Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2024, 20:37

General

  • Target

    4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe

  • Size

    2.1MB

  • MD5

    7159b56159cb1e12a07b4341719ac689

  • SHA1

    21f3d0d30784fd6ab6e964f213894fb8f268b3e6

  • SHA256

    4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e

  • SHA512

    e6a0a450f435aa3395aa8fcda5174902f0fbbf48b034b8c1da7f49268d72753c4f6ea8e93a93eb1df4aa0b6d34fa0952c922c0b470b01f4e3b791f581841e641

  • SSDEEP

    24576:Y0QuuAo+kX8ADPTw7UAJ8nnSEO5c2Fg6Abasb79:VQ+ojX8A3wP8nnSvx0

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1204
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      1⤵
        PID:2096
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1352
          • C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe
            "C:\Users\Admin\AppData\Local\Temp\4be1e03600a78c64b6ee0fee7be031ec761818e9c171aa9f2508fc100a87100e.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1136
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://suggest.se.360.cn/sedoctor?ctype=se&cversion=
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1200
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          1⤵
            PID:1300

          Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                  Filesize

                  67KB

                  MD5

                  753df6889fd7410a2e9fe333da83a429

                  SHA1

                  3c425f16e8267186061dd48ac1c77c122962456e

                  SHA256

                  b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

                  SHA512

                  9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  ce3a64eaab2b185113e5ea5693606504

                  SHA1

                  363e46414383528424d661aba949f94184ec835e

                  SHA256

                  bdcc0c3c424c6cf5d564fe1430a1d9988e307e2b29fe53186cdbe4b3309fe055

                  SHA512

                  a5dca53e030e5a5a3c2976a23c037ea53376d299ed8288da8e62ae6fdaeddab3ee629354ac461521333ac7a6811b19d29a467e229dce9104815373e003abbce7

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  276cc802d711430f6d268b4f37cbb0f1

                  SHA1

                  5c4ec58074788e225d34883eef9fed938b0c4b93

                  SHA256

                  7ac023e79545cb4b27c1556aea3fb24a40062180fd14a2f9c0073fd813e0c423

                  SHA512

                  dcf7d93b1f5185f54c16f4d92c5ab7625a54ccdc66fa83c4d86e1332bf51f85adc3ac5dc2b5901ef316295754d399367a39fdfc73f5ded338d55f5608bc6e5af

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  726d6461f416fe936e2361a0489067eb

                  SHA1

                  2be47c52994e470527279fa9bdc14fdea61fa751

                  SHA256

                  f7e4e37ac5ce125eb4c149656aa27c019279d56f9998c611db5afb76ee001070

                  SHA512

                  9b3d1b22e68337097c2934487f359fbc311a2df19ac38ddad6d196d5492f1bcba7b1c1b659868c8414a9093e4232604da9453877488600a293f4819840ffc135

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  134b08c32be31d072b263ec2516ac469

                  SHA1

                  4e05f3ae9b7503da4ca83cb470c697fce76106e6

                  SHA256

                  d2b82e49fecf3674e95999205aee28e5e056087d90bfe076cb77ba3f66e94ee3

                  SHA512

                  f55591239f0f975c3dd40399a1be02325c4c206ddfdc07350ec87277b4182434adec9d3e8590a246c6482195af194952363b6326407c5322c9a65e9438740341

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  c288020ad00f45c05a230816964865d6

                  SHA1

                  e0118faa744a703c9cbd33adb6d7483836fb619e

                  SHA256

                  a2865e2231e6d6c69e944cf5988c3d567de2da0d7ba62cb1a35bb05aafa84b71

                  SHA512

                  0afda4c00339a2fffd3846e1eeee4a9fd73db9b18b2eae211449a6c9c3b2c7c3b6aeb46c6f6081b8b7ad73b64e798a7eddda5d3cb7d2cc9f8cfe721968a0a75e

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  15dac39cb94ce28bc856dea86c46e498

