Analysis
-
max time kernel
10s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-06-2024 03:48
General
-
Target
ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe
-
Size
744KB
-
MD5
7b279432c17d041b0f923b1d84fbd3b5
-
SHA1
f6a2ef3a0030deaa01d38d28fd80304daa77a960
-
SHA256
ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
-
SHA512
4b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e
-
SSDEEP
12288:lTyjXW+48qWywrU4kGFezOAVuJ5PI1ww7F5DO3HYffXWWLeJG5rIlL:JIXW/8yw1ez54lIVF5SXYHXWWLeGClL
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 56 IoCs
-
UPX dump on OEP (original entry point) 60 IoCs
-
Deletes itself 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 56 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"C:\Users\Admin\AppData\Local\Temp\ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2.exe"2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exeC:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
8Hide Artifacts
2Hidden Files and Directories
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F7630E0_Rar\rundll32.exeFilesize
664KB
MD59f4ad2e1a21330ed5442d666e37a3b47
SHA1af241db65197924eab63e20fd481bbdd8aafb053
SHA256d895f7d839dedecac0558587ec722eb06ecf352399380aa6137052e1bc168783
SHA512c9763e0c148ac7ced9263256afaae6d08de6a6b42a688df91d2faf7973ae725da9ed74cd88f1393ce6aa96e8bd227da9c0c7421af2be21427c3d102bd7018dfb
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5694efca7fdc05a6fbc31a8dc1745a93c
SHA12b7d4c99cdd893296da9d9cce8bda12c741ef709
SHA25643b37387ef2a3eff4718a537199c63035d14074090436bdd9f16e9439395830d
SHA5129298e880abc2705e1e4e3ec66180872f3d8b2905e1d96c8718731a24c4519cb427421029adae47b93f756b02c776fdc0d42f34303a62c0258540b66f6717cb6c
-
\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exeFilesize
744KB
MD57b279432c17d041b0f923b1d84fbd3b5
SHA1f6a2ef3a0030deaa01d38d28fd80304daa77a960
SHA256ee4a4e249970f7cab20fcb8d13d468558cb49b0d42f3a81b5798f9f02f86e1e2
SHA5124b889f36b1eec440b54328d41e572200856ea6d11954830b7fda68574395f6ec342cdcf97e0a98ea106e41ad27ff425a944a3b70bb29725b8dfc60c250f2e33e
-
memory/1116-17-0x0000000002070000-0x0000000002072000-memory.dmpFilesize
8KB
-
memory/1116-17-0x0000000002070000-0x0000000002072000-memory.dmpFilesize
8KB
-
memory/2464-62-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-67-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-63-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-64-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-65-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-87-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-61-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-68-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-69-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-78-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-81-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2464-82-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-83-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-70-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-67-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-42-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2464-60-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-58-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-62-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-66-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-70-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-83-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-82-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-81-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2464-78-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2464-69-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-68-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-42-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2464-87-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-65-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-64-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-63-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-66-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-61-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-60-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-150-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-58-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2464-150-0x00000000028F0000-0x000000000397E000-memory.dmpFilesize
16.6MB
-
memory/2856-34-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-35-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-1-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2856-7-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-3-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-10-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-11-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-15-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-29-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-28-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-27-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2856-25-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2856-24-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-38-0x000000000A3D0000-0x000000000A492000-memory.dmpFilesize
776KB
-
memory/2856-9-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-8-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-6-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-4-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-5-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-31-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-16-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-57-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2856-34-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-38-0x000000000A3D0000-0x000000000A492000-memory.dmpFilesize
776KB
-
memory/2856-1-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2856-35-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-16-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-31-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-5-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-4-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-6-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-8-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-9-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-24-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-25-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2856-27-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2856-28-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-29-0x0000000000240000-0x0000000000242000-memory.dmpFilesize
8KB
-
memory/2856-15-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-11-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-10-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-57-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2856-3-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB
-
memory/2856-7-0x0000000002820000-0x00000000038AE000-memory.dmpFilesize
16.6MB