Analysis

  • max time kernel
    91s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-05-2022 04:06

General

  • Target

    028693ded0839fd9d2b58441cdf1ec16c65edb7848b148f67c9c327fd9f56908.exe

  • Size

    126KB

  • MD5

    777be51c882ac8b00427dd4a8a176572

  • SHA1

    f829eed157893d16a243cda99b1b8a138805e143

  • SHA256

    028693ded0839fd9d2b58441cdf1ec16c65edb7848b148f67c9c327fd9f56908

  • SHA512

    6a5c6f29f10501903e424a2392832423007ad4ed3fad2c6d5dc43646e8b6abf74dcb7f514e6894ca9809a2ae8c6f129f3e838342afc8fce20edb915397ef2604

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\028693ded0839fd9d2b58441cdf1ec16c65edb7848b148f67c9c327fd9f56908.exe
    "C:\Users\Admin\AppData\Local\Temp\028693ded0839fd9d2b58441cdf1ec16c65edb7848b148f67c9c327fd9f56908.exe"
    1⤵
    • Modifies firewall policy service
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 708
      2⤵
      • Program crash
      PID:1468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
    1⤵
      PID:1028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Modify Existing Service

    1
    T1031

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Modify Registry

    5
    T1112

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    3
    T1089

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4964-130-0x0000000000400000-0x0000000000497000-memory.dmp
      Filesize

      604KB

    • memory/4964-131-0x00000000024B0000-0x000000000353E000-memory.dmp
      Filesize

      16.6MB

    • memory/4964-132-0x0000000000400000-0x0000000000497000-memory.dmp
      Filesize

      604KB

    • memory/4964-133-0x00000000024B0000-0x000000000353E000-memory.dmp
      Filesize

      16.6MB

    • memory/4964-134-0x0000000000400000-0x0000000000497000-memory.dmp
      Filesize

      604KB