Analysis
-
max time kernel
128s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17/04/2024, 20:05
General
-
Target
5d110a2b2859a043e1f8b034f67255e67d9a5f872c1aaf359447050591c7147b.exe
-
Size
2.1MB
-
MD5
097fac50f308190e201b423f121aac3a
-
SHA1
e291ce7f6da9d62933d900638831b61d96a999ba
-
SHA256
5d110a2b2859a043e1f8b034f67255e67d9a5f872c1aaf359447050591c7147b
-
SHA512
3d273fe5abbb4b223aeaf64d2c35309ff541c598895b3be2db6a1d42299677240854a11a6cc3963e0d4fdaf3c6920969850d9b2d545733b67e76e4c2c09ae38e
-
SSDEEP
24576:I0QuuAo+kX8ADPTw7UfJ8nnSEO5c2Fg6AQw/9:lQ+ojX8A3wu8nnSvxhw
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5d110a2b2859a043e1f8b034f67255e67d9a5f872c1aaf359447050591c7147b.exe"C:\Users\Admin\AppData\Local\Temp\5d110a2b2859a043e1f8b034f67255e67d9a5f872c1aaf359447050591c7147b.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://suggest.se.360.cn/sedoctor?ctype=se&cversion=3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5d73a1d8fab7e95e4814417ee399b6d48
SHA1bfd7994418531da7ee96e4a7918d0227b48e748d
SHA256cef3b530156c1adb0992bea7a8dc255e3e1cffe5c19f4e1f94295e444affd09e
SHA5124133b0777d97204750e6e57ebf4a969273ea2e846d51b3f127aef114dd0424b229e2ccec7fe0aa5ee3aa0fa399c88f5fa9b68cf4e23208b015f0017c132819ac
-
Filesize
344B
MD5d0490405c6bf6fef350f7ccd0a06927a
SHA1b9f12ff2083665aaba887ee676fbe710175b58b3
SHA25674d137f9b4260cf22fe86e2743cf52654c5f3c9d078bd336a24133e7ee4c2ad2
SHA512bbebd72eda83f597d91436da83515c4dace7be1dba76d236faf2258cb35edda32d80f45a24c4cd07be6b5ba77783d78e7c43c4dce58778da4c18b270bed22c23
-
Filesize
344B
MD55fdf70ea8c1ec0db5015ec1c3e99c190
SHA1b9bb8a224afa1ea4462038039b217126d4f23ef7
SHA25668cc6717b605c556908c0ca696fb3e55a347831537dad63e1ba06185c6128c31
SHA5125d52cd0186d0a58d28e1f7b645a78974901f8e86161fbf2bc26d5108ae52122f214362f48b3ffd40ba52647c6ea494c5b340d2c590fb3a9bc67f84a534eae460
-
Filesize
344B
MD5530247969d82949db1a17d375ebe053e
SHA1e72b9272099322c1d815c5eaea4195e8db9534bc
SHA256fa63bd136e58df347800a5aae02de43d8884bc5a13123db9d0802cee3128f3a4
SHA512bad0b79604b40dd481c105f0ed958b346127da791524ef89fbaf5dcac42c9ff449155e0a7c82889d0905ddc7463fbb8946afd7b6c495dfa45df3fc675da9f86b
-
Filesize
344B
MD52a9618a04875a0e3617cb86d36ad2a8f
SHA10f2d3416c754c4b9ad870ab3ed9a24ceadec3d12
SHA256a159b3193e4b73342934ca3dcf2418bbccf5ec54e4d1f238fbbdf866ed4b83d8
SHA5128adef47f247086b1c0cf46199cbe5cc38bcf7a6f851e9ec511bd2c6b021ff140cb0b10df4149b809e4c05b96519b6c8f2ce4e083bc9dd0ccce320f228cd3a092
-
Filesize
344B
MD51c035c6bf948aa65c5a24485c6316ed1
SHA1f014675b9209cf5811277d5ee9168be9d7cbacdb
SHA2569c2adde0e262f9976a8bf8cee52211369e3d60b5b9a9758e42bb827fb5d8606e
SHA51233d1d3dd5c26a30b12e0b6f2edf0ecde5f06785b2d39c4f0b2513534baa3f3331f6d2f77d747ec8f73a656c94413b3ebf32ea8099651aa7783dbb9952666e316
-
Filesize
344B
MD5a53ac952aca6546b3834268b8ad77ecb
SHA17f71864dff797ed0c11f709367cbd09e8d887a45
SHA2567443c1851e74f6754ec546a1f2c5caa51544ee5620a700538887eca77b8cb7a2
SHA512183dd18f1bd3b694d754e907ed9d2bf70c78732f403b4e5cf7b96ae1627be60399c0339f5003f2574a0b968e4b6fa94d5a539bc0c64f02c44f28dcd78d00b04f
-
Filesize
344B
MD58e619438b547eaea065af45fe3b20203
SHA14501fd432d5e7e088fc7ab4f20b9eaf17ddec1dd
SHA256e0fee0060daac0e4bb28618bcddf7cd1d70325e4bb5f0e07686d452652361853
SHA51285790378ed08d162bb7e83eda63885c2855eed4d427693aa07df648c8f398eb27173763967b678d4972382f7eeed9d480b958098c8a18128512d18ce5ffd84b9
-
Filesize
344B
MD55a4c456ba8ace8b1b5b97f2ece3b5e83
