Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
16-12-2024 23:59
General
-
Target
7a6be4c5fcaace12714e5bd3cb170b645655c79997cbcd7d7fcb4a5b1a0bd2de.exe
-
Size
767KB
-
MD5
f48c142ac82f6874d1256c5f266a6ef2
-
SHA1
bb1d810cfa29eab5d37543ddca8b643887ac5855
-
SHA256
7a6be4c5fcaace12714e5bd3cb170b645655c79997cbcd7d7fcb4a5b1a0bd2de
-
SHA512
6d038c06a69c9cf446b002d1cc9297051e87478e6a7d755152a5309ca587b37b727d13903a322a4ffa757d95024c26ef4d2b06eb3856d9f9f79fa5ee705a4def
-
SSDEEP
12288:AdsBWptwlMYHUVmkzTyuhdQFdOq8mC4qJQAwXIoccqWT8kSHi6GP0gd6m56FliAV:AW0pmmY0Vm+1hd5t7w9ccGC6GPB8iAV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7a6be4c5fcaace12714e5bd3cb170b645655c79997cbcd7d7fcb4a5b1a0bd2de.exe"C:\Users\Admin\AppData\Local\Temp\7a6be4c5fcaace12714e5bd3cb170b645655c79997cbcd7d7fcb4a5b1a0bd2de.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\04745c5de6d397aed09905fe59\update\update.exec:\04745c5de6d397aed09905fe59\update\update.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
703KB
MD512a8816119a4982fd8e522fb974ee284
SHA15728e05c61af004536d5c0b65cca0fefd89066c0
SHA256ca81e833aca7a7b9c41038dedbf85e9381e709fd558c36c4e4c272231e411063
SHA51275d971b1112eef2250c9a91337d228a914daa82885b1132228988c4e62dca228bfd51f150698696523870b5e064e0530a523b7a7a828079e29a031c7eb24176a
-
Filesize
700KB
MD513f40799bd1bf4b7e3e8c77194121342
SHA12d723e5d9abc98f1432c939cd7626d102469c12d
SHA2562a12d2bcb26e96babbc82737ffe30d76afe7db8daf40c7c3594d9665d5dfdb17
SHA512237d7fb124a7b577598e1f2191afc80513992c0af9e290956b82aae18d8c6daeb3dfab457deb3378e2b17d69c17d757faf98a8b5ea0cee7d3c50b18367312aed
-
Filesize
363KB
MD594b3ff0f65e277bdbbc5e39747ea034d
SHA14bfb51f6d77f5123728c0bf360f4396617c1cd5e
SHA2565e4f341be4c0627d02282aad5f1df9a73cf9600f41325c0fd3783f119f421b81
SHA5128643b0b7c38e9fa18d1537bb783a6674e37600d2e882d7ea66c26ffb761eaeeb87a69d04513525c34b2dea964b8a90cd11c4a2e863ac58766c4d5b06ddf47d24
-
Filesize
8KB
MD553f295b0d5174cae972a2ac2ffd5ff77
SHA16a012113496c8f0857a0e741a5375e8c1dbcf0fe
SHA256b1b0c9fc7967e8897a411b22e37fe6dda27c401de1e867440f94caf085cbdb05
SHA5129dd2a798ce0e6a35a97acd38bc4dcb713f86e9697b0889a81907454f80f6be98973a7569cfddd88bbaeb21099ea0ef345c5d791993cacf1d8163bdd1c821c7e2
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
848KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
848KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
848KB