Analysis
-
max time kernel
42s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
21-10-2022 11:25
General
-
Target
c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
-
Size
173KB
-
MD5
10b704217cde743100df3fe10f6403a0
-
SHA1
b346bd15bebac1c98d27d541646f8f575b4ca441
-
SHA256
c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040
-
SHA512
c0de87a5a0f59ecea6856a4e878e46130a522bec59e09ecbc038cc26085965423e9a846ffbd725f5c5fa59bdf749569d2f3112541e375b84f8fd1c6b35e66ded
-
SSDEEP
3072:Yq/ISpAbGTe2Aq/tqiqZ/4YTi3wJSyjX2F5aOHGRS+mxeSP1A:YqRAbgeFZAdIT65aO8S+zSP1A
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe"C:\Users\Admin\AppData\Local\Temp\c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /F mingliu.ttc /A3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls mingliu.ttc /grant Administrators:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.batFilesize
254B
MD500a44a36512228fdd22f812ad21d6f26
SHA164d48adbbd2d942e2ea79b232cf0fe8995edcf51
SHA25651bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
SHA512f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e
-
memory/268-61-0x0000000000000000-mapping.dmp
-
memory/660-62-0x0000000000000000-mapping.dmp
-
memory/904-54-0x0000000075281000-0x0000000075283000-memory.dmpFilesize
8KB
-
memory/904-55-0x0000000001DA0000-0x0000000002E2E000-memory.dmpFilesize
16.6MB
-
memory/904-56-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/904-57-0x0000000001DA0000-0x0000000002E2E000-memory.dmpFilesize
16.6MB
-
memory/904-58-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/904-63-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/904-64-0x0000000001DA0000-0x0000000002E2E000-memory.dmpFilesize
16.6MB
-
memory/1292-59-0x0000000000000000-mapping.dmp