SHA1802eceaf08fa19ff8b55007ed8fe20fcd31695ed
SHA25633fb5784ed1090d2e26f1c28ae3b478ea81e982256e447f85db83a1d9c0fda08
SHA51245fa8b1396fb44d6f40e05b260ea482876ee2b4aa295cafd643748fcf594d83c5b799fd28900ab3b32d20af8ed3c0fe3ca9e1cf2c43937f3632a602f0cbbde7a
-
Filesize
344B
MD5891be50d899c3f58b8f46c13666b9b73
SHA1666b44d6374490d6e599faf410987038cf63724c
SHA2562f304834b0aa4b7ba5eb3dd429dd470346055f0a9c21398b8c58cb7b7d15c5cd
SHA512189a0504aedf0b697a09db618c8d709eaf08321359bb971d01d33e3b14ee8b0c96fecce4ad02ef7060de8b70b66f6a0a007b4deb2e83a23e9e4e12883f6122cd
-
Filesize
344B
MD59172ce0a4c700ff91c3a870d8ed20f14
SHA1a4a31833711f2f6ada31f21f8e84521df479d286
SHA256a7efc621631f7b2124cc516da6842d250d6b5472051c12e432e73c89c61d8dd2
SHA51289583aa6c4232062be88f9e500dcb002f4a8917fac02678f80fa83da158d1bc04380dbf17f3b10f0f5bb0f0c8a505535242e8a91d7bbcfec99be62f17e432cec
-
Filesize
344B
MD5210dcbb3098909497eda7db2df6453e3
SHA1de188626f66b01228df0d380d4ce5205c61c12de
SHA25692c319fdbdfa3031332c0229a011489f769b690f3d04316187e5cb41e3610163
SHA51265973a17d5190253e965c048a591cca8c1ae19948bad9922207d907c4f7885abe170936feebccc646c5862baeac995a12f06bf85e6bfb8a8cc12de73d132af1e
-
Filesize
344B
MD551149e18545f6646cb7325590d8c9a5b
SHA1a857fbdce862d8ac82c07b98d97af1f0917c233b
SHA256ec8a0497ae393d054a1a464896c14e8e408bf72cbf3458272881109d71085417
SHA51214764a45869260d0f70b2883e687404e6c39c35cbb0eb41e5065eb4f589148f0536e534933e47c6209e463a4b3b8109019740eab192b5fddb6590341674f68b6
-
Filesize
344B
MD5ca46afa249efdaf652e36e9162b81fc4
SHA1cac5f321f1b46496e4f3f5adcfedc915822ef962
SHA2569e023f7fe36b60691482a1af7e8d150f3b5920ad4175ae85272ff2a9b80e03e3
SHA5127f051fc05ebf5c52a69ce00e42363e5380877d19bbecce78422aa7ae7ec127a01390b4f0228d12fddfa0de57f358da724e718ed14519b77aca923e283c4b3606
-
Filesize
344B
MD5660a518038b40261052ae86882c63ac5
SHA1ebf30601f523606b711c13dbfc0cfa007885338a
SHA2567a4f781a4a4015228be028631323fa19cc1918303934a04ec34274c9619d77c1
SHA512674852b559ad54a32c4ea739e7a30717136b11261c7bca8bd43c48b2815f7734f129adc2648fb47e05ddd36968dcebd589224a2fe6210acf64e89394ae8fd689
-
Filesize
344B
MD54057fa958a8be7e2dda719292bd77f47
SHA1fd9edfb3a31ee26a23c671015c0c146443bc80e9
SHA256b071837058cc35708c871025dc6bdb830d757c68fb820f3b63de444dda0ea95c
SHA5122a4bf946a8d3568d11f42219c3da4ed0707fac3ecaa88ca69795305ec5ed12a067c028dced32a2638026b39052e74fe5b6e47f4d60ccc986d536706e4d34a717
-
Filesize
344B
MD5c289168c6efc0a12ecb9c15988613cc7
SHA1aaea673033e2d65ecd9e043dd9c685aa883c154f
SHA256389fef3a1b84ee29661ad2447ea57f0d18a0d0c7aefdcce087ce762d57793412
SHA5125c8a0e6a0005104127931a7317e0e9c9ee3ef7e040f6b7afe398c2d80bdc403e11cc6fb4ae550a70c38912f924300a2f1d06fc8eec339f1e5c6bdbd2ac40f40f
-
Filesize
344B
MD59cc0664c7d36e7e4804f1805d0291a37
SHA1f3abcf63f91c1b453e921ad0836934ec22278225
SHA2564e0a5007a42518c35d196b71ce861aef10ffd03d29db6cc4363951d167b5384d
SHA512a3f26eb7439b763e148aee47c4f5d0542253fda67ce46c0896c7d0e9bfbffb4dcf9c283b9a6de5cafd8150165554d0a756277b09213f43a6179d1bc7a7ff58b2
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
97KB
MD52d6a8ae0c85f29878f95f4479d07cdf9
SHA142da4925f02fc39644498f37eb462bd3dbf9b4ac
SHA25670bec6ff64c2468ff4fd2a4057cafa198d981654dee2d3382597890d57e5b4bf
SHA5129d5eb4f6876237b0e18e9eb79b9035804de383bb70f19f72d742d83497e0ce83f44f117ebbe2938f32b1ebd44ded8e9f52bf28bbd39aa67d6e4fe601d8dd1ce4
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
1.0MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB