Analysis
-
max time kernel
26s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
23-05-2024 04:32
General
-
Target
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
-
Size
124KB
-
MD5
fd127c6270d8c359a72ca527bc0e3909
-
SHA1
1eb9d4278b845e7fa5df7795da4a4b8a8d04e198
-
SHA256
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
-
SHA512
059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8
-
SSDEEP
3072:oCGVhOg013Uh59Td/9L+Ik0IrylyrgZQMHXSaj3A:ooUV11+T0Iryly8xXQ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 14 IoCs
-
UPX dump on OEP (original entry point) 15 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 23 IoCs
-
Runs .reg file with regedit 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe"C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b3⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg3⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Runs .reg file with regedit
-
C:\Program Files\EXPLORER.EXE"C:\Program Files\EXPLORER.EXE"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeregedit /s C:\Program Files\Funny!.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Autorun.infFilesize
99B
MD59bf1e5a2afbe7da98a68e24153056e89
SHA1a081dd05387f0a820c090d1d1d003af4f4374b63
SHA256bca0db21212fb26b90ca976ad73636249ee40e70f59d867698a760b674ef13d2
SHA512591855a387d8e28b89821e3d5c0c9418ebc2d644732ab9ce75e90e9db0b2bf7fecfd273fd6ef22a8d8fde87b97002e176d49e274b6c6cfa5798ef151092fcdcf
-
C:\Program Files\Funny!.regFilesize
572B
MD5c2ab01b697609862244ae7365e7e03d9
SHA163f95bf1efc2f7fb66a51627131150a01856ab36
SHA2563e8770c1a3b8112a25d08b47a1bc0eed22aae31389b16dc03b07f3f10093e092
SHA512afb30a04c3b50ccd913200b012409a9a1e2411ca97f1143a8e6f879fb8bc50acb3ec0c32a76fa4aea2b5ad35450578b53c51bb6e5e982da4f63136f8734f7da2
-
C:\Users\Admin\AppData\Local\Temp\Funny!.regFilesize
649B
MD504fdb91e4f31252545a98d94582f222a
SHA16e9144b93384d4d76975a96d96d912204515a06b
SHA2568758c9438a12a9576a69b1b88ba51938f5c92b9bfe4ced50281bf98ce5dfd670
SHA512f3beb767e01c1089ffe35d9e5d5f2fee3253c45d8c96ce6a9c6796775e5363fbeb2c5e89af063cccff9e6bcc9d248f1db3e29e540a25f1b9aeacce6d565030e4
-
C:\Windows\SYSTEM.INIFilesize
257B
MD51c45604d72300631bf64f54de5afab62
SHA1bd60852d87afd11b1bc8d99273707ab4e1c8615f
SHA25623b144029bd69fd25e471701f74812430d8c4dedc259ab6e01b5130d56bdee98
SHA51291ec46f3f9636dda2c3c5b94e2b9dd3e9553d821c904835cfb2091dc656547ccd0d8c4397982ab352c04eb859a8b46aaab89d46edebe8eaebab0fa28fb910f2e
-
\Program Files\EXPLORER.EXEFilesize
124KB
MD5fd127c6270d8c359a72ca527bc0e3909
SHA11eb9d4278b845e7fa5df7795da4a4b8a8d04e198
SHA256ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
SHA512059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8
-
memory/1060-15-0x0000000002090000-0x0000000002092000-memory.dmpFilesize
8KB
-
memory/1860-27-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/1860-25-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/1860-10-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-5-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-13-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-14-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-26-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/1860-3-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-1-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-11-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-0-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1860-12-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-23-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/1860-22-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB
-
memory/1860-4-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-8-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-6-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-48-0x00000000025B0000-0x00000000025D0000-memory.dmpFilesize
128KB
-
memory/1860-47-0x00000000025B0000-0x00000000025D0000-memory.dmpFilesize
128KB
-
memory/1860-67-0x0000000002620000-0x00000000036AE000-memory.dmpFilesize
16.6MB
-
memory/1860-66-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2472-104-0x0000000003AD0000-0x0000000004B5E000-memory.dmpFilesize
16.6MB
-
memory/2472-123-0x0000000000340000-0x0000000000342000-memory.dmpFilesize
8KB
-
memory/2472-122-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2472-107-0x0000000003AD0000-0x0000000004B5E000-memory.dmpFilesize
16.6MB
-
memory/2508-75-0x0000000003A90000-0x0000000003AA0000-memory.dmpFilesize
64KB
-
memory/2648-33-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2648-35-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2648-34-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB