Analysis

  • max time kernel
    151s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    11/10/2022, 02:08 UTC

General

  • Target

    bb5d30043da8f565bc0e4e0a36700236f913410157c6dae04707a777af64594b.exe

  • Size

    97KB

  • MD5

    4979b9387c252c9d2ebf3b1cbb33bf10

  • SHA1

    8592adb1e2d6c04c655ffa922506571da091bd40

  • SHA256

    bb5d30043da8f565bc0e4e0a36700236f913410157c6dae04707a777af64594b

  • SHA512

    da85208e76663af3d5ff4ee5a1797984bac3e8f657d2870336b1a01001c8cf25f888a1a9a80116166850f340ba2db71d15824b1616b8d3184fbad34aebaf950e

  • SSDEEP

    3072:etvRA7jO1M1uw9oZJTyB3yNC7HqZxXDay:gu7CmgxJ2BidxX

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the UPX open source packer or a modified variant of it.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1220
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\bb5d30043da8f565bc0e4e0a36700236f913410157c6dae04707a777af64594b.exe
      "C:\Users\Admin\AppData\Local\Temp\bb5d30043da8f565bc0e4e0a36700236f913410157c6dae04707a777af64594b.exe"
      2⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Windows security modification
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
        PID:2004
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1192

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2004-54-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize: 8KB)
  • memory/2004-55-0x0000000000590000-0x000000000164A000-memory.dmp (Filesize: 16.7MB)
  • memory/2004-56-0x0000000074DD1000-0x0000000074DD3000-memory.dmp (Filesize: 8KB)
  • memory/2004-57-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
  • memory/2004-58-0x0000000000590000-0x000000000164A000-memory.dmp (Filesize: 16.7MB)
  • memory/2004-59-0x00000000016E0000-0x00000000016E2000-memory.dmp (Filesize: 8KB)
  • memory/2004-60-0x0000000000590000-0x000000000164A000-memory.dmp (Filesize: 16.7MB)
  • memory/2004-61-0x00000000016E0000-0x00000000016E2000-memory.dmp (Filesize: 8KB)
