Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 06:26

General

  • Target

    cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe

  • Size

    655KB

  • MD5

    9abc05fbb9ad054f9c44d349fb61307d

  • SHA1

    280926fe7a685d4cd3c752feb0a3284b4f2b6e74

  • SHA256

    cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad

  • SHA512

    8caff24b566437d21f3fe1ce544d2894bdbd2754177049ffcd7e77e140137008c998a6286dd77f7aca455eb6061c7b790383ea6b299e01e724fcc7bdae535e28

  • SSDEEP

    12288:hGdfJDRM8SmKrBh69VpmSi6AxOzaO9TsnD98A7xH5zbgbWlIzkJZ:gdhDRYmKi9XiZYzZ9TSD9J7xH5zsbWlL

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe
    "C:\Users\Admin\AppData\Local\Temp\cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2196

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2196-0-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

  • memory/2196-3-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-4-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-5-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-8-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-16-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

  • memory/2196-11-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-7-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

  • memory/2196-6-0x0000000002250000-0x000000000330A000-memory.dmp

    Filesize

    16.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.