Analysis
-
max time kernel
25s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 00:53
General
-
Target
bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe
-
Size
292KB
-
MD5
71849dbf584ce55ae3c22785deab0140
-
SHA1
0c1625163f6c21b0557c579d1d89c31d697aa7f7
-
SHA256
bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568
-
SHA512
d976e515c7d1c8494715504b16c5680990a3366f90dd3254c03a694a9ae57a3ee381437c8f122163f00a94ca30c2458f707416d820195ee43ba80c2e7184f019
-
SSDEEP
6144:0vEF2U+T6i5LirrllHy4HUcMQY6NdgykIduVr/GASXET7:mEFN+T5xYrllrU7QY6NLkIo6A97
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 26 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe"C:\Users\Admin\AppData\Local\Temp\bd430b7202501bb717de216735f9f4ee6ad95457b388ae24046eb8186f1c9568.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 00:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 00:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\mrsys.exeFilesize
292KB
MD5c0c79891d0a2c5d66a9ac028dfd720f0
SHA1f74be50152ce89f2e876bef78e819fcfc93d49e8
SHA2568d5937beecd70013efcd090808a70bc0c8260a7bf3d311cf12f20ecadcd85fb3
SHA512294a8633955981bd00c05fa2bbf88c920b60dc2f209514efd73fba346ae7943abc8073eeb0ff8a6fffbf77f5e6a88cf3db5b075f4385deba5004358eb1e92122
-
C:\Windows\SYSTEM.INIFilesize
257B
MD57f32a176e13af3e588fdafe89696fa87
SHA10f7dcff863c47bbf1fa153c46614484a58b03a26
SHA256c03d37d1af94a97f03943c021f6fb9b47bcea5f6ac561f01afab9b1f85edcbdc
SHA5129811eb98877442d3441ee4902515f8c93297b954f44f0ee71438bd770221fd5a88374e832baf6a1f77e6ffcee5c6b1c8a77aaf278bf9b9f3e720062312529c98
-
C:\Windows\system\explorer.exeFilesize
292KB
MD5932b9d59d934c480182dcac7df7bf016
SHA19c865f0ed29e7c8b9591389124be52af09c154d8
SHA2567f3fa5466356acf98806d34b6a6a2e93066098aadac577c25e5820462f9d0251
SHA5122259e6f8dc66d85614cabfa2b51256c536b9ceac27173f4018e4b2b8edd5edf5e0bf701a51e0a85978e4e5d80a86ec6e5a94903f9caaf252f10aaefe69122105
-
C:\Windows\system\svchost.exeFilesize
292KB
MD58d343c50d7fe4035124f59d07ed2a680
SHA1fab1531a51d5c5fea46624308637518947f78df7
SHA2560af1bd43a29fa9e4250a79bce5f14c0f0e33951d76895da1c8455086234d6aeb
SHA512f18c7d745aadb0ec0fe7e1c0f84cd5fb0d94362e0439d4a63a901a7221a116451912c8cd7a1c86df8358af15ac801ca9f806a74ee240fd9feac3639e9861ab94
-
C:\fxurod.exeFilesize
100KB
MD5aad6f36b60e648f6ccda4021d2734af0
SHA13301596e6b081effb94e59af00b91bbb529e6487
SHA25679348d4560cbe661828effcc7b9a6184e8e2711c84dc06ba2eef48372e935555
SHA512c60e1d72cefc60d0f28463d6291034e036d18d5f5190935fc497ab48e6d885a331296b60b891db57ab0825ec3c902d6172042080039cd2b503263bb5d18ac591
-
\Windows\system\spoolsv.exeFilesize
292KB
MD54793334d15bd73fb086bdd69e832da91
SHA171f11749d1e3cff7b12990083f0f58681207fe50
SHA256d941e90ae293126541ff2907bf536b415fe213c3e49babddcdf0dce567926287
SHA5124d91873bf8403a8998c1d7eadba697b204d174dcf52139a84ce1cb5366980522db0751209ab61740dbbe07d8be1c3b12853ca17f767a81f8aa4a527ad7f10805
-
memory/848-73-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-79-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-10-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-29-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/848-3-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-28-0x0000000004790000-0x00000000047D2000-memory.dmpFilesize
264KB
-
memory/848-18-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-26-0x0000000004790000-0x00000000047D2000-memory.dmpFilesize
264KB
-
memory/848-33-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-39-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/848-36-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-43-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/848-44-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-1-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-42-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/848-6-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-104-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/848-52-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-8-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-91-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-57-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-0-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/848-94-0x0000000004500000-0x0000000004502000-memory.dmpFilesize
8KB
-
memory/848-13-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/848-82-0x00000000024E0000-0x000000000356E000-memory.dmpFilesize
16.6MB
-
memory/1128-9-0x0000000001D90000-0x0000000001D92000-memory.dmpFilesize
8KB
-
memory/2288-125-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-110-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-117-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-201-0x0000000002500000-0x0000000002502000-memory.dmpFilesize
8KB
-
memory/2288-164-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-107-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-136-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/2288-109-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-120-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-113-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2288-133-0x0000000002500000-0x0000000002502000-memory.dmpFilesize
8KB
-
memory/2288-128-0x00000000033F0000-0x000000000447E000-memory.dmpFilesize
16.6MB
-
memory/2588-88-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2588-64-0x0000000002580000-0x00000000025C2000-memory.dmpFilesize
264KB
-
memory/2588-55-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2592-124-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2592-30-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2592-53-0x0000000002D90000-0x0000000002DD2000-memory.dmpFilesize
264KB
-
memory/2592-185-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2592-122-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2648-85-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2648-78-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB