Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19-05-2024 18:18
General
-
Target
1e8a83093f635a417439d907b6a95a6b8ed34eecdd4b0e09cb6e04fe20278049.exe
-
Size
276KB
-
MD5
82cd5b03e8567da6dde4aab0ab031e6f
-
SHA1
395f2cb21614a2beccda8ef485774ef848728da8
-
SHA256
1e8a83093f635a417439d907b6a95a6b8ed34eecdd4b0e09cb6e04fe20278049
-
SHA512
b08fae4ed49e998e224dd8084cebe3eeb774c9e5d55d35da37462f200b51f00a21776ad6dfcee2bef5f70c56fa3aef7e66cd65823c37e95752dc61814c9d7e75
-
SSDEEP
3072:BHe+aX3tM6gT9o2MK52DRkBUiXxBHkjh5c5Tuh310dIajugrxMs3fGBj:8+aX3u6gT9o2LGOUixdkjhUqcIuFn3M
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Deletes itself 1 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1e8a83093f635a417439d907b6a95a6b8ed34eecdd4b0e09cb6e04fe20278049.exe"C:\Users\Admin\AppData\Local\Temp\1e8a83093f635a417439d907b6a95a6b8ed34eecdd4b0e09cb6e04fe20278049.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$a9FF7.bat3⤵
- Deletes itself
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
722B
MD59d97fc9c6cc8d9edce2751eb3c0f3f52
SHA1df09baa66ddb85b9c2f56f686a19ea675fcebb86
SHA2569957defeb85703c3405c30009bc57f69e1802c62c59b1b33613759957e733510
SHA512cc07a91952e4246fc76bddd1eced81308d9e25437adb2d6192922a8f340c47be35f68389d4819da8954d0dadf37569f93598a86e721857d525d2abb44f3a7b82
-
Filesize
243KB
MD5be4240615d40903b01f4cc50888354c2
SHA10302675bac3692a63ea9b619615e96bdde26fb65
SHA25625deda512c2799b018b322848acf2ac6ddd2e9ce40a643bd113b5448e4547639
SHA512b3f4fd55166103775ca41e96e87c7684275d30176f148b1e0ea79057db89918aa9450fbcc2649f78c651337837228012fc941cc56444bc5a5081a57171dbff87
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
324KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
324KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB