Analysis

  • max time kernel
    124s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/02/2024, 21:45

General

  • Target

    73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe

  • Size

    3.0MB

  • MD5

    a4d8ae019f013517c7557012dba59dc6

  • SHA1

    43b595ed13b1fe31dcd57f65689d7d89db524953

  • SHA256

    73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232

  • SHA512

    ec470ed69989f656d967bd5b025dc7fb59cc0381b238568a63f844a1c114e9448727431317dfb6a4170bea2ff54faea95d9d15e296ff02f8486f50767c00d945

  • SSDEEP

    49152:RBwpxPJg7JW4jhzQpxSlDvZajSiOWJ40PCLdt5bqUl33kwpPN:RBwpxhg7JW4NkpqiOWJ4PLdTqUxV

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif
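The four C2 URLs above are the indicators most teams will want to sweep first. The following is an added example, not part of the sandbox report, that matches them against proxy-log lines. It matches on host as well as on URL path, so a request for any object under the `http://89.119.67.154/testo5/` directory counts as an exact hit, while a request to the same host for another path is reported as a host-only hit. The squid-style log format (epoch time, client IP, method, URL, status) and the log lines themselves are constructed for the example.

```python
"""
Added example (not part of the report): match the Sality C2 URLs extracted
above against proxy-log lines, reporting 'exact' when the URL is a C2 URL
(or lies under a C2 directory) and 'host' when only the host matches.
"""
from urllib.parse import urlparse

# The four C2 URLs from the extracted config above.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
]


def build_indicators(urls):
    """Return (hosts, prefixes): the set of C2 hosts and a list of
    (host, path) pairs used for path matching."""
    hosts = set()
    prefixes = []
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        hosts.add(host)
        prefixes.append((host, p.path or "/"))
    return hosts, prefixes


def classify_url(url, hosts, prefixes):
    """'exact' if the URL equals a C2 URL or sits under a C2 directory,
    'host' if only the host matches, None otherwise."""
    p = urlparse(url)
    host = (p.hostname or "").lower()   # urlparse lowercases hostnames
    if host not in hosts:
        return None
    path = p.path or "/"
    for h, c2_path in prefixes:
        if h != host:
            continue
        if path == c2_path or (c2_path.endswith("/") and path.startswith(c2_path)):
            return "exact"
    return "host"


def scan_proxy_log(text, urls=C2_URLS):
    """Scan squid-style lines 'epoch client method url status' and return
    a list of (line_number, verdict, url) for every line whose URL matches
    a C2 host. Lines with fewer than four fields are skipped."""
    hosts, prefixes = build_indicators(urls)
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        verdict = classify_url(url, hosts, prefixes)
        if verdict:
            hits.append((n, verdict, url))
    return hits


# Constructed sample log (not from the sandbox run). Only the format is
# assumed: epoch time, client IP, method, URL, status.
SAMPLE_LOG = """\
1708378000.123 10.0.0.5 GET http://www.example.com/index.html 200
1708378001.456 10.0.0.7 GET http://89.119.67.154/testo5/?id=1 404
1708378002.789 10.0.0.7 GET http://KUKUTRUSTNET777.info/home.gif 200
1708378003.001 10.0.0.9 GET http://kukutrustnet888.info/other.bin 200
1708378004.222 10.0.0.5 GET http://89.119.67.154/unrelated/ 200
"""

if __name__ == "__main__":
    for n, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:5s} {url}")
```

A host-only hit on one of the kukutrustnet domains is still worth an alert: nothing legitimate has a reason to talk to them. The IP-based C2 is different, since an address can be reassigned, so treat host-only hits on 89.119.67.154 as leads rather than confirmations.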

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 31 IoCs

    Detects executables packed with UPX or with a modified build of the UPX open-source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 1 IoCs
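The "Drops autorun.inf file" and "Enumerates connected drives" signatures describe the classic removable-media spreading pattern: the sample writes an executable to a drive root (here F:\nidi.pif appears among the dropped files) and an autorun.inf that launches it. The following is an added example, not part of the report or the sandbox's own detection logic, that parses an autorun.inf tolerantly and flags launch entries pointing at an executable. The sample autorun.inf is constructed for the example; only its target name is borrowed from the dropped-file list.

```python
"""
Added example (not part of the report): tolerant autorun.inf parser that
flags launch entries (open=, shellexecute=, shell\\<verb>\\command=) whose
target has an executable extension. The sample file is constructed; the
target name nidi.pif is taken from the dropped file F:\\nidi.pif above.
"""
import os

# Keys under [autorun] that make Windows start a program.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTENSIONS = (".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".lnk")


def parse_autorun(text):
    """Return an ordered list of (key, value) from the [autorun] section.
    Comment lines and lines without '=' are ignored, so padding lines that
    malware sometimes inserts do not stop the parse."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def is_launch_key(key):
    """open=, shellexecute= and shell\\<verb>\\command= all launch a program."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def first_token(value):
    """Program path from a command value: a quoted path or the first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(text):
    """(key, target) for every launch entry in the [autorun] section."""
    return [(key, first_token(value))
            for key, value in parse_autorun(text) if is_launch_key(key)]


def suspicious_targets(text):
    """Sorted, de-duplicated launch targets with an executable extension."""
    found = {t for _, t in launch_targets(text)
             if t.lower().endswith(EXEC_EXTENSIONS)}
    return sorted(found)


def scan_volume(root):
    """Read <root>/autorun.inf if present and return its suspicious targets,
    or None when the volume has no autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return suspicious_targets(fh.read())


# Constructed sample. Mixed case, a comment, a quoted command with an
# argument and a junk line are included to exercise the parser.
SAMPLE_AUTORUN = """\
[AutoRun]
; constructed for the example
open=nidi.pif
shell\\open\\Command="nidi.pif" /s
shell\\explore\\command=nidi.pif
icon=%SystemRoot%\\system32\\SHELL32.dll,4
UseAutoPlay=1
random padding line with no equals sign
"""

if __name__ == "__main__":
    print(suspicious_targets(SAMPLE_AUTORUN))
```

Run `scan_volume("F:\\")` (or the mount point of any removable drive) on a suspect host to apply the same check to a real volume. An empty result does not clear the drive, since Sality also infects existing executables; it only tells you whether the autorun vector is present.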

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1184
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1276
        • C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe
          "C:\Users\Admin\AppData\Local\Temp\73b9580896eeb0939c0f22268b0dc37268b2abd1516a7d0c4a9abbd8a5061232.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1972
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1116
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2240

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Program Files (x86)\Common Files\WanNengSoftManager\WanNengSoftManager.ini

                  Filesize

                  186B

                  MD5

                  2e3de2fbdda5f9c6fb1cb9ad979fa705

                  SHA1

                  f6217c1f8bb9b781084080964008bc93cde4f38a

                  SHA256

                  4061506aa6b8964bbec32ad56a28195406ef195992c8d803e5c566f148ab7a15

                  SHA512

                  f0129b17e1ee25eadf893046b341be6fb4700954e525853f9ee24b55f40f239064aa5ba0c3a26c9c18ab9772fe38c7da3efe4dd2874caf0a7298e511d1e20c97

                • C:\Users\Admin\AppData\LocalLow\WanNengSoftManager\SoftConfig\SoftUse.ini

                  Filesize

                  159B

                  MD5

                  935dd010c805e3a609a202c8b202a853

                  SHA1

                  c380af9715484890920b82d3ce9a5fb6ef1ae83c

                  SHA256

                  29a531843cc3497d214e9aa87640a1bb12793b3e0ae4cf9699548e5f865c9ce4

                  SHA512

                  c303e4dab82fc1a0466df832f588a2db724a4cf1aa600ee34fe618573d81c45b97771b2ad48b25a1115845112b85292ce073729076e208f93c9b5b27de047681

                • C:\Users\Admin\AppData\Local\Temp\WanNengSoftManager.ini

                  Filesize

                  271B

                  MD5

                  2c02d3dae92d830859464ece8df2d54e

                  SHA1

                  9507c9b9cdb7b0068bc98712e3ef615816a63ee4

                  SHA256

                  373b9f2263ce2c9c0442ee53274ecb7cb985ebf8c46ce6ccbe3c24859cc6e3fd

                  SHA512

                  febd3ca050d64781ab742106f1453b0228a44188b69cdec85e5542ce0eb4010f603867df0b8129144b815f72a320e5d4947492b52956c1daf7709ff638c0dfae

                • F:\nidi.pif

                  Filesize

                  45KB

                  MD5

                  2e561a6c0df02589b36ac975229d5063

                  SHA1

                  31f709f6d3f22b852c5e196f060c54991e63c8d6

                  SHA256

                  f61d8016131a8b2ef8e58703cc4056eac6accb042719a1eef1f708443dd4a3b2

                  SHA512

                  8ae5f10165a273fc0ee10809c427c975210b09189a2a54aff0d623f4c080df0b48a1d032cc9db4eb9441a520a613ae5814878c1415d8b741c98c86b7ba39e9e5

                • memory/1116-14-0x0000000001BC0000-0x0000000001BC2000-memory.dmp

                  Filesize

                  8KB

                • memory/1972-41-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-46-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-15-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-18-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-25-0x0000000000D00000-0x0000000000D02000-memory.dmp

                  Filesize

                  8KB

                • memory/1972-23-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-30-0x0000000000D10000-0x0000000000D11000-memory.dmp

                  Filesize

                  4KB

                • memory/1972-33-0x0000000000D00000-0x0000000000D02000-memory.dmp

                  Filesize

                  8KB

                • memory/1972-31-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-35-0x0000000000D10000-0x0000000000D11000-memory.dmp

                  Filesize

                  4KB

                • memory/1972-36-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-37-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-38-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-39-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-40-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-0-0x0000000000400000-0x00000000006FE000-memory.dmp

                  Filesize

                  3.0MB

                • memory/1972-42-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-44-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-45-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-13-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-48-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-50-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-57-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-59-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-61-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-64-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-67-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-69-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-71-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-73-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-75-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-77-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-97-0x0000000000D00000-0x0000000000D02000-memory.dmp

                  Filesize

                  8KB

                • memory/1972-12-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-3-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-11-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1972-1-0x0000000002210000-0x00000000032CA000-memory.dmp

                  Filesize

                  16.7MB