Analysis
-
max time kernel
120s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 21:40
General
-
Target
9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe
-
Size
132KB
-
MD5
8bd5d568d369a2879c839bdab44f29b9
-
SHA1
214e2e43c691751bc058e2b2db8eb02066c86505
-
SHA256
9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930
-
SHA512
e486f6758391034ec3461efd6d3b1e35425dfa4facd0a5633cbc706899afc7926754d127b86135c3bf2887e1b45c8fbc6e90344958609ad9eb64d35c02fc5daa
-
SSDEEP
3072:fftffhJCuEmUBCSjGoLpmSTLd4W1CV9uymmH2Ri/:HVfhgujiXxfdA9Pm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 2 IoCs
-
UPX dump on OEP (original entry point) 3 IoCs
-
Deletes itself 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe"C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$a9EFD.bat2⤵
- Deletes itself
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$$a9EFD.batFilesize
722B
MD59d677c9ab2594116efe24f25c59c80e2
SHA156b8468029bb0874d80af27b9c9a460bea000a95
SHA25651fa40b9fe9df36c891bec03100d6e30460c80f557a5261d4f4a9b916dd72479
SHA512b75dc0ecbd88067e6f00a187f1fa12e1cf9d3a68a083a0af39e3e24632e4679ce14ce4b9b1a125b62fb1a39fc1cd8496bdd3ade184e99a002e1326106dda0fae
-
C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe.exeFilesize
105KB
MD5a5e228e5d234a4f52917056191c3f20e
SHA1e7c3d31c4fc8d61491e78e918ad837262a6a2ce7
SHA25603bffa2faa622e0f285400d8adccf7480052cb2a4f334b88de895dec5b1eb08a
SHA512b35a1f87f056c71ba783e7196161e265fca9970833b02d90fc2bda2436ca78a20dde05e6dba6c4fa8c26fd25229bf4be311f333cf05b42df6ed5c8fd5346f13f
-
memory/2552-50-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/3056-0-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB
-
memory/3056-1-0x0000000000650000-0x00000000016DE000-memory.dmpFilesize
16.6MB
-
memory/3056-13-0x0000000000650000-0x00000000016DE000-memory.dmpFilesize
16.6MB
-
memory/3056-16-0x0000000000400000-0x0000000000447000-memory.dmpFilesize
284KB