Analysis
-
max time kernel
29s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10-06-2024 20:19
General
-
Target
2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe
-
Size
327KB
-
MD5
6d6836a9d6b5f361024c3b8a69bd47bf
-
SHA1
f940bbf01e03c3dca256cd36b2f5dabc601bd3c4
-
SHA256
2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f
-
SHA512
ebff2244be4f1eada9ce81a91175807a15663fe53266af77528dc5780e249e923ddfbfbef02259e5a191f60a2ab3f491c3223c65962f9a5774880d36deaed00a
-
SSDEEP
6144:XsLqdufVUNDa3S5llllllllllllllllllllllllllllllllllllllllllllllllx:cFUNDa3S5llllllllllllllllllllllh
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
-
UPX dump on OEP (original entry point) 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 7 IoCs
-
UPX packed file 21 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe"C:\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe"2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exec:\users\admin\appdata\local\temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:21 /f7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:22 /f7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:23 /f7⤵
- Creates scheduled task(s)
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe5⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-12585533895958160810319371281668936508-845322938354380835-32925554-556094992"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
7Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\svchost.exeFilesize
135KB
MD558a09cb3b5da1c50b98e594180213477
SHA10da72b75d76948a2c8a79ddf28ed95e488e5baf5
SHA25615ea2c75e14ece8644c858a3550f91931aaae32e29f29effe03aaed8b06c85f6
SHA512bc0597f8f4785d7ea941a876b1e1ee438f07b44c74b23dd0d1a7c1b609d9b96c3d9a300f379ff298d7be42d8e5a0786f3612feb4e70872dd0b9e9365f88f532c
-
C:\Windows\SYSTEM.INIFilesize
256B
MD54a8a8bdf30ca86c6002d6db121d3157f
SHA1b470d16a14259f1c6db9c1c41cd1510c6c117db4
SHA2560591bcefdd4f012c0fcf0fa919cd94fb1c39c17cf5910b8997be5a098c9cba17
SHA5122bf53377530c98f41740c266eeedce280e9b9769b779dbd81d4f85fc8f48b473d44c3d357b19023aeeba5a149818f78dead38f2ff8d060452dc5e47edd7a711c
-
C:\vcvd.pifFilesize
100KB
MD5e88fbbf3ada0de81ab0829ad20612cd6
SHA1614732e31327af7ad81c4fd7a10a1b665166acc6
SHA256aadaf7fb9917a173e095f35aeea85fe62e141e307b4691256453c0d638054d29
SHA512d6c1e0246f09beab64ee9bf61b95f9b7003c11be97c302be7f6295a15f2d888a5e348be2e6a53ee26662be4cc5a15a8126ff621ee1081473fe13711d9cc67c46
-
\Users\Admin\AppData\Local\Temp\2bae3b6c7ccb527e97e722b3288b60320d836c8e6de8ca1ec757ed0602f1322f.exeFilesize
192KB
MD544981b4bc4a2a86d97d9daa4dfdc56c9
SHA134de2285a03a85eabbe026dbde0a832472253df4
SHA256dab149bc4edcc9e8762df554bf96544cc70c0a549598a70f89b5064a4e557e53
SHA5120441f7685f812675ef28db2d622111a4a5a5362a659b553a2ed78a73abeed45580915bd2c5dd0e8ff77df2bab0e46cc60d2dfcd7427f8201c8029b9baf28af98
-
\Windows\Resources\Themes\explorer.exeFilesize
135KB
MD508218b37b1eb854e8fd8dd0859c5fe00
SHA11d5d5a35ff77b1440be0d1cf7214e4427d49e351
SHA2566b99c9c859c38b75a8dbe0fd148a71235bf3d2f69f48663d1195e95526d48608
SHA512c3a94072d5a927d9bfd97997761c3d5a121bbd537b2d6185429d3ffc4fe13be7972efc4db75b2edca5ec63dbf178ac83028d171610aaace66656b6084615c0c0
-
\Windows\Resources\Themes\icsys.icn.exeFilesize
135KB
MD510bf281bd01dcdf7759c981fbf652071
SHA13954d13520598847ba6e907cf3a62b47c7ec75e1
SHA256603f4b2906e73b7a46d7312ae7441a8596817a67e8985030c782d109445f8812
SHA51291aaf2618eba99f6964b2e38d2735589a09c538342359ffb66161a72322b58d4e789ed09ccda771f8f519c63bbfaec2b87720bd2cc5837c1c24d7bbc589d1d1f
-
\Windows\Resources\spoolsv.exeFilesize
135KB
MD504afaf1c88170ff539ad04a5bb66cd45
SHA1cadd3a6e44b1cd9a5b9a3520bc824d5a8b4b2d50
SHA2565b1cb6251026aa49115068179b6ea1838ea3141f648079be8492e2400452071b
SHA512d99a06b7e211f77ab8ebbc3ab9b0260f0dafc36e7d44d969c871ea1f2d90e686a252c5009d58fc61fa1566bb16306c0d40ee8fe7906d701d3505579d7c344d9a
-
memory/1180-39-0x0000000001B40000-0x0000000001B42000-memory.dmpFilesize
8KB
-
memory/2032-76-0x0000000000270000-0x000000000028F000-memory.dmpFilesize
124KB
-
memory/2216-32-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-112-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-29-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-28-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-36-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-187-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-186-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2216-122-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-31-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-27-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-65-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/2216-64-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-123-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-121-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/2216-37-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-120-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-61-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/2216-118-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-54-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/2216-116-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-115-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-113-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-30-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-93-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-111-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2216-95-0x0000000000610000-0x000000000169E000-memory.dmpFilesize
16.6MB
-
memory/2232-58-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2232-63-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/2232-106-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/2232-103-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/2232-67-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/2320-48-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2320-46-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2320-47-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2320-110-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/2320-0-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/2320-62-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2320-66-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2320-107-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2320-18-0x00000000002A0000-0x00000000002BF000-memory.dmpFilesize
124KB
-
memory/2320-7-0x00000000002A0000-0x00000000002D1000-memory.dmpFilesize
196KB
-
memory/2456-101-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB
-
memory/2548-88-0x0000000000310000-0x000000000032F000-memory.dmpFilesize
124KB
-
memory/2548-102-0x0000000000400000-0x000000000041F000-memory.dmpFilesize
124KB