                  SHA1

                  39f31765b255fce1d6d0de35c3bad2896c564ed3

                  SHA256

                  0cb2c7f41e5679470bd5678ebbd2f8163eb3545c6dd86eba703c1647529801c8

                  SHA512

                  4701779680438783e06291bc4fa1ec33a4876470dd6bb9130a2fceee60b865859cce0e5bb9422afef62be27b1ec2ffc5fb4be4610a9521ad40b73a16c1f5aa15

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  7b9f1cad89c962ad466a139a07b50606

                  SHA1

                  59d3afac00ce0dd5ba660d45e71d053fc9f7be9b

                  SHA256

                  e1c2d10081e073e3d46c40ae975814f999feb4eabea589d4f2b36309d3033d4a

                  SHA512

                  95e1a34840783d140202dae8a784fdf8982e6c9f15f0c85a5829857ccaea76dc4017312b12c8e9f403fccfb5e48269e578e288799bbebf287108e0fde517ae63

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  9a8f78825a1bc80d49586860ce0390b9

                  SHA1

                  649092cee2f9557eb77ce7d472297a5eb7a38564

                  SHA256

                  8abb79449c0273b9db061b3c603d537c841c2fc67d7299f1f3041ef6ca59e0ee

                  SHA512

                  eb54e3c0ad1f4a0579b1e97789a1b126354a8528660a14e5c8fd6fea9a34cb83e1858403fa57394d803bf9782628f344fe5357963963a59ef95bfe6134c083bf

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  9b53c44b6be9753529160a339542b53d

                  SHA1

                  fcf017234d5aed863807b140eef44e5977c57107

                  SHA256

                  820bd192d1d92ddd0372ea2d737058fd688b4dee8d61c8129b75f6f16db31d8c

                  SHA512

                  7efccd327acc0629110f8cb0b5720b42ff9dbcac36a7d6fc28bfaa0fe0908b324ac4da0a92be74970447f398dead48d4cd8f164d3cdb74bc30a3d23e1b13f2e2

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  02ad3cc7de8793d6c06759190834aa44

                  SHA1

                  f93087a702a84f67c27f9f7f8ebb964c82aa3952

                  SHA256

                  6500f40315c6676676db9116f048c5ff75f74d6ec2d049adf4498cb59980497b

                  SHA512

                  70b5c5e374cbb4a71f7db904934ab65afe3cb29a78c29466c00256e45005e2062ece1570e855aaf68a79b346e8050869611724913cf7ea8ec4e4650338286ece

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  59406ed4563e7087185239952ad8d909

                  SHA1

                  39a43a2712f4c6f56932a0cddfb5d6d4c4a96846

                  SHA256

                  6e901ce3e4c890e28391993840886c02e7dac64fde2828baf3eadbc2f23ea296

                  SHA512

                  01f76f9dfba0f3b207dc761cc83dabe24bdee9819680d8308c71413cb73cc8b149c40e354377092affb96e0ba42f34e2fbb5e961d60226d374b7ebb9a2e56055

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  4ba8bcb5dd7132152d9219083cc7b4a7

                  SHA1

                  d4dd2f846e81111d00af9b859fedf9fded705a68

                  SHA256

                  fc06c4375a1e486c505844e009c4276bdc172e77a80b253999d32d1d2a2ab17a

                  SHA512

                  68f867e0bee780a0e2e248bd986f8bc8d7634db9f0d2eea6b87ce4f8de558e840a4b337296f15ed1b325b61346343e510a168ea11816ac84e2d94f72efc13e91

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  5a19fb673fffb8b465eed1ef9ead8e68

                  SHA1

                  2a51b55a40b9f4f7688c698ed3caf602eeb25309

                  SHA256

                  e970f9092f544931502ef71664982418b67cfe8a9abb78d8ac38f288553bd7da

                  SHA512

                  54d7df1f5ed20f1fe4f6c8e711e96ccb47305c35a7c566c82fa5bc33a4fbe170f921103aa9a5c79925f07c242d40539784c4658840536613c43fdcf426a1b5ab

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  4ca8cd65f95377a3317c19b675ebaa42

