Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
21-07-2024 05:58
General
-
Target
f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe
-
Size
567KB
-
MD5
c00c2c86cac8aec9dc53d73e6addf621
-
SHA1
c1d177cb32b1beb3a09827d59541c19fc473ce65
-
SHA256
f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067
-
SHA512
caef8e4d387d4912103e523b184c0b9b823b5658877a02de52fc944fb30ca22c8681b00bb2e6b23b8513b9e1f52df2ae83dcde41607d89855ef67539e37b7ab9
-
SSDEEP
6144:wFpbFpXFpgT2Jst3mWmqLuFpguM2cT65Qv4sdZfUmkjYtK3Qxahx:Wpxp1pwsWUpRh5u4ccm8++x
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 8 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$aABBA.bat3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$aAD21.bat5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"C:\Users\Admin\AppData\Local\Temp\f5c99dc1fee7b2280907a7ec42f0e5e039212f1bfc687740c04cec1e1cc91067.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD53b6ab73ad7d6d27bbc1f2b09b6a7a13a
SHA1a9adb49e14c018f19837e90e2d5cd930cd3c8d40
SHA256996c71e8a6f399e7895e24bb031067770cad117cd9569743244ba32c97a310f8
SHA512ce509a807c60da7faa8c579f0228195334decf42787fc578e384a6d77e10ba17d7e2f5781ac75578b31278612587a48bdd8d5c8e93481c0dc4376a0d41ef5ed9
-
Filesize
472KB
MD588eb1bca8c399bc3f46e99cdde2f047e
SHA155fafbceb011e1af2edced978686a90971bd95f2
SHA25642fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728
-
Filesize
722B
MD5c02ffb817dff4f854dc9f663bff91f26
SHA1fb21983dca669fd07d35cb7b76ae829645b91e59
SHA2561b14d0c76dcee81364f4e016700cadb91978b5c0d8cdcaafe02d073cbff82389
SHA512a095763f5b44c8bb7dabfdff56eb650db7b57994da963ab2b250f5177266589cc4acc0110df267ee8fd9e158e58c50f6cfec163472019e485affdc320cbb5c0b
-
Filesize
722B
MD5dbc82159c80129f3fa10797abefeff71
SHA1998e542464ff6c1fe93a6adceadc535e02c34c5f
SHA2569c67b87fa7b8bea3c9f995680afb599a62696a1780d9dbcad9d69873a9604740
SHA51200f8673c12ddb12820d8a7dd44ae71ba3c4b24d5cf3335bed6678039f5b4d949d36e8d5459ca5d50e2d5daea34247552811a94a2411598399d0cceb54c52afd3
-
Filesize
540KB
MD50bb681b15cac98f7686ebd583f10f23e
SHA1deec2aee6a0c53843a5ecfb602877d701ff093a2
SHA25641b57f8f2e4a3ec95b1ded89a9b58ab8188759eaddb7dae7e359014f31af99ae
SHA512b341a69de25810043f509955129879dfceafdca94fd2f5af0adece17cea0b3c9220caf6c5f830b664ba456248e67001076a0f9edd1480b9027da7385d8067256
-
Filesize
513KB
MD5099b98033eba20ddc97a8854deccd932
SHA1645bb6959840331826a77f1ab19d1484da84c68e
SHA2562e70f2cb5d36fb9d3de990b4428a872213e543a85cf5f983d975281a9a56ee5f
SHA5123cac6c8727eda8c7ec2339a404566cef3354f023e7115d44d5034c6abf193287f4de96ca6289bb854396341faab809c7b7bc950f0d8b63062a6072af211ec831
-
Filesize
27KB
MD5faa537da04333b1d2264b5e74336142e
SHA18ac278558286edcbe5b0648d0052dc98e148aa40
SHA2569c1055873c600ca7e5e6d55aff2bc1287d91b6e7e7dd73af40175e27cdc8c131
SHA51291ba1be7a655d818e3ba62c5bb1c023ce19e5105a5d1b798d9da1faf6dded3c0ea4507617ed56dbf911f2a235547f02f4ecf1fd353e0451ea0870eb6605f2dd1
-
Filesize
27KB
MD5dafa3c7445c5f0485d4fc4777401419d
SHA1ee8f93641875cc64e35ad39c7aa56dd30d674f36
SHA256389ccb5e5a91f6f9145404b1675c4ff9fd3f4b9d7224a1939c4304f4accdb2c2
SHA51222c88cba4d1cf3c63f143797f0bf4536f2a2bee9f6fc761d549d4ebd034630f2e4556b0742f760dfc9f104ca1b0864d499c617d91fe6a43f27c4e3564e2a0c0a
-
Filesize
9B
MD52efce5174bcf8d378a924333f75e26ad
SHA14fe6e1d729b55d42eb9d74aca11b36a94402de14
SHA25604ccb9bec2864153c72852867d8e65dca07eca4e5edcfb4beb62cb364dcd91fa
SHA51224684969632fb0562a3a7a5fec91d869d627730d8e9d83a2b17e326d7047e3fbff205eec207914e42ecd50fef68a212c19f3599ded271c00e66acc22f1f04c16
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
284KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
284KB
-
Filesize
16.7MB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
276KB
-
Filesize
212KB
-
Filesize
212KB