Analysis
-
max time kernel
25s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
22-05-2024 23:39
General
-
Target
80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe
-
Size
132KB
-
MD5
6e61786732b6f48298ece472af802c25
-
SHA1
89a1e36c6e7451081cca20351c2aac9c4c2672f8
-
SHA256
80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe
-
SHA512
1aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220
-
SSDEEP
1536:DJf83W8W60IL26Ap8iJySzlme3pUy3TDq+NcawHbNBleOD6MlSoUljObrEF8EX4n:DJCD548iJHxfq+Ncaw3fuOUhPm+N
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
-
UPX dump on OEP (original entry point) 23 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 10 IoCs
-
Drops file in Windows directory 35 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe"C:\Users\Admin\AppData\Local\Temp\80376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe.exe"2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system\Fun.exeC:\Windows\system\Fun.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SVIQ.EXEC:\Windows\SVIQ.EXE4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\dc.exeC:\Windows\dc.exe3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SVIQ.EXEFilesize
132KB
MD56e61786732b6f48298ece472af802c25
SHA189a1e36c6e7451081cca20351c2aac9c4c2672f8
SHA25680376c647b3d54978f26072d5b1699ce3384d50bb9bfd9c9c9656364084fcbfe
SHA5121aa19e7c6cc18e653653ec5efd0ca86b045ff38efd4c92b89ba071cdf9434704d31278b7df922790a2242640e5ddfbec95e14d2f76613702bf73a5f95d99a220
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d88190b7bc08def9ef27d78b5879cdb5
SHA143cc217ef2e5b6777319dbc9830c4b3b62c18a03
SHA256e12c71bc3b4f41fae355d87f0da8e52ebcc6433da01398cb5d9401adc7eb7bab
SHA512ec1c85e03d9cb68ad26fb10df638e9239bb5e6adb8217bad74e8cec21462aade7902ccbf0c49b4706511ef25f4de2064709475841b50798533c1094ab6eb6e16
-
C:\Windows\wininit.iniFilesize
41B
MD5e839977c0d22c9aa497b0b1d90d8a372
SHA1b5048e501399138796b38f3d3666e1a88c397e83
SHA256478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2
SHA5124c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d
-
C:\dkex.pifFilesize
100KB
MD5e466b05afc9c94b869a5fb3ea500e997
SHA1e6a99b97f8808451c34ddb543e83bea0836d3f5d
SHA256401f766d355ccee537b266ead8496d78eb0840abe2ed052569704d2f8c3cc15c
SHA5127f68eddfebbba96f3709f56623d6b9c3940a53e92f41e69d79127382471508ab1e58abb8d2b4ebb736f2e016e378b5ccdc0c607b6f3bc37697ba474fbbc56945
-
memory/1084-30-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/1644-113-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1784-56-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-87-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-24-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-42-0x0000000001E90000-0x0000000001E92000-memory.dmpFilesize
8KB
-
memory/1784-43-0x0000000001E90000-0x0000000001E92000-memory.dmpFilesize
8KB
-
memory/1784-41-0x00000000037D0000-0x00000000037D1000-memory.dmpFilesize
4KB
-
memory/1784-39-0x00000000037D0000-0x00000000037D1000-memory.dmpFilesize
4KB
-
memory/1784-38-0x0000000001E90000-0x0000000001E92000-memory.dmpFilesize
8KB
-
memory/1784-28-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-29-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-6-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-54-0x0000000003AA0000-0x0000000003AC1000-memory.dmpFilesize
132KB
-
memory/1784-53-0x0000000003AA0000-0x0000000003AC1000-memory.dmpFilesize
132KB
-
memory/1784-55-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-0-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1784-25-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-5-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-23-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-27-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-112-0x0000000003AA0000-0x0000000003AC1000-memory.dmpFilesize
132KB
-
memory/1784-110-0x0000000003AA0000-0x0000000003AC1000-memory.dmpFilesize
132KB
-
memory/1784-132-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-131-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-134-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-137-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1784-151-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1784-26-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/2744-152-0x0000000004DD0000-0x0000000005E5E000-memory.dmpFilesize
16.6MB
-
memory/2744-156-0x0000000004DD0000-0x0000000005E5E000-memory.dmpFilesize
16.6MB
-
memory/2744-155-0x0000000004DD0000-0x0000000005E5E000-memory.dmpFilesize
16.6MB
-
memory/2744-158-0x0000000004DD0000-0x0000000005E5E000-memory.dmpFilesize
16.6MB
-
memory/2744-170-0x0000000003A40000-0x0000000003A41000-memory.dmpFilesize
4KB
-
memory/2744-272-0x0000000004DD0000-0x0000000005E5E000-memory.dmpFilesize
16.6MB
-
memory/2908-86-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB