Analysis

  • max time kernel
    27s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 09:07

General

  • Target

    92d759bf0e13a67c10f151d8200795b76b2a6eeb07570db358c2df03a77b1bb0N.exe

  • Size

    1.1MB

  • MD5

    2eef29a0d934cee51c90c89a4e772570

  • SHA1

    f1e32de97b43d5394d46da30b1a895ed3397ce04

  • SHA256

    92d759bf0e13a67c10f151d8200795b76b2a6eeb07570db358c2df03a77b1bb0

  • SHA512

    6ae70a8f59970f1f91511b6a4f51170e3d7744aa1e3c7ce4b8ef64a28098f68f430d080199e7a7b764df18e946e4ef0955b9859ed768e56092b97f072ee4eecb

  • SSDEEP

    24576:0iZ1IdkiaMTNXs8q73ratc8qwBWc0JE9UcyL6nGIrNDXqHqApX:rd/eehjratJBn9Uc+GGI56HLB

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 28 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1048
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1056
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1124
          • C:\Users\Admin\AppData\Local\Temp\92d759bf0e13a67c10f151d8200795b76b2a6eeb07570db358c2df03a77b1bb0N.exe
            "C:\Users\Admin\AppData\Local\Temp\92d759bf0e13a67c10f151d8200795b76b2a6eeb07570db358c2df03a77b1bb0N.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1780
            • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\Setup.exe
              "C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\Setup.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2956
              • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
                "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:540
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1472
          • C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
            C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
              "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" -RegServer
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2084

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini

            Filesize

            27KB

            MD5

            243e31cac3a47d88aaf039c698928247

            SHA1

            ec1913f97c61d51f879374dbdb0b91bb82c38854

            SHA256

            a841b2a687122c08e28440c29efe7be222cc9883a6c368747172a222d930a3da

            SHA512

            c279faf68b41b800442c374efc9a6c715aa05143837b5355d3b85565567b15037b3af10f25b0bb474909b45bbfa69c2e18ca9cc409aeb4f153aea3ec5520e518

          • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll

            Filesize

            208KB

            MD5

            fc4a921f70a6756a8dde441dd9f2e74a

            SHA1

            ee049f9b4a613eadd30dc024daab55786b4c7739

            SHA256

            ce762f688c098cb4ceda474902ae06004a75b9d62bce55e701b225b0845dab6e

            SHA512

            b45ad0b9215c3db627e2b316bfbc8df8d883df2ee3ee206967dd51532c7bc80099a9cca139c1aa83919a2367f068f5c8f2299a1ad89148f8439ebcf2aed948f7

          • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll

            Filesize

            148KB

            MD5

            624f7a2247d0b6bdab236adbce24b11d

            SHA1

            fec5a27937b376087be9af74db45f7e8f62c93f5

            SHA256

            984e3391ac2a783045154453d1b2397411a32e81d24e479fcea4ed0ac9817899

            SHA512

            5c1652e0eaa6b5e841dcc07e13143ab2076fc02c4ca016fab2a894ba7a50c5c85d1619341109f9ab84c81d33b5a4b8018c25e2614bbf809ae135614499928a2c

          • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

            Filesize

            204KB

            MD5

            bf9479e7b9de3c2333f25a2fc558001a

            SHA1

            a4c86180520d356ffe9271f9cf36e9866b3a3715

            SHA256

            ede31c8f2ead504a1b3556e1285a7c071add3145db68589472c4161a573a6717

            SHA512

            0458dab6ad3ba257f4ea482bf9c17b6661ed77f0b22daa695c698fc5c21e9620831aa0caaf123cb902f1547d11d54bb7a0b6255968cef8f894b36796a4e43b53

          • C:\Users\Admin\AppData\Local\Temp\0F76FD52_Rar\92d759bf0e13a67c10f151d8200795b76b2a6eeb07570db358c2df03a77b1bb0N.exe