                  SHA1

                  c8b7c9afdd90892821a87f05329640fce9afcd64

                  SHA256

                  6afbe1fbcb7e6108ad135a2e00d6b53014f3cedf949ee4a8c3bc5d70cc1a2906

                  SHA512

                  f53b502c071041ce30c0d85b62b9f0a8bc7d31c9b9ac6364222417e32222cfbabcfe0d761b10067d7515bc3124cf20a39f64e09f49e7b7428e3a8f7c67c50d8f

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  cb8426071e75e8e7b35fc4c8da142b22

                  SHA1

                  c82e25ad5d472d1c5e0d955fd3ea61189593c7bd

                  SHA256

                  8c3bb4ce58e62ac45dd7b0531ad95087eeaa969571dc6032f74cdaafeb13f082

                  SHA512

                  93b105abc4a2fd01b3ba949f9002e8e723c46794e6f3608b11b698af1c64a318c6fbaa5ac4a16fac32610b341c737bc159920496b368763e3ce9f57050c68d4c

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  70bf282d99411970bb0a6bc36dbaf229

                  SHA1

                  bcb8576268f8c35eb81e636730be7258c6526497

                  SHA256

                  e31d3b4d21e9d075919c6b72458465959c2eb7002b25e6c1aa6c6c2ac3e3abca

                  SHA512

                  c2a2c1df69b66a89dfb1456dd60ad534909b1205dba621e154d2cdd1980a4315acfb069a0cbb8d06a5548fa5bddad52e2ea010e34a0ca6ca2437aee210a89709

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  344B

                  MD5

                  0f9a9d9995276bf0c5c6fbda3c50c379

                  SHA1

                  d25e0f01e9fbedf33084fe3159ce89bc76144c87

                  SHA256

                  27c3504f537bc68edb4db3d19cd3c17990e1f98578e3f939f59c70df76025ff4

                  SHA512

                  c73d6cce85d3416c4be0cefc62770d6952a15873ac3db5b50847f390fae9d40887ebc093ad1eb3f792de5fe379ce2bd8f26829091bf1b2828fb698c7238fd8d9

                • C:\Users\Admin\AppData\Local\Temp\Cab7BF6.tmp

                  Filesize

                  65KB

                  MD5

                  ac05d27423a85adc1622c714f2cb6184

                  SHA1

                  b0fe2b1abddb97837ea0195be70ab2ff14d43198

                  SHA256

                  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                  SHA512

                  6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                • C:\Users\Admin\AppData\Local\Temp\Tar7DF1.tmp

                  Filesize

                  175KB

                  MD5

                  dd73cead4b93366cf3465c8cd32e2796

                  SHA1

                  74546226dfe9ceb8184651e920d1dbfb432b314e

                  SHA256

                  a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

                  SHA512

                  ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

                • memory/1136-31-0x0000000004570000-0x0000000004572000-memory.dmp

                  Filesize

                  8KB

                • memory/1136-63-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-0-0x0000000000400000-0x0000000000506000-memory.dmp

                  Filesize

                  1.0MB

                • memory/1136-34-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-33-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-32-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-21-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-25-0x0000000004580000-0x0000000004581000-memory.dmp

                  Filesize

                  4KB

                • memory/1136-70-0x00000000002D0000-0x00000000002D1000-memory.dmp

                  Filesize

                  4KB

                • memory/1136-30-0x0000000004580000-0x0000000004581000-memory.dmp

                  Filesize

                  4KB

                • memory/1136-24-0x0000000004570000-0x0000000004572000-memory.dmp

                  Filesize

                  8KB

                • memory/1136-26-0x0000000004570000-0x0000000004572000-memory.dmp

                  Filesize

                  8KB

                • memory/1136-28-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-13-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-8-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-1-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-5-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-3-0x0000000002350000-0x000000000340A000-memory.dmp

                  Filesize

                  16.7MB

                • memory/1136-4-0x00000000002D0000-0x00000000002D1000-memory.dmp

                  Filesize

                  4KB

                • memory/1204-6-0x0000000000210000-0x0000000000212000-memory.dmp

                  Filesize

                  8KB