Analysis
-
max time kernel
150s -
max time network
89s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-07-2022 06:40
General
-
Target
4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe
-
Size
221KB
-
MD5
90af628b9c7875599eb32e093310c8b1
-
SHA1
56163f9470a0880b516a9347335bb61864301274
-
SHA256
4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664
-
SHA512
30292178bb237ceee8faf3b06250e28b95ee24d91bcf0f5d0509f38a04a87ac7bd609437fb41ca62ed1dadef1a08b0a029b8b3b85d7009239b622db7ffcb47b9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 27 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe"C:\Users\Admin\AppData\Local\Temp\4771a9b9240d732a11a4f25240ceef633a49ecb81ed6503b427688d16f740664.exe"2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/848-54-0x0000000075951000-0x0000000075953000-memory.dmpFilesize
8KB
-
memory/848-55-0x0000000001D40000-0x0000000002DCE000-memory.dmpFilesize
16.6MB
-
memory/848-56-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/848-57-0x0000000001D40000-0x0000000002DCE000-memory.dmpFilesize
16.6MB
-
memory/848-58-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/848-59-0x0000000074131000-0x0000000074133000-memory.dmpFilesize
8KB
-
memory/848-60-0x0000000003BB0000-0x0000000003BB2000-memory.dmpFilesize
8KB
-
memory/848-62-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/848-61-0x0000000001D40000-0x0000000002DCE000-memory.dmpFilesize
16.6MB
-
memory/848-63-0x0000000003BB0000-0x0000000003BB2000-memory.dmpFilesize
8KB