Analysis
-
max time kernel
124s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
29-06-2024 01:22
General
-
Target
20094baa7d8b851ac5bfe49e8552cafe5801895885ad2dffea5d45787630a5b4.exe
-
Size
616KB
-
MD5
727f67fba318b7d7651896af6fc6fdd5
-
SHA1
0c0902ca0cb4fdc8a24bbba37f85b99187e52364
-
SHA256
20094baa7d8b851ac5bfe49e8552cafe5801895885ad2dffea5d45787630a5b4
-
SHA512
834b2d3c9ed2b6121f5ecb3240117524f74dfad4b6bfdf6a95ced40e42ac7c768db6be1fabc9a61104326362c2fe86723b658a42f60f8243eda8ee4e976f7901
-
SSDEEP
12288:RijxRW6eWZ/JsjFomeUkyej14ek9wMnw9F:KPeWZmFFeUHFek9dw9F
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 38 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\20094baa7d8b851ac5bfe49e8552cafe5801895885ad2dffea5d45787630a5b4.exe"C:\Users\Admin\AppData\Local\Temp\20094baa7d8b851ac5bfe49e8552cafe5801895885ad2dffea5d45787630a5b4.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\tgqtp.pifFilesize
97KB
MD5a6c97bdda1329268e8f5bfa401adfb40
SHA1f8d05200e35cdde4a44ec6173c9dd607a3b50136
SHA2560fe193646b7ab190222ad4f18f02fd8d3f0f4587765da1958e0011486c6757c7
SHA512ca4ee253e5cf89676fca5b380b465455e3d1bb403c83ab97d5b61612227bd53e6138b08e3a57690bc23f269b7df57e9399b940eea0e95dcd1cad738edbafac1f
-
memory/1108-33-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-73-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-13-0x0000000077470000-0x0000000077480000-memory.dmpFilesize
64KB
-
memory/1108-15-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-16-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-23-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-22-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-25-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1108-24-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1108-7-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-21-0x0000000077332000-0x0000000077333000-memory.dmpFilesize
4KB
-
memory/1108-20-0x0000000077470000-0x0000000077480000-memory.dmpFilesize
64KB
-
memory/1108-19-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/1108-18-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1108-17-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-5-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-4-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-26-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-27-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-28-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-30-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-29-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-81-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-6-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-40-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-36-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-37-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-34-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-42-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-43-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-46-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-49-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-51-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-52-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-54-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-57-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-63-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-66-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-67-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-68-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-71-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-0-0x0000000000400000-0x000000000049E000-memory.dmpFilesize
632KB
-
memory/1108-74-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-76-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-78-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/1108-32-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB
-
memory/1108-1-0x00000000022F0000-0x00000000033AA000-memory.dmpFilesize
16.7MB