Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2024, 23:49

General

  • Target

    ad2be454b3e9aaba81d90b6f64795dbf.exe

  • Size

    480KB

  • MD5

    ad2be454b3e9aaba81d90b6f64795dbf

  • SHA1

    a2cfadc5bc40949ecfbfdb7588c1516287453ada

  • SHA256

    99143f9b1d2b1df8e72c429599f9b0d6a894996c1f644c85555c135729969190

  • SHA512

    341a072c54fc2fbab78da29c9da433c4eb238e763d3db0a345be3e3a9b6a59f13a781c9f478df8a0b0544e71783e15580d76f9de1f0652efe77f4c705189a487

  • SSDEEP

    6144:GoY4G6cWDIn7hB8juQ1SO1qV37xBNNwRbmFSEBNvrywyn74gG8wBEuahPxWovh5:9Y4G6Fy8jR1m37xBNeRYbT8MMhlv

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Users\Admin\AppData\Local\Temp\ad2be454b3e9aaba81d90b6f64795dbf.exe
      "C:\Users\Admin\AppData\Local\Temp\ad2be454b3e9aaba81d90b6f64795dbf.exe"
      1⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2452

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1100-5-0x00000000002D0000-0x00000000002D2000-memory.dmp

            Filesize

            8KB

          • memory/2452-0-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB

          • memory/2452-1-0x0000000002020000-0x00000000030DA000-memory.dmp

            Filesize

            16.7MB

          • memory/2452-3-0x0000000002020000-0x00000000030DA000-memory.dmp

            Filesize

            16.7MB

          • memory/2452-4-0x0000000002020000-0x00000000030DA000-memory.dmp

            Filesize

            16.7MB

          • memory/2452-6-0x0000000002020000-0x00000000030DA000-memory.dmp

            Filesize

            16.7MB

          • memory/2452-11-0x0000000000400000-0x000000000047C000-memory.dmp

            Filesize

            496KB