Analysis

  • max time kernel
    127s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    19/02/2024, 21:36

General

  • Target

    808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe

  • Size

    185KB

  • MD5

    f92de49a96b1bde10d1442ebbc5cf47d

  • SHA1

    90ae669123d835cb79c5a964638efb9cfb58db47

  • SHA256

    808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534

  • SHA512

    b641e55fd4d69d46a15bcf69a63d990f508fe0f82cfd785383a03184c47eac5b13a01b54b6071dc21b701dc6b788cb5dadf5e4c2cdc3d3703993c801ebd8ca1f

  • SSDEEP

    3072:rajIMvS5ujzAYWjtAed6TC+cweppRKWyXZEv5HZfKvkTRUsVnAiB0eyk390CO:rAr6ojE1iWRcZEvrfKuUsbCkN0CO

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1192
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1248
          • C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe
            "C:\Users\Admin\AppData\Local\Temp\808f3bf017a4aabc93fc4079a7ec76164d3d1c1db6d06b6cf741323649d4c534.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2216
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.douyin.com/?ug_source=yd_tbbg
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2876
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2620
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1476

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

                  Filesize

                  914B

                  MD5

                  e4a68ac854ac5242460afd72481b2a44

                  SHA1

                  df3c24f9bfd666761b268073fe06d1cc8d4f82a4

                  SHA256

                  cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

                  SHA512

                  5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

                  Filesize

                  1KB

                  MD5

                  a266bb7dcc38a562631361bbf61dd11b

                  SHA1

                  3b1efd3a66ea28b16697394703a72ca340a05bd5

                  SHA256

                  df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                  SHA512

                  0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

                  Filesize

                  252B

                  MD5

                  2e330a5851266c39f7b645bea192f39a

                  SHA1

                  2ab668aa835c939ac5625a800390e2358c4cba64

                  SHA256

                  bc401eb4b3497b71a586246247ed3afd0550faba7c0f81307e68448f9639d8dd

                  SHA512

                  c1c23c693b85a27e7aaf3277ff215d7c5c9f4e8bff6612d4f3d69dc0742aa014f24e273aa639d23f835f51182847f0c4289e75f2c2eae5f38982d507930a0973

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  dae67e5ed4d7ba5e85eaac3ea579e4d7

                  SHA1

                  a62405079c275be4e223b9f9e90f5231ed7a24e5

                  SHA256

                  ad11c75d2f4dae27920e7fd6507f857b38721e911102fd255f318cd6474d7261

                  SHA512

                  075b45cf8e701c4344756feeb4501e54bb36a904935c8ea8841bb47f39c06cbfb4a8854993e07413df140996e7afafc07a1cec13358a4a86403d201b69cc0458

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  59beb8217ad3ed162fef324ba56d1615

                  SHA1

                  28b991158917489954baa72461080c4ec235bc30

                  SHA256

                  cdd5ced73364117f7cb4bb5d2e5e1d7fd7f3771a62ddd6dd8c5eafebc387c0f1

                  SHA512

                  f1b766f6b95ce8571edf2d33193bf0fb109c22f189f44c81274ec068a4262af1b685f3b3aae6c9807269795b6ff4e998fd95f0adf4851c104e4ff00cfb373453

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  cb267e3ebade0dd6fea690e62790993b

                  SHA1

                  7dfbec4aad00b7d6a9a75b225a296cdd55a31ea1

                  SHA256

                  7a1db2e47d8a5b5319513d16b999c7e4f2fa777a631cf28de4e4d6252b9ae8f6

                  SHA512

                  4de4c1776b26d72374e408bc157211a0859e58c8ff73c76c9eb7d0d48023c77cba9e7ac66a62aecd5a1b79760c29abfffbf249392aef212f046294f6e503566d

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  fb859fe384d7877d5b04c8d073343b5b

                  SHA1

                  9ca170cff0c8f1150c5a36a08d2ff617a7cc0b5f

                  SHA256

                  113d233a469a8d24ea6c7eada708ce18086f175e2adb5616c48fdec93dc16e7a

                  SHA512

                  eb75848b39c2a99511ed7cc4d91df1ad228b31d3e5e13f8ba20e5c023cb683f01692fa671ce6380a1f4df804d9424321357d196c6bb75899a82f6c0e08cca5ae

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  94f873f1b26c49ee61e218f69fe79dea

                  SHA1

                  2496d3709f7642b2e10b68d5af91cd1132980a5f

                  SHA256

                  6326ea945102f57568c1173287f9af77d43b97f3559f5e132ed1cb9d85830046

                  SHA512

                  658f7594da0f62d477e53f006cedebd5c36d7129243447f7080f9fec4d332218600d75e3b2d5121dcbef1fa178a17e621ae0798ac10a61ee1f2c5d4c68ad920a

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  fc00071dcad7fcd367658bb5f9e484a5