            Filesize

            1.1MB

            MD5

            c21a76a86bac625d5ea65ee9337efd31

            SHA1

            af170f664ad1b1bf3abbfb2a117d584289fcb73c

            SHA256

            6446b39e32fc68f12b0f84b366799c0775a4a656d5417e8ab7582e8bf44c73f5

            SHA512

            00cd1cd52ceb2c08aa50de8464fc86b61f20059cc1d319b433ac935e532d64ec0aabafa9ffd086d52c518c3d6365c2c1d766021a538db74e9097a897d0aba3af

          • C:\Users\Admin\AppData\Local\Temp\PFTFD5~1\IKernel.ex_

            Filesize

            250KB

            MD5

            c452d061be5d6b5ae0b1a7a371643bf4

            SHA1

            9e02dfd5c80287245494cb06ffebd622ce7b438d

            SHA256

            929a2f50579e401ca1642ba89274a7dcb0d39dff8a484a4bfae6f412dffaef27

            SHA512

            5570de631d61f326ade17d48136465b050c554f77069fd4349cc6b99f73a916b7c0fc21e757da82dd158af78ebcfd3853b22cfccf04d46f7634c4cd124741694

          • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\data1.cab

            Filesize

            546KB

            MD5

            4b2a68adb1defb204341e609260ffa94

            SHA1

            f4612db5e1b59be11965fc6187ca483db2c93580

            SHA256

            194a68dbdc11d4697a30dd29ded5773c9e93083ff8de445a5f72a133a4463de7

            SHA512

            e227dfc74cf3666497bd768d18a4819109c96c38e41a7384a73cd2e7634ff66288d5afb751363d4e12d3af8b6ce31951bdd04927621c1f732e07d9c5bef35fee

          • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\layout.bin

            Filesize

            441B

            MD5

            3595cdb07c48afd189fb18c662d82a00

            SHA1

            255640b26da052d1d0a600b08026cfa499d16ac1

            SHA256

            8a6fbd6198eb169b663664f2d3b72e8dd69aa550a6118528bd370ce4fb902c29

            SHA512

            eb5916d2f98daa8e09a5ef0c4383079f5c82fd297bc1599dbcffc8ab50d2ecdecc86ec21a9c9713c4a963c0a7f5b3ba798a38792ee9f9b7ee17c400a4be76e3d

          • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\pftw1.pkg

            Filesize

            962KB

            MD5

            b326de165550aa2e7a2dd30f446c1acb

            SHA1

            a779a6bfdc7f9c284a5af46115ef36a8198733bd

            SHA256

            e1176418f2a1690032dd7312c95e8ba23ae3d0f45188819c2c63fe297501d7a3

            SHA512

            0df83a20ec18cd19036fb7cf451bbfd838814b49c25d4f3c66ccc63b2f2da9092827dd28be3cb09e571c5fb0d808e4b5d63bc0beeda6c23338afc6d8f68de696

          • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\setup.bmp

            Filesize

            471KB

            MD5

            38fb45ab3d0b2267da11ae9d12a24dbe

            SHA1

            1dd42ddcd070aa6a2536e0ed5ebcc6a2aa45debf

            SHA256

            15d5be290e2d34ece064c047ba48adc7fc4f9c6b4b1bc0d6e95f37fdc07c9444

            SHA512

            32e475db1dbe027bec4352021556eda774533b07628b98cfb982d5df84f55e68dfffcb00c4d8d0ac5c50e7e346dafe3f2ada1009c401adc8d938d87ddc3f28c4

          • C:\Users\Admin\AppData\Local\Temp\pftFD54~tmp\setup.ini

            Filesize

            160B

            MD5

            c80b9a31cc07952ed78c6cf5716b7d64

            SHA1

            949f8a812cbfe97638a58c5846fca97de9780c71

            SHA256

            a085d26972bbc6bf83cc2237bf1d3aa9f4204769ebfd2bd1d79a7e0a63ff2144

            SHA512

            f24970e17b9acc57a851c56eabaf184cd6d67862afca0f3e852aac732b4b76a03bb04801e69a67b93c8a99d605a8048b34d42bcd898205b0ef0b798937c82830

