Analysis
-
max time kernel
50s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
17-06-2024 17:01
General
-
Target
599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe
-
Size
708KB
-
MD5
a7073a3267e29df0e36f16760942c4da
-
SHA1
9fb42b03685673a6936643673036a0832b90d039
-
SHA256
599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632
-
SHA512
b7323bc3de45540cec738cf94b87bd6cb942e889126ca9f680731f1899ef95ab90cbd0fa240b562cbb9c9c4d275f29173e85accbfc183a39045e0c70ff358419
-
SSDEEP
12288:lJFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOTIfwj7LD5fe:zFZqhOBnVyK23C6OoYMLiVcKtVx4Miu9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Deletes itself 1 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 57 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"C:\Users\Admin\AppData\Local\Temp\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe "http://localhost:80"3⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://localhost/2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:23⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F7622CC_Rar\599ba59f51a3bb9db2dc7a572df715182d049fefa829e6ff6debdd38d20b7632.exeFilesize
635KB
MD54b7fdcc9f207e2fcd1227b0f58f2631f
SHA1f4fef2e3d310494a3c3962a49c7c5a9ea072b2ea
SHA25612407535426bc2951f8f462cc0ffba79763de8a5fc1ee42a532b804263771e00
SHA5125a9f9f8d7e685fb10ba3f464cffd3178218a51749fde054071aa03fb04915ae3257538abbe8608ad134fb0319d3a43f19281253839053d85990b9518cd916bf1
-
C:\Users\Admin\AppData\Local\Temp\ridhg.exeFilesize
741B
MD525aa9bb549ecc7bb6100f8d179452508
SHA1a3bea5e2138d1558109fa26d46e2f79c3a20228f
SHA256df83a0d6940600e4c4954f4874fcd4dd73e781e6690c3bf56f51c95285484a3c
SHA51212e26fa999faf2ca017a49987be5c668930495c26c789e19863097e5b0555add90ecdbb397521436acb47d7f2dfd5029b9b4beed16877ac7df854b3321642e37
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5fae003797d2120545e9ec3d0e768eb75
SHA1d4c0f6af4f163c9cc935da61425779f0ec7a653b
SHA256a7e01b09e916a5bf2cc27afe5a57e4124cd2b74d0449bdd4f8c534fc20991851
SHA51235c4e33376d7e7e4790b8ff39c3dc9941bfd4435aafe09573e2962eadd3a22aa008783c885df9971dd644c34763369a2227165461edefaf3120ba59555da63e4
-
C:\umlmww.pifFilesize
96KB
MD5fb3cd54ce9e6843b6e87a19d08d10172
SHA107870d02a68608f305d006d0c2bf72beee7d753c
SHA25688f8cadc3cdf943c2f9bb624303183f01c72649bd0ba9de830297916130e4447
SHA512285366583127937ad65cc0ee2dcb9845f7206b396dc337fbea9b7c146b2b622ec3f881a1946072c4e0798ea064679f5dcab5cb41e5be17b6bad653b4d324d44a
-
memory/1116-14-0x0000000002070000-0x0000000002072000-memory.dmpFilesize
8KB
-
memory/1728-35-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-48-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-4-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-11-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-6-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-13-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-26-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1728-25-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/1728-23-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/1728-22-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1728-9-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-12-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-29-0x0000000075920000-0x0000000075921000-memory.dmpFilesize
4KB
-
memory/1728-30-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-31-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-32-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-34-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-0-0x0000000000400000-0x00000000005A9000-memory.dmpFilesize
1.7MB
-
memory/1728-36-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-37-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-47-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-7-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-49-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-51-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-53-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-55-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-56-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-57-0x0000000000400000-0x00000000005A9000-memory.dmpFilesize
1.7MB
-
memory/1728-76-0x0000000004D40000-0x0000000004D42000-memory.dmpFilesize
8KB
-
memory/1728-73-0x0000000006360000-0x0000000006361000-memory.dmpFilesize
4KB
-
memory/1728-77-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-79-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-80-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-83-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-90-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1728-112-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-139-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-140-0x0000000075910000-0x0000000075A00000-memory.dmpFilesize
960KB
-
memory/1728-10-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-5-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-3-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB
-
memory/1728-8-0x0000000001F10000-0x0000000002F9E000-memory.dmpFilesize
16.6MB