                  SHA1

                  2b184abddbae45410f2b911a22da57539f721871

                  SHA256

                  c223527fb9a6ff757c7c63bd096bbc0131c1c11c5cccecb7dfd85e6f6a023e8a

                  SHA512

                  f742c0fd3ba05fd7447256eb1e8797ec6a364f91c0ae97f5df97072a3bafdfb847c10a4581982fd05dc932cd84511ce9c1c986097a87c07d4a4fe904e26bbef3

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  92f0a951fe4cd8b028a42447bac60f4d

                  SHA1

                  d732077faf6f200027e2412a747b94246b714d58

                  SHA256

                  e1e716c5b42164b1a7db6979c9c04af939754f467f03ea054e7c7a03450ced1a

                  SHA512

                  cc0d13ea8febaab609391b59889a607c5ff67f483112643e98a4ece274734a4812ba755814043870b20551f8537e078986a0a66bb864af8022814e629c67b7b7

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  9450e6ca888cc3e2bdf04934f9e2f8bc

                  SHA1

                  e70096bb0fd06b1162950bc4b9e1f1abced1006b

                  SHA256

                  e34906606758572a78db9af33a71210d5b8c0252744496ad20870e8c3188ab94

                  SHA512

                  8e5939c4e4d6f1c6186b481fd3f194c9a77610521f291e75f7005509deb55c6da0e7429f404e90077987ab6b6c98e999ce7349a2415722981fbaed7ba9d22cf3

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

                  Filesize

                  242B

                  MD5

                  e52d60aa4883fb54d8cde90b4aad8c0d

                  SHA1

                  10d8a0856a4247e37f8075a1cad4d16a97ba9bed

                  SHA256

                  86f5c9ff1e5bb9750cba929e33e4963d0b89829c3a93d014976614a76822ceaa

                  SHA512

                  e045af6c84888717b8455d37af3a5a5e1358330cf78a306a787565391a703981e73b59de1806b9b174f659b122a7a4c167e2efc1d30b5a07858784ff0a4b3156

                • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f9yyw0t\imagestore.dat

                  Filesize

                  4KB

                  MD5

                  fbb57f3aeaa36f809b796b4e64f78c37

                  SHA1

                  f897c702f8445cf6383c5b0a5cbd1bba6da3fbab

                  SHA256

                  4f65e4a9ed1068171cbe5d67933eb6d6c47c36dcda0c35594c388b72df6ecf2d

                  SHA512

                  211537310a8c3bdd114b3fc937b3dc774244b070daddad84e86dc3053d50e889460c116e5255c2c5f97a621307e0ed56feb8558939e57b6b635097b6ba2babe8

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YV6H14B0\favicon[1].ico

                  Filesize

                  4KB

                  MD5

                  f8311db859d25e29264e23db6fea5663

                  SHA1

                  5e8172fc205457f01a291e044dc8a25c77ece7eb

                  SHA256

                  e67348e3ab54fa207e1ce4be78e8399d1b73a794d819a17d8656ea2b17a1109d

                  SHA512

                  2b2907d45fb96c3e312a1e074b7366fe671244e76e46d12493e2c35f6e31d1d8361360a154be7b6be046028ca949800e180e96b1e136fb7fb83c1f6662183bb5

                • C:\Users\Admin\AppData\Local\Temp\Cab5CA2.tmp

                  Filesize

                  65KB

                  MD5

                  ac05d27423a85adc1622c714f2cb6184

                  SHA1

                  b0fe2b1abddb97837ea0195be70ab2ff14d43198

                  SHA256

                  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                  SHA512

                  6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                • C:\Users\Admin\AppData\Local\Temp\Tar4403.tmp

                  Filesize

                  171KB

                  MD5

                  9c0c641c06238516f27941aa1166d427

                  SHA1

                  64cd549fb8cf014fcd9312aa7a5b023847b6c977

                  SHA256

                  4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                  SHA512

                  936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                • memory/1120-5-0x0000000001D00000-0x0000000001D02000-memory.dmp

                  Filesize

                  8KB

                • memory/2216-15-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-20-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-34-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-46-0x0000000000400000-0x0000000000430000-memory.dmp

                  Filesize

                  192KB

                • memory/2216-31-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-30-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-25-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-21-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-24-0x0000000000710000-0x0000000000712000-memory.dmp

                  Filesize

                  8KB

                • memory/2216-36-0x0000000000710000-0x0000000000712000-memory.dmp

                  Filesize

                  8KB

                • memory/2216-18-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-19-0x0000000003090000-0x0000000003091000-memory.dmp

                  Filesize

                  4KB

                • memory/2216-0-0x0000000000400000-0x0000000000430000-memory.dmp

                  Filesize

                  192KB

                • memory/2216-16-0x0000000003090000-0x0000000003091000-memory.dmp

                  Filesize

                  4KB

                • memory/2216-11-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-14-0x0000000000710000-0x0000000000712000-memory.dmp

                  Filesize

                  8KB

                • memory/2216-7-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-4-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-3-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/2216-1-0x0000000001E50000-0x0000000002F0A000-memory.dmp

                  Filesize

                  16.7MB