          • C:\Users\Admin\AppData\Local\Temp\plfE1B8.tmp

            Filesize

            3KB

            MD5

            a58d41fea85a25e85a753dd5f26070af

            SHA1

            b207e5aea708d070c7faac3132a406e5ad27c683

            SHA256

            6f077da9d868c427af27ebfb378101d1cbbbc2424899d3ae783c8e6c04d17616

            SHA512

            1ff66bc3076cc5ab24ddf42ebfee6638d64925fcf26d7643e3a2376c6911f6f03aca30f2004000dd1657df47da374807e4e95c7b7a06bcb45d314ce1d1bd0695

          • C:\Users\Admin\AppData\Local\Temp\{416d3aa4-fc00-11d3-98e4-181243000000}\setup.inx

            Filesize

            112KB

            MD5

            a9c34b05fce67b1b84b6c5712dd2bb4f

            SHA1

            75edb8a951fdbb90c70a89f2b9da22a02c43b298

            SHA256

            9d1ccfd8fcfaf3009078c91560d3e1cf0a95196b10d5cc2748145f921153b80e

            SHA512

            18530705e9908dcb17c3400712253cc3a64938cba1194fa35bc3075d4f6e712fc9bd3b50b4dc167f130ec7ec12d0c4451513b0d7872eeb693e1b682343a8861e

          • \??\c:\users\admin\appdata\local\temp\pftfd54~tmp\data1.hdr

            Filesize

            13KB

            MD5

            ff7d05d5e85e3aa750adabe958b423ed

            SHA1

            1704693d24f2128525e55f6525f3274fdf948c39

            SHA256

            2b4781909234b2d9c7309a26d82177386f50052e0966b67885536df961a63e04

            SHA512

            912b99e03bc8728bdcce00409ea292ae0ec165238c8c9ecd4e76ef63431af2c009a38a15f6afe2a8e9cbfbd15fbe37afd41eb1f86cfa952b61341ff4a37cfd73

          • \Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll

            Filesize

            232KB

            MD5

            344d211d79053a6b4a6d0897942488b7

            SHA1

            385cd1d6a86cbc721e18f4169b5c58c855639c5d

            SHA256

            8047f9354eb66963cc09eb44920c158c41465153ee0ed7bb7ad8e8a66ffb114a

            SHA512

            211668a76287fcc8647e935d24b4f88471ef2d1b0709a7ded3b1d7a5939a09a4c0f986f2d5e86f3734ef338226df97522a5b1ae96e1a07b5b4ebbaed17af9cb0

          • \Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe

            Filesize

            448KB

            MD5

            fe57fd4212a3c976382070e85dae79ab

            SHA1

            c60195656f8d8bff5fb87f3caeb3d341924eff3b

            SHA256

            bde199b3edc8e746bb4885c34d26077bf5423d3cf82385172f16b3d062d1938d

            SHA512

            9ee74698fe12382def51eda2479b8119f4e654efd40695469ddae1c931b7d9279b6747c538a45f1560268bd85cf38a9134aa1f150315215e1ccac4d72edc8991

          • \Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

            Filesize

            32KB

            MD5

            b3bab51daf1331ec48981e20c9cbb2b7

            SHA1

            d4ca6ec377b9a5c2677f22e7c0c6a51b173e020e

            SHA256

            1aacf1666132a2a6ffee05e6077924e0717c9a0690d657821e1e9e6ad63cb3e7

            SHA512

            43779da4ce317f146c3651bcb7dfe48822ee285e30e1a4bcb049d9eac160b18687df0ceefa5fe23f1d492631f3899f05cfe4a6de259936f99274ffbce9e3512c

