Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 14:25
General
-
Target
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe
-
Size
2.9MB
-
MD5
490e1e2c51156303e8dcb5da19960e30
-
SHA1
240f9467766127a248adcaeb814ddc7cff461777
-
SHA256
e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8
-
SHA512
1f03f5abae55571a168476f2b21a8d14459ad47da5be340dd6d416f996b25f97fdfe6960d89cd1e0f048ba252249d4a836a690ae2a4c35b096b9c04a1eaca8cd
-
SSDEEP
49152:5esKAvZibeyiuftlobfTEBSUtGHjzUxSs/GS+1u:PKAAe/YtKbfTISYGDz6+E
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe"C:\Users\Admin\AppData\Local\Temp\e00f66823f6f9382ea63aaf1069c851122a4890395a494b828822fefb00d5cc8.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffe9330ceb8,0x7ffe9330cec4,0x7ffe9330ced02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2304,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2252 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2528,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3948,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1032 /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2260-0-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB
-
memory/2260-1-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-11-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-5-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-13-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-14-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-12-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-9-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-8-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-10-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-4-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-7-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/2260-6-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-3-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-16-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-15-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-17-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-18-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-19-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-21-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-22-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-32-0x00000000048F0000-0x00000000048F2000-memory.dmpFilesize
8KB
-
memory/2260-24-0x0000000002DB0000-0x0000000003E3E000-memory.dmpFilesize
16.6MB
-
memory/2260-41-0x0000000000400000-0x0000000000728000-memory.dmpFilesize
3.2MB