Analysis

  • max time kernel
    30s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/11/2024, 03:56

General

  • Target

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe

  • Size

    317KB

  • MD5

    76e4c67f2f63c5b0cf1c17fb6c43c760

  • SHA1

    bcaccce30f728ba7efe489a16c8f14235347967f

  • SHA256

    19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

  • SHA512

    78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

  • SSDEEP

    6144:dNyZWJhe+9xwSp0Ksr8/Ddv/9zyKI20IBHqLw:dNbhe+9fp0VYDZ9G0DBK

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe
            "C:\Users\Admin\AppData\Local\Temp\19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386fN.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:316
            • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
              "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Deletes itself
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2864
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1668

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\0F768B10_Rar\Un_A.exe

                  Filesize

                  249KB

                  MD5

                  0a5c25e3cd2be05bd66d913daf651928

                  SHA1

                  3077abd0e78b2c8c441944130e98df74b9843693

                  SHA256

                  7de0b18ce9840e97ec87f948ab0ed8fff2ad4d47b8eb160c6f15bb02fc55fa04

                  SHA512

                  aef0fd28a641f1b29c7d69e0e9beef08ea4f32d6381cfa18fb75e6a5d4a5b690321c1fb2ec9e05a3dbbfc17f3ec84d648f89105547586ea2d8cfb1b7b179e283

                • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

                  Filesize

                  317KB

                  MD5

                  76e4c67f2f63c5b0cf1c17fb6c43c760

                  SHA1

                  bcaccce30f728ba7efe489a16c8f14235347967f

                  SHA256

                  19178e819102249868b84d4814ac0adfa4cb65016a6ef61be8a71f9289a0386f

                  SHA512

                  78a3c9a8cb544ff23eac16bfaf5c5c417f2f945573f031880fb8a9a4da0bc693361e19428cc01e2bb3e7c89743e8ad6476dcd95904019c9eff4cafc0f5fe67d7

                • C:\Windows\SYSTEM.INI

                  Filesize

                  257B

                  MD5

                  06840081b344d951537054ece1e52024

                  SHA1

                  05cba71ca2b3feeed8dabe559b8f156b35142092

                  SHA256

                  b3b2967a0b762052bad1d58c2d726789e816ea14140774174739db9753f0e718

                  SHA512

                  ff80c6b9b361e309ee7231c207adfb2d0fcaf122992e0edc5c186b4965eab4aacb9ae4cba92cf559296b604076be2b1e834851f78f94972ea5b0b52df4f4677a

                • C:\pcwv.pif

                  Filesize

                  100KB

                  MD5

                  07eb6efe490f286ecc7ffa2610da56ed

                  SHA1

                  3c9ef24d9af639f5ea4e29ed99dc8639023ca82f

                  SHA256

                  706ee9a20408983c4db5995c06228030bf7afefc4d5556719888f80babd35adc

                  SHA512

                  b41bae0166256cbc7a88453cd96989c7d402806f3e49018bbaa2d5b5a2f1a5bae50356eb2416de7f0acfe457eda7f083978affb287865db9e9663854b735ad2a

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\FindProcDLL.dll

                  Filesize

                  3KB

                  MD5

                  b4faf654de4284a89eaf7d073e4e1e63

                  SHA1

                  8efcfd1ca648e942cbffd27af429784b7fcf514b

                  SHA256

                  c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

                  SHA512

                  eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\INetC.dll

                  Filesize

                  24KB

                  MD5

                  640bff73a5f8e37b202d911e4749b2e9

                  SHA1

                  9588dd7561ab7de3bca392b084bec91f3521c879

                  SHA256

                  c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

                  SHA512

                  39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\System.dll

                  Filesize

                  12KB

                  MD5

                  cff85c549d536f651d4fb8387f1976f2

                  SHA1

                  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

                  SHA256

                  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

                  SHA512

                  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\UAC.dll

                  Filesize

                  14KB

                  MD5

                  adb29e6b186daa765dc750128649b63d

                  SHA1

                  160cbdc4cb0ac2c142d361df138c537aa7e708c9

                  SHA256

                  2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

                  SHA512

                  b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\nsDialogs.dll

                  Filesize

                  9KB

                  MD5

                  6c3f8c94d0727894d706940a8a980543

                  SHA1

                  0d1bcad901be377f38d579aafc0c41c0ef8dcefd

                  SHA256

                  56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

                  SHA512

                  2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

                • \Users\Admin\AppData\Local\Temp\nso8B21.tmp\nsisFirewall.dll

                  Filesize

                  8KB

                  MD5

                  f5bf81a102de52a4add21b8a367e54e0

                  SHA1

                  cf1e76ffe4a3ecd4dad453112afd33624f16751c

                  SHA256

                  53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2

                  SHA512

                  6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

                • memory/316-3-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-4-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-25-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                • memory/316-46-0x00000000048D0000-0x0000000004941000-memory.dmp

                  Filesize

                  452KB

                • memory/316-35-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-7-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-5-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-24-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-9-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-8-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-26-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                • memory/316-6-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-23-0x0000000000610000-0x0000000000611000-memory.dmp

                  Filesize

                  4KB

                • memory/316-21-0x0000000000610000-0x0000000000611000-memory.dmp

                  Filesize

                  4KB

                • memory/316-20-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                • memory/316-10-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/316-0-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                • memory/316-49-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                • memory/316-42-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                • memory/1116-11-0x0000000000420000-0x0000000000422000-memory.dmp

                  Filesize

                  8KB

                • memory/2864-79-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-98-0x0000000002050000-0x0000000002052000-memory.dmp

                  Filesize

                  8KB

                • memory/2864-84-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-97-0x0000000002060000-0x0000000002061000-memory.dmp

                  Filesize

                  4KB

                • memory/2864-83-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-82-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-81-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-77-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-78-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-75-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-99-0x0000000002050000-0x0000000002052000-memory.dmp

                  Filesize

                  8KB

                • memory/2864-101-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-102-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-103-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-105-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-106-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-113-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-85-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-80-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-76-0x0000000004200000-0x000000000528E000-memory.dmp

                  Filesize

                  16.6MB

                • memory/2864-47-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB

                • memory/2864-244-0x0000000000400000-0x0000000000471000-memory.dmp

                  Filesize

                  452KB