          • \Users\Admin\AppData\Local\Temp\pftFD54~tmp\Setup.exe

            Filesize

            35KB

            MD5

            a81fb6afcc0503ebd21915f128d1836d

            SHA1

            f8b5759afa5cb055c8d5ffce2718722671da0c20

            SHA256

            380d6d28b7cfb2c6f4b964ec5d1f5b04c932a370272ca96190178717448913cb

            SHA512

            a091861f4e67448077fafce577867a87736c8ffa44699c7e298a7acaf3e2d7577023549ac0c717fff3779ead8252eb29ecafdb72fc577d6bcdc88db2955245c0

          • \Users\Admin\AppData\Local\Temp\{416d3aa4-fc00-11d3-98e4-181243000000}\_IsRes.dll

            Filesize

            188KB

            MD5

            fba4c93509629d66ebc0dbb9cf78ebaf

            SHA1

            1bafd79b3482d2f8833e5b18e5fd7113749b83ed

            SHA256

            25c4c127eac5b2136b7bc04561aab5f93a9125f16e2a8cc803cb5e45958d8203

            SHA512

            b492d0ff26f03183cd51759a5f1285ba9b41b5bd3f261629ca0958a429423b2e453ec8cba4fcb0261f82c263801cd609484146d2b18026a1459056c52ce78a9b

          • \Users\Admin\AppData\Local\Temp\{416d3aa4-fc00-11d3-98e4-181243000000}\isrt.dll

            Filesize

            300KB

            MD5

            a114f27ceb0b6ab1403bd8cff6771491

            SHA1

            a434b1393f1e114d35740b400d0c16a0a3af70c7

            SHA256

            7dd25a8e21b97990c514885a6cf4dc384c671907845d69614583c697a54cc1b7

            SHA512

            be5c1a984e74c999d787a1f02ffe36bd71e0b8e2e93fb63fc70ce9c71066a2d9111cbc7c33f6c203f7cc2537c0137078c77e02de2555bc67346455cce47cc9e3

          • memory/1048-38-0x00000000003A0000-0x00000000003A2000-memory.dmp

            Filesize

            8KB

          • memory/1388-168-0x0000000000A70000-0x0000000000A97000-memory.dmp

            Filesize

            156KB

          • memory/1388-190-0x0000000000A70000-0x0000000000AAC000-memory.dmp

            Filesize

            240KB

          • memory/1388-221-0x0000000000AD0000-0x0000000000B0C000-memory.dmp

            Filesize

            240KB

          • memory/1388-226-0x00000000035B0000-0x00000000035FE000-memory.dmp

            Filesize

            312KB

          • memory/1388-230-0x0000000003650000-0x0000000003684000-memory.dmp

            Filesize

            208KB

          • memory/1388-181-0x0000000000A70000-0x0000000000AA4000-memory.dmp

            Filesize

            208KB

          • memory/1780-17-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-56-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-20-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-16-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-18-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-61-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-48-0x0000000004870000-0x0000000004872000-memory.dmp

            Filesize

            8KB

          • memory/1780-60-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-49-0x00000000048D0000-0x00000000048D1000-memory.dmp

            Filesize

            4KB

          • memory/1780-51-0x00000000048D0000-0x00000000048D1000-memory.dmp

            Filesize

            4KB

          • memory/1780-21-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-58-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-52-0x0000000004870000-0x0000000004872000-memory.dmp

            Filesize

            8KB

          • memory/1780-57-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-0-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB

          • memory/1780-13-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-53-0x0000000004870000-0x0000000004872000-memory.dmp

            Filesize

            8KB

          • memory/1780-55-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-238-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-54-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-22-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-157-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-14-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-19-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-15-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-3-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-240-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-1-0x00000000002A0000-0x00000000002D7000-memory.dmp

            Filesize

            220KB

          • memory/1780-2-0x00000000002A0000-0x00000000002D7000-memory.dmp

            Filesize

            220KB

          • memory/1780-264-0x0000000004870000-0x0000000004872000-memory.dmp

            Filesize

            8KB

          • memory/1780-362-0x00000000022C0000-0x000000000337A000-memory.dmp

            Filesize

            16.7MB

          • memory/1780-361-0x0000000000400000-0x0000000000437000-memory.dmp

            Filesize

            220KB