Analysis
-
max time kernel
150s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
-
submitted
15-07-2022 16:19
General
-
Target
virussign.dll
-
Size
120KB
-
MD5
26a40eade629154d15e019603e4ce790
-
SHA1
6823521b875fe13e6a607db7f868b4925a71eeeb
-
SHA256
c67d559821f7c3cca0adf73727e00cf193c8c9ed7c82876235335afb4768656f
-
SHA512
765373138bb0f70c7cf92f615274b0d45be29a1746e72af9e0c15820acb8b45604baa441f891384b9c77b12b211b17e88835de85c2bc351708394f4740762dae
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e56f4e4.exeC:\Users\Admin\AppData\Local\Temp\e56f4e4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e56f87e.exeC:\Users\Admin\AppData\Local\Temp\e56f87e.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e570762.exeC:\Users\Admin\AppData\Local\Temp\e570762.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e56f4e4.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Users\Admin\AppData\Local\Temp\e56f4e4.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Users\Admin\AppData\Local\Temp\e56f87e.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Users\Admin\AppData\Local\Temp\e56f87e.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Users\Admin\AppData\Local\Temp\e570762.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Users\Admin\AppData\Local\Temp\e570762.exeFilesize
97KB
MD5b8892dfdcbe980eb546499a24bf94810
SHA13f62b7135a006944b42242bbd9099f4dbb0b67da
SHA256d8a7b054a9183b0eeb2ff0b02312bd16bd841598988794f26e9da2c3c2086fcd
SHA51255ac3d35f34c440ae415fd174732f858a40d89e5523bc52123d9ec0f12ff51759bfac78cf3a96ff1609a3dc801e348c3c715ac75dc22b22245d0c1cd89a573c5
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5516b902c71cc38bd9acf67524747ce1d
SHA157b59db29c98d78e7a8ea70831617121659eeec0
SHA256918f5b32b1ad71f8be1b57f1491c45ac8975c9fcbcc9a1943f85cfb38e80e60d
SHA512c60860005856eb22b04b4374ee6b015adf3d41ade61cb1868c87a52146db40b0b54ad0edb39be41ba849dc8ea7c8b56d117e8ea327d88873dc477171e3ff523e
-
memory/764-137-0x0000000000000000-mapping.dmp
-
memory/764-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4680-130-0x0000000000000000-mapping.dmp
-
memory/4680-134-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4804-152-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4804-153-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4804-151-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4804-149-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4804-142-0x0000000000000000-mapping.dmp
-
memory/4804-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-136-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/5056-148-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/5056-147-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-146-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/5056-140-0x0000000000880000-0x000000000193A000-memory.dmpFilesize
16.7MB
-
memory/5056-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-131-0x0000000000000000-mapping.dmp