General

  • Target

    4d99d5f2839cb191b95812403783aa7a428d4088

  • Size

    563KB

  • Sample

    230202-qxzfpahh74

  • MD5

    1c83d3453f30072b8b830370b22ac6d0

  • SHA1

    4d99d5f2839cb191b95812403783aa7a428d4088

  • SHA256

    c9e415795841fbbb61ddf0191ba1d03a0554f2fcc6186da79bd0a4005008b359

  • SHA512

    518d55958f38896a714afc2ed0a7d53fdeef86385e1144b5084f14f5f9e0ea298bd7a08b48ebe6acb48b8a7c584068ce7f82f2b3df68c1bbe259e444ca9d1b45

  • SSDEEP

    12288:HTHm3xI4z242hQQgb7r51Qc1qrsfCzE3TN7flu5Zw+MaD:HTHm3xrUgb7Rqo6zKT5ln5aD

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      PerX.exe

    • Size

      700KB

    • MD5

      2a1a572771597d924ed145efaf4c77d6

    • SHA1

      0302a5986fadc56557018291003a2bc852fd0913

    • SHA256

      333ea334c1a637d1ef888771bf6542953d28f76c26487356ff2a94a971667c55

    • SHA512

      17560878ae608fe947220f0d640d72d51e7c607e238e8be7b9f19fc7d20a7dd631633c21f424629bb8f57963161d8226601308cf95ced86c7c178b64dd0302fc

    • SSDEEP

      12288:Ddm3xc4L24cmoS8c97WyggbpPYfBZpLnPO2Vmi1ZXA2m/jl+mixj2:Ddm3xX9ggbpcLP7A2gomOC

    • Modifies firewall policy service

    • Ramnit

      Ramnit is a versatile family whose variants include file-infecting viruses, worms, and banking Trojans.

    • Sality

      Sality is a backdoor and polymorphic file infector written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Target

      Scarletz.dll

    • Size

      44KB

    • MD5

      d6657152a962d3616bb217d1ed0d36f8

    • SHA1

      3eed106977fe7ef85476d6942e25a7f447919a21

    • SHA256

      967cd5507ec757106b12126a0679fbe7290af92041db787c18455e333f0ea8ec

    • SHA512

      5f5061f108d532a966376adf5a4ab5c7b04e644a77064915d8bc512c9f3d416a5d3d8adf8de3a86e5f472ed4423662799609d0672b11769bbdafaf621e07ed0b

    • SSDEEP

      768:aGmM0xoDvpJZkhyiJhqIcIZKOrG6CaNYx8OnfmO7:ahKdJKhyiSIaOr5NYLT

    • Score

      8/10
    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.
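The packer signatures above (UPX on PerX.exe, VMProtect on Scarletz.dll) are usually confirmed statically by reading the PE section table, because both packers give their sections distinctive default names. The Python below is an added example, not code from the sandbox or from this report: it parses the DOS header, follows e_lfanew to the PE signature, walks the COFF section table and flags UPX (UPX0/UPX1/UPX2 sections or the UPX! marker) and VMProtect (.vmp0/.vmp1/.vmp2 sections). The PE bytes it runs on are a minimal header-only image constructed in the code, not the samples from this report. Section names are a heuristic only; a repacked binary with renamed sections will not be caught, which is why the sandbox's own detectors remain the better source of truth.

```python
"""Static packer check by parsing the PE section table.

Added example, not part of the sandbox report. The sample PE images are
constructed in build_sample_pe() purely to exercise the parser offline.
"""
from __future__ import annotations

import struct

# Default section names used by the packers (heuristic, trivially renamed).
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
VMPROTECT_SECTIONS = {b".vmp0", b".vmp1", b".vmp2"}


def section_names(pe: bytes) -> list[bytes]:
    """Return the section names from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return names


def classify_packer(pe: bytes) -> dict:
    """Flag UPX / VMProtect based on section names (plus the UPX! marker for UPX)."""
    names = set(section_names(pe))
    return {
        "sections": sorted(n.decode("ascii", "replace") for n in names),
        "upx": bool(names & UPX_SECTIONS) or b"UPX!" in pe,
        "vmprotect": bool(names & VMPROTECT_SECTIONS),
    }


def build_sample_pe(names: list[bytes]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an
    empty optional header, and one 40-byte section header per name."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, no symbols, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    headers = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + headers


if __name__ == "__main__":
    for label, secs in (("upx-like", [b"UPX0", b"UPX1", b".rsrc"]),
                        ("vmp-like", [b".text", b".vmp0", b".vmp1"]),
                        ("plain", [b".text", b".data"])):
        print(label, classify_packer(build_sample_pe(secs)))
```

On a real file, replace build_sample_pe() with the file's bytes; the parser only needs the headers, so reading the first few kilobytes is enough for the section-name check, while the UPX! marker search wants the whole file.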

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                              Hits  ID
Initial Access        Replication Through Removable Media    1     T1091
Persistence           Modify Existing Service                1     T1031
Privilege Escalation  Bypass User Account Control            1     T1088
Defense Evasion       Modify Registry                        5     T1112
Defense Evasion       Bypass User Account Control            1     T1088
Defense Evasion       Disabling Security Tools               3     T1089
Discovery             System Information Discovery           2     T1082
Discovery             Query Registry                         1     T1012
Discovery             Peripheral Device Discovery            1     T1120
Lateral Movement      Replication Through Removable Media    1     T1091
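The matrix above maps the triggered signatures to ATT&CK v6 technique IDs. As an added example (not part of the report and not the sandbox's own rules), the Python below applies the same mapping to host telemetry: it takes Sysmon-style registry value-set (EventID 13) and file-create (EventID 11) events and tags the behaviours listed under the PerX.exe target (UAC disabled, firewall policy modified, Security Center notifications silenced, autorun.inf dropped on a non-system volume) with T1088, T1089, T1112 and T1091. The event lines are constructed in the code so it runs offline; the registry paths are the real Windows locations for those settings, while the process and file paths are made up.

```python
"""Tag Sysmon-like registry and file events with the ATT&CK v6 IDs used above.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
here in Sysmon's field naming (EventID 13 = registry value set, EventID 11 =
file create); the values are invented, the registry key paths are real.
"""
from __future__ import annotations

import json
import re

# (path pattern, value that indicates tampering, ATT&CK v6 ID, label)
REGISTRY_RULES = [
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "0",
     "T1088", "UAC disabled via EnableLUA=0"),
    (re.compile(r"\\FirewallPolicy\\(Standard|Domain|Public)Profile\\EnableFirewall$", re.I), "0",
     "T1089", "Windows Firewall profile disabled"),
    (re.compile(r"\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", re.I), "1",
     "T1089", "Security Center notifications disabled"),
]
# Any other write under the firewall policy key (e.g. an authorized-app entry).
FIREWALL_KEY = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
# autorun.inf written to the root of a volume other than C:.
AUTORUN = re.compile(r"^[A-BD-Z]:\\autorun\.inf$", re.I)


def _dword(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000000)'; reduce to a decimal string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return str(int(m.group(1), 16)) if m else details.strip()


def match_event(ev: dict) -> dict | None:
    """Return {technique, label, image} for a matching event, else None."""
    image = ev.get("Image")
    if ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        value = _dword(ev.get("Details", ""))
        for pat, bad, tid, label in REGISTRY_RULES:
            if pat.search(target) and value == bad:
                return {"technique": tid, "label": label, "image": image}
        if FIREWALL_KEY.search(target):
            return {"technique": "T1112", "label": "firewall policy registry modified", "image": image}
    if ev.get("EventID") == 11 and AUTORUN.match(ev.get("TargetFilename", "")):
        return {"technique": "T1091", "label": "autorun.inf dropped on non-system volume", "image": image}
    return None


def scan(lines: list[str]) -> list[dict]:
    """Run match_event over JSON lines and collect the hits in order."""
    hits = []
    for line in lines:
        hit = match_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (invented values, not taken from the sandbox run).
_IMG = "C:\\Users\\user\\PerX.exe"
_FW = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "Image": _IMG, "Details": "DWORD (0x00000000)",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"}),
    json.dumps({"EventID": 13, "Image": _IMG, "Details": "DWORD (0x00000000)",
                "TargetObject": _FW + "\\EnableFirewall"}),
    json.dumps({"EventID": 13, "Image": _IMG, "Details": _IMG + ":*:Enabled:ipsec",
                "TargetObject": _FW + "\\AuthorizedApplications\\List\\" + _IMG}),
    json.dumps({"EventID": 13, "Image": _IMG, "Details": "DWORD (0x00000001)",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify"}),
    json.dumps({"EventID": 11, "Image": _IMG, "TargetFilename": "E:\\autorun.inf"}),
    # Benign: explorer toggling a view setting, should not match.
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "Details": "DWORD (0x00000001)",
                "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["technique"], hit["label"], hit["image"])
```

The value checks matter: EnableLUA=1 or EnableFirewall=1 is a legitimate re-enable and is deliberately not flagged, while any other write under the firewall policy key still surfaces as T1112 so an added exception entry is not lost.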

Tasks