Analysis
-
max time kernel
169s -
max time network
173s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
-
submitted
16-07-2022 07:58
General
-
Target
virussign.dll
-
Size
120KB
-
MD5
981c8a2357a000371a465746daf3a340
-
SHA1
ed2872a3df64db6859d15ec30382156aa203015f
-
SHA256
449463aa2edcc35b3f5db7cbae40b09aac5ec12ee65d1c0f89c8628b5bd868e1
-
SHA512
434b7c87cbf9b62bdd0f7f942fda10c74ce9c62eb5d64fd3847958749d2ac94670737205212ccfc3f86d018d879916177072bbf03f51170fa9d0bd5209e1bded
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e56aa4e.exeC:\Users\Admin\AppData\Local\Temp\e56aa4e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e56acbf.exeC:\Users\Admin\AppData\Local\Temp\e56acbf.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e56bc6f.exeC:\Users\Admin\AppData\Local\Temp\e56bc6f.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e56bcad.exeC:\Users\Admin\AppData\Local\Temp\e56bcad.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e56aa4e.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56aa4e.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56acbf.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56acbf.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56bc6f.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56bc6f.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56bcad.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Users\Admin\AppData\Local\Temp\e56bcad.exeFilesize
97KB
MD53a00289a3ffdf63aa62b52e411ffd3a5
SHA16722ba636ab432bd8597fdd2f61599bd97c65aa5
SHA2566fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
SHA512bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516
-
C:\Windows\SYSTEM.INIFilesize
257B
MD585ff53bf1f747fb725edbb131911db7b
SHA1ebce920ab9016cbeb9a6cf7aac6d1e7e74168750
SHA2560867adc713ac9ffa0a1c90606592c6034929dd00c0872beb6fb59b525af94d39
SHA512c32cc95223049bc84f0ee9f13a93d254524c6da4336ac70cf8318bc55f224f1150db1e3dca068375ffb6209aa5a4aad3012469c7097fdfb2bbd130123eead5f0
-
memory/2596-156-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2596-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2596-142-0x0000000000000000-mapping.dmp
-
memory/3420-130-0x0000000000000000-mapping.dmp
-
memory/3420-138-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4248-151-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/4248-139-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4248-131-0x0000000000000000-mapping.dmp
-
memory/4248-134-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/4248-140-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/4248-150-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/4488-149-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4488-153-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4488-145-0x0000000000000000-mapping.dmp
-
memory/4488-155-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4488-157-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4488-158-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4840-135-0x0000000000000000-mapping.dmp
-
memory/4840-152-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4840-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB