Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:03
General
-
Target
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe
-
Size
883KB
-
MD5
1a0cc91e3e90d89d7a717fd6d3787c64
-
SHA1
ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade
-
SHA256
36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a
-
SHA512
d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"C:\Users\Admin\AppData\Local\Temp\36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a.exe"2⤵
- Modifies firewall policy service
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/656-54-0x00000000755A1000-0x00000000755A3000-memory.dmpFilesize
8KB
-
memory/656-55-0x0000000001F50000-0x000000000300A000-memory.dmpFilesize
16.7MB
-
memory/656-57-0x0000000000370000-0x0000000000372000-memory.dmpFilesize
8KB
-
memory/656-56-0x0000000001F50000-0x000000000300A000-memory.dmpFilesize
16.7MB
-
memory/656-58-0x0000000005F80000-0x0000000006A3A000-memory.dmpFilesize
10.7MB