Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
10-06-2024 07:30
General
-
Target
ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
-
Size
4.8MB
-
MD5
cf0b2b6db9247d897dce923963cd4489
-
SHA1
69ee0a9e0d6162cf702e57f3869eb5ae3eec8661
-
SHA256
ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975
-
SHA512
2d9a61c9c38f3e71c558a2fa155a9b39ed48b4fe2dd2c045bf5c38ff7c70dfa640a7b4d85533ba74156cc4fba3dfe6f6ee28e84ea1d032ee2ae9f37cdbcc1dd9
-
SSDEEP
24576:W4L1dN9IgGFCXy3DryDNYhJkfdTazmaj9Tb9X9Pu3mmGld6oKZmMP+73lIqV:NB3pyYqhJkfdVa5TLG3mmhHmMP+bl3V
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\rwhnj.pifFilesize
97KB
MD58b17fe253285961fe8e4a206ac3a81fb
SHA1d72e1905d86189f992083bd533bc198ea28c853d
SHA2563b6ebf2f2487e777a23946d0e6ddcb39426aadc9b5df261f0ff4b09cbf74fe4d
SHA512c35758d7b32111c614517ed693e4608dcf03dcf0154bdcd852707331bb5fd14daa44b014f4bb63b9137d4dd410b200af021b9262df2fbcd32eb99576acc3edb8
-
\Users\Admin\AppData\Local\Temp\36034B7.tmp360net.dllFilesize
480KB
MD5d5f22fc1beff60f5fa9398effca73e2f
SHA1f84c5f048b5269381a8c6d1dc21905458856543b
SHA256214a5e9aab33148866db82ab51c5bcce9e4240794c2c2850fa0f7b3bc3aa34e6
SHA512b031336bf42a55e738a412b39acff8b57892f8d2b49c3ec4eadc9f7c9ad45cbc0f5b06a921fd07cfed2faf2de07c6957dfd8975de5e322f0f82c558ee9dcf1c3
-
memory/1104-9-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1684-44-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-23-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/1684-22-0x0000000002350000-0x0000000002352000-memory.dmpFilesize
8KB
-
memory/1684-46-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-25-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/1684-6-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-4-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-7-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-14-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-12-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-45-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-8-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-47-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-31-0x0000000002350000-0x0000000002352000-memory.dmpFilesize
8KB
-
memory/1684-32-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-33-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-0-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-42-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-43-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-2-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-17-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-13-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-5-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-49-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-50-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-51-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-54-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-55-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-62-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-64-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-66-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-68-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-71-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-72-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-75-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-77-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-81-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-83-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-84-0x0000000002950000-0x0000000003A0A000-memory.dmpFilesize
16.7MB
-
memory/1684-98-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-103-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-110-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-1-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB
-
memory/1684-177-0x0000000000400000-0x000000000091B000-memory.dmpFilesize
5.1MB