAAQgBZACAAQgBMAEEASwBFACEAIQAhACAATABNAEEATwAgAEwATQBBAE8AIABMAE0AQQBPACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAagB5AHUAIwA+AA=="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAbAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAegBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwB2ACMAPgA="3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\gdihell.exe"C:\Users\Admin\AppData\Local\Temp\gdihell.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\Cronic.exe"C:\Users\Admin\AppData\Local\Temp\Cronic.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ApplicationDraw.exe"C:\Users\Admin\AppData\Local\Temp\ApplicationDraw.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\FUCKSCREEN.exe"C:\Users\Admin\AppData\Local\Temp\FUCKSCREEN.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\hslshader.exe"C:\Users\Admin\AppData\Local\Temp\hslshader.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x410 0x4bc1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d584df872086c0f7442a664a33d38fe5
SHA1f0fad100fda4e8bb82ce5bc7d03953605ac53a5d
SHA256fdb68980ecdb4c9b464cc6a07ec410b2c7dda5b01240a0a8c860e9a94fe372bc
SHA5125232ebc39075096fa6ae5ae6d5b7b4580003e0be87779281c27fc1e0646500c76ca2178205ccc06e3b85df02a3a88ddb864723a3978cc97a9d63fa07196cdd79
-
Filesize
17KB
MD5b6fc43c869bdd84dd65fa885413ff8c0
SHA15b0d4baff1fa16671834258aca224ea1b352f9f4
SHA256de8c28b1ad1f390625ff6cfebaf339fd1c5cfd11b78a639d3a54f3efc8e74eaf
SHA5124b19ce925f77d09c62f77ace8c3a54bb900422110246a0053aabd74ce4331de8acae5085e200e8983ae79312a5b7c831f227351a700e00c1b516f5e681371638
-
Filesize
85KB
MD5d2f7ee8114edbcb9aa332c1d8bbb9488
SHA1d97e993f1eaf8e4c990f06e9afa4f47efd9a5b06
SHA2560cb621f367e9aa5c046760be200dd0b5aa9b6e45c92f28adc73b34b369702f82
SHA512268ea70de1dfc4e97e0d057bd625e5080dd139564224d41dc23293b1eaf8205b359e3ab934fcc0b6ae1f0995cb9761ac5a84cdc2a8c40d0afa164eb7c6601243
-
Filesize
14KB
MD5726d50c3e3dd789d43664aa5c3c3f9de
SHA1f69e053040b09e422a712c4bf31ce20875186e31
SHA2568a865d95f2c90c97fe3d762608ebc8040033cac5882e5534675b6b1f056e9c19
SHA512872b347a0dd0cdb46959b9b41ad20dfc7dcfaf3cee8a27aa90b33700a44147edf631e03c3bd7ca8867dbcb2b02efc6c05ee0e8dd31062770c39d2ad13a1db56a
-
Filesize
11KB
MD5c8d6c1b9d0ab8940e827cc7f0f96f4b4
SHA1cdc2d69d48748b8836d6e2a4e58a370aebb55288
SHA256e9f500615b06fdb6b4eb4cd4e1664ba1da33fe3c2fc1eb0b1e561e06a20f1fbd
SHA51286b1e836fb79cf81cf15f7b889d4fcbee9de9f64cca741d012c5fe49fbf1bfc532bbbdb04114672765eff6cecc4ec4dd118fc1d2b52af1595020f09e64665d2a
-
Filesize
64KB
MD5f97a6c9d463f7005d28c273f7f369744
SHA15a594b71f3254fdd8fa1575b7898cd7cb8d0506c
SHA256729a7e9dfff763b95cae12e25875cd14acb4c74236d17494e32a72078df9931f
SHA512b9a1b151b241977130fa7fd7b3ce183c7836c31cc1c5d82ae5d77d2683bb2771020bc438fb4faa8d24d151234c5adadbd87a58b3be0e9f9ff556d26aaa8c79c7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
38KB
MD565389a4a1a5ec277c42d0dfacd59999b
SHA15098c44ec3a0c1be4d6d8f3dc5ddeeef73848c2c
SHA2568476bbe92dd772b4397ecb33fed7286f1b9ef698812b921d0113d5ead4607990
SHA5126fef9575d945f761d31406ce528e820945cb6f970eb78dc91c7a7da6e9efe6b2dbb1b55b96911d8115ac98dd95cf1f73a0cec13ad4cbe9750fe33df08e88f8b6
-
Filesize
39KB
MD57aa1ce5f332f6bde0ab29720fb768020
SHA10c42cce17644b24b8144f60559dc491b542e957d
SHA2566947123f789c83df8c9f3487fb7a2404da6255ee7391aecaede51647205aaadd
SHA51242c42203c5ba9319848be6ad716369d55e73a05909d6288eb074ae2ef5330f0d72e48c16d475ae8420445b2b9acd69762b8d8bb2b270beff998bc48e0ba69bc8
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
96KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
80KB
-
Filesize
200KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
68KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
3.3MB