Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-12-2024 14:58
General
-
Target
4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe
-
Size
1.9MB
-
MD5
4ea6690811d8ade65266abc0fb454180
-
SHA1
2dcfea885823b13d27f69b3b74702698d444e613
-
SHA256
4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71
-
SHA512
728a24325081e4b2bbcc6103aab6c70c85ec4f3365e65464af60cb7f9b8bf95546e986744a50928cf7c5113ef765a8e7cf722686ad143437ec3a7f7f7745cc54
-
SSDEEP
49152:n8bTCwMrtxKCnFnQXBbrtgb/iQvu0UHOaYm6:n86ZxvWbrtUTrUHO26
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\@AEB94D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\@AEB94D.tmp.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 45688⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe11⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"C:\Users\Admin\AppData\Local\Temp\4e413d99447f93977c0ef71daa6b79f265e5043398dfc3ba01d686f43122fb71N.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5d77c5adb9faf7d53b1dace1c1a5226ba
SHA1a209af9fbd5d607a19c94dab60606842991e556f
SHA256445138ae86b88bfc312344aff461a9910594d9872b74ec4ecde0c7aa379656c5
SHA512030d4d0dfbd08ed4beb7a45a3b9bf3afd8c2b737f4be663b9a8f98656ba7f1cf11758d2273d93ce1e657224e7f85a403ac1436345514e0d727e4d253cab50b53
-
Filesize
134KB
MD58295485b2ac14cb7e113d0df275d0ba8
SHA12e23fe53857c56d40c586f4d7a0984e02d5d04e9
SHA2569b42c90c7311d224af9a653c3ca56ef429041206119956d1c902e7e9301149a2
SHA512a6a6281c62f8c031a62d9824131c69b7832e89fae23e2b726991ec966ae7fe762ec63c04f0e6b1cdd17f73ec7cdda0c47efbde24c1846516a8c51e643f25a700
-
Filesize
1.8MB
MD54f72c4ad306998d35ec494f5b04e1205
SHA1e88ff9f9c72f915fe102ee94bff074fe64cb35c1
SHA2565464a9ba9b20e0f322fab398b7508b192dfa243632553a2388f37119680dc313
SHA512b629756f9a08bde63d4832804461519de29f08adb708ff3350d603dcbc04b64dcf3faaccaff13e7b55fe2eae079c79bafe690250939ac066525009c073137477
-
Filesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
Filesize
120KB
MD5f558c76b0376af9273717fa24d99ebbf
SHA1f84bcece5c6138b62ef94e9d668cf26178ee14cc
SHA25601631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a
SHA5122092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d
-
Filesize
126KB
MD502ae22335713a8f6d6adf80bf418202b
SHA14c40c11f43df761b92a5745f85a799db7b389215
SHA256ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4
SHA512727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c
-
Filesize
89KB
MD509203a9741b91f3a9ed01c82dcb8778d
SHA113e6f3fb169cd6aa5e4d450417a7e15665a2e140
SHA25663149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2
SHA5129e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846
-
Filesize
99KB
MD59a27bfb55dd768ae81ca8716db2da343
SHA155da0f4282bd838f72f435a5d4d24ac15b04482b
SHA2565ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26
SHA512d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c
-
Filesize
172KB
MD52634fa3a332c297711cb59d43f54ffce
SHA18e2b68d0ee4e792efb1945ba86eceb87f07087d2
SHA25627c945ccb84aa024f1f063701327e829a7ef3a7ede4a43b2febbb1dddbdf8740
SHA51284e4799b9b18a7cc7be685c793a9b4fb135ea331d1d235fe823e1d7091130f131ab2fbad1da4dea795e82547aa16b00f4e2a9faaa96cb522d795f9abfda2fc53
-
Filesize
276KB
MD5e07c6a9e595f045fadc463dfda44ab16
SHA1e6b199272ade02613f2003c365a4cb1487431e23
SHA256d2fa6f9686386a92253a9c5ea25ace702a111483540b60c1300789235cea7fdc
SHA512f3c630ae8381b99519aeeadbc2918810e7fb09a909f73ee6c46f4e9d3cf8c5051a5cf763db6a775d6cd8713ccf95a63b18df9ed756fa28276e8d7ab6a47f2cbf
-
Filesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
Filesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
Filesize
1.8MB
MD514f8d7cdc6c605e96b2ba9fc8e6005b1
SHA100dba7701327d11c216aec9b4ec1b6ad0ea1afed
SHA256640f8da2d12e2f677a0939afc87608d187ef6eea97a223c3fc305c7a5d542ca4
SHA5121013609de674d17330932a04839739cb2e8cb09a510d2daba8b900e82b517518082d1cf341929b8e85eebf9ba5731bac09a61e2bc6738b3f05b968ccc5b1de20
-
Filesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
Filesize
126B
MD504770bc172aa3cd2d04c36b57cfaeb2d
SHA1ff7c670dcbf37eecab9cf05f018c9d8510f7f88d
SHA25605bab3bd45bba0c3e1c39c8899bbae20285a456b13a4859baf6c1140446494fb
SHA5122d7cf5e17e227f6aaeb01450cf438e0e5418c8e226288fe5ea6981a19c61bc5e666edb6c238c91ba2999a906cf25e65a98621b1cb7c67b667584369345a9d29e
-
Filesize
196B
MD5370c34d1c60b459fc4c042632455f455
SHA1b402df5a0ab925ea3535d1d18bb9c882b6d73390
SHA25624a06d31239a4ecc64a4e1ab65da1b90f2a0dbdc08417891b6a9fa30012334ad
SHA512ced7f6b9979a2a077ea2a82e0e717e619db83935d48f7618cf2c5e66aa520876cad9172209ede56fb0754bbf5dfc45d67645810424d37d752bf1a5200a1a4f74
-
Filesize
102B
MD53ca08f080a7a28416774d80552d4aa08
SHA10b5f0ba641204b27adac4140fd45dce4390dbf24
SHA2564e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA5120c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01
-
Filesize
388KB
MD58d7db101a7211fe3309dc4dc8cf2dd0a
SHA16c2781eadf53b3742d16dab2f164baf813f7ac85
SHA25693db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a
SHA5128b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83
-
Filesize
257B
MD5bed19a74ee672ed61499614548107046
SHA1fcc0db693c5f739cbd780ed3040abf431d594d0f
SHA25639a37a40128a08603936bb8587deb18720f9d9105a924c1ca960b46e0347672a
SHA512243b3741784354411c8c3ad343eab6405a86f3b6910f129a34b29e8b0e045b9befe4606df1ee848bad4c770264d2ad4a5679307c334074a6bf904d614f7f58fd
-
Filesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
16.7MB
-
Filesize
84KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
300KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB