General

  • Target

    virussign.com_26a40eade629154d15e019603e4ce790

  • Size

    120KB

  • Sample

    220715-tsg8dsdbdr

  • MD5

    26a40eade629154d15e019603e4ce790

  • SHA1

    6823521b875fe13e6a607db7f868b4925a71eeeb

  • SHA256

    c67d559821f7c3cca0adf73727e00cf193c8c9ed7c82876235335afb4768656f

  • SHA512

    765373138bb0f70c7cf92f615274b0d45be29a1746e72af9e0c15820acb8b45604baa441f891384b9c77b12b211b17e88835de85c2bc351708394f4740762dae

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      virussign.com_26a40eade629154d15e019603e4ce790

    • Size

      120KB

    • MD5

      26a40eade629154d15e019603e4ce790

    • SHA1

      6823521b875fe13e6a607db7f868b4925a71eeeb

    • SHA256

      c67d559821f7c3cca0adf73727e00cf193c8c9ed7c82876235335afb4768656f

    • SHA512

      765373138bb0f70c7cf92f615274b0d45be29a1746e72af9e0c15820acb8b45604baa441f891384b9c77b12b211b17e88835de85c2bc351708394f4740762dae

    • Modifies firewall policy service

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

5
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Tasks