Analysis
-
max time kernel
31s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
21-10-2022 11:42
General
-
Target
30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe
-
Size
177KB
-
MD5
22408f36bd6db96d30c5bb149b3050e0
-
SHA1
e184eeb125c465dfa2b1a721ad89b45ce0cf3801
-
SHA256
30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95
-
SHA512
743f21a1ee68de71eaf52c0e7d91db9c5826e37ea0c3b98a11d662c2aa536e96e60a859a8abb69683bf87589d903e3e2772000827268270b0cfdb810d5ea2198
-
SSDEEP
3072:Yq/HSpAbGTe2Aq/tqiI09Gp7ifqtTyOWZS7wB7gUkIjr7aF1A:YqQAbge6Gp79Wc7pIjr7aF1A
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe"C:\Users\Admin\AppData\Local\Temp\30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /F mingliu.ttc /A4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls mingliu.ttc /grant Administrators:(F)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.batFilesize
254B
MD500a44a36512228fdd22f812ad21d6f26
SHA164d48adbbd2d942e2ea79b232cf0fe8995edcf51
SHA25651bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
SHA512f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e
-
memory/732-59-0x0000000000000000-mapping.dmp
-
memory/940-61-0x0000000000000000-mapping.dmp
-
memory/972-62-0x0000000000000000-mapping.dmp
-
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmpFilesize
8KB
-
memory/1348-55-0x0000000001D50000-0x0000000002E0A000-memory.dmpFilesize
16.7MB
-
memory/1348-56-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1348-57-0x0000000001D50000-0x0000000002E0A000-memory.dmpFilesize
16.7MB
-
memory/1348-58-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/1348-63-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1348-64-0x0000000001D50000-0x0000000002E0A000-memory.dmpFilesize
16.7MB