Analysis
-
max time kernel
118s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-06-2024 04:16
General
-
Target
efadf013c147a0b3bc4be1d84b0afc7a671e45b4a243c0bf133d6cbde3c5a09c.exe
-
Size
1.1MB
-
MD5
4c62e61287e2358db4cd9c9724aee608
-
SHA1
0fe4a1bf64ca1fdc8c411005d4f0ab39eebc8d2a
-
SHA256
efadf013c147a0b3bc4be1d84b0afc7a671e45b4a243c0bf133d6cbde3c5a09c
-
SHA512
c602d8cfb7d19bd64425d10158f97aa84280b8d373327a8d83646cea241c739eceac1e452097cbaf386aa0248b94c0df7c2a3979e778212837affc0818510aa0
-
SSDEEP
24576:h/vXd0GFi/eytAEup7NPUHo88uIwHxIQ6Hn0a7kjxY3:Zfd0GFi/pAEM7NcJxIQ6HnNAF+
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\efadf013c147a0b3bc4be1d84b0afc7a671e45b4a243c0bf133d6cbde3c5a09c.exe"C:\Users\Admin\AppData\Local\Temp\efadf013c147a0b3bc4be1d84b0afc7a671e45b4a243c0bf133d6cbde3c5a09c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1.0MB
MD57064a0dbf394f9065f2910a63d9a0753
SHA15685f3d6dfad3f19779e0ea3e3eeba8de8076cdf
SHA2562836dedf7336973afefd87a5faf0aba34acd8f974008c9878762d41ba7ade9cd
SHA512f1fe801ceb60f6324f182e1d5ddfea671d96106c1f268a767d74a14d42853ca57bf46dfa7f5ea83e3a15fa43ef34fa1db3e5d159bbe4cafbae78ed90924513e9
-
Filesize
846KB
MD5935f0621baf2ab9a50d1de9b2db3927f
SHA1f2e42383d158af008f2ef26449b62071bdf34a95
SHA256c97302631a8c4d380362025bffff415004d4fb72e3ce33bb4cebc69c285936a1
SHA512aa29f404cf53052b4b319d4623635b3537cdf0a05122381f1fa8e861e97a338c0fed0f56038cc0443de19cc7279d934e6258aeb6c9f89a1b2b955c65e3d484f8
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
704KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
704KB