Analysis
-
max time kernel
20s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-05-2024 18:15
General
-
Target
042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe
-
Size
287KB
-
MD5
a9300349e56df396f27110591c3c4e8a
-
SHA1
91d6b1133ac0cb5115fbaf99be8d3bc0af138574
-
SHA256
042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a
-
SHA512
51c9994735350821cf03c26d170ae0f5de6a7837d1cccce8ba7c114b9fa1005a95719458a02c531873fb59ff58c6eeb646fb47c7df3f80f7d8b9a1b30df2996f
-
SSDEEP
6144:dvE72U+T6i5LirrllHy4HUcMQY6A+5Y+21Eqe:9E7N+T5xYrllrU7QY6A+LX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 23 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Modifies Installed Components in the registry 2 TTPs 5 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe"C:\Users\Admin\AppData\Local\Temp\042973c6fc9e0efc69a9cb08a80fefb7e388d98f0021c38c237fdbe50f4a0c3a.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Modifies Installed Components in the registry
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 18:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
287KB
MD5c4a18af109e26e052450ef0510216890
SHA1adcaca65be33f58a8719acc6cf39a40e05c66408
SHA256827b7db1586167d4bd35e46b4bf053fbcd3c05b0f6366f27128ee36b8fa9d5c2
SHA51281203cfa28e3a4e55beac615eb49d44bfde953317b2717b018100af1c8c14308669a627932bac0b2ac172fb5a1707e367c30f4ae2e8b73948e44df55488b082a
-
Filesize
257B
MD57bbb0b3cdbdde17197b290c2ab499c5e
SHA182654665ed1b6c26b49cda493a542cfc497427cd
SHA256e5776b779cedcfa188560a59094c10464fc8914178153421da92bbf80c7a14cb
SHA51263dd37fff0ebd5f1414be7ea7fe5b610a99921341357aa3a22a1792a8d288e8341ea63206e0df171f6ea30fce0d0218581e6033f0bc3e3fe81d067ac7c6a2f15
-
Filesize
287KB
MD58090549034a28b12ac22ae9178d041e3
SHA191783e91f6cdef35f86b4222e3f6fca1254b2db5
SHA2560bc136f04c26247d88fa3187698db15ffd5d1abc40f6f2dd2c71eca5b0622df8
SHA512b3aa0c718a629efbd918c7e0e1fc563788afdc88f1fdd5023f2f00cab524c31af54eb35a7c1afa7a0b5a57b495d4636fc802dac655244116463918e1525959da
-
Filesize
100KB
MD59cf3b539f26324205dc4dcc1e783bf1c
SHA13d5dd4217d0d7c0af7418596853d853d89d13a4a
SHA256360a267757e073f718ec2cfbcdf68ba6a6e03208809abc59a38c5ca186183d6e
SHA512bccb2e17d929493e47bb2eaa2de8f32da22386eba50601cceae8ba7e0a1bf593a063ed2744781da380f674b68419cff7904c0ca784ee23ae306b7c6037b55a9b
-
Filesize
287KB
MD5bcbabc6dda0558b5b7e7cd8a299ba056
SHA1bb77cd204c8d958e6ffe40d81bc7e8778af9a9dd
SHA25612a6ad4cbf5af8e0f9427c8327a6305d81599dd33814dd49c6b00a771303fad5
SHA51224a02d6c8b92988516eaf983a3fa78cb4c738cee95cd0f37bbbd0ba4d014928aaeecb89e4b825c74dd26e7ea1eb9331fd560710afebc5ccb0c35109aba238fc3
-
Filesize
287KB
MD57bc280e2ee6f3a3b12c99cf48f217206
SHA10b323608c76f822aa6d837964023d76ceb9c04e8
SHA256d96a82a95c9f647c0347059c35a175284a98884676e1050f71ec2c9589b28f29
SHA512f385bca954e7815323140ec9619d22da7f066fe5d60b5bb1f0ed0f9e1f49e836c3b0573587d4c224ec0f10134d2433b289fe5306d3de1b9fbc60a758fb775dda
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
260KB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
260KB