Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-12-2024 04:54
General
-
Target
325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060edN.exe
-
Size
1.9MB
-
MD5
867c7366d3949b6a8c01607aa9bbc5f0
-
SHA1
27b142f1399c4493de3f855793586aa5e402a63b
-
SHA256
325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060ed
-
SHA512
9fd0ad42a0c64ee89ab552cf0f44d86af0be6f7afa77419e3f86c9dc64a517f0852fd2fef8919259ba81edee2808025a8786a079500d2a0c6e8e41a5b4043721
-
SSDEEP
49152:PeDJbTCgaFxKCnFnQXBbrtgb/iQvu0UHOc7:PeDJ6hFxvWbrtUTrUHOO
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060edN.exe"C:\Users\Admin\AppData\Local\Temp\325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060edN.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\@AEB02D.tmp.exe"C:\Users\Admin\AppData\Local\Temp\@AEB02D.tmp.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"6⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 25208⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin3.bat" "9⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\wtmps.exe"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\mscaps.exe"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060edN.exe"C:\Users\Admin\AppData\Local\Temp\325eb90e96a50a29f2e790f19b1a03ac95f9c6f1262e1840801de9d212b060edN.exe"4⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11179074872299015987624013-884344237307023812925822271-2078359812-84222960"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-863964503-55797419931773024532050371194300208814757589051148936782-1517326982"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD50a377bbfc57f26d47274f15f4b853a44
SHA1ebda14f4efdb4916ac6248226d62685f1c78576c
SHA25655811780a8f0b34ad50e92377a7b0c1f93d2b1b0d976fe311de3e10e64f8c23a
SHA512e53d16622ad2048e4e29054f5a0261f441cf76346c3fefedfb6d1f2f470e46f25a7b7baa66bceef55b893285d2a85f0725c507c2304757a3c159e146ceadca58
-
Filesize
406B
MD537512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA25627e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA5126d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641
-
Filesize
229KB
MD56f90e1169d19dfde14d6f753f06c862b
SHA1e9bca93c68d7df73d000f4a6e6eb73a343682ac5
SHA25670a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc
SHA512f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3
-
Filesize
276KB
MD575c1467042b38332d1ea0298f29fb592
SHA1f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA2563b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA5125c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0
-
Filesize
172KB
MD5daac1781c9d22f5743ade0cb41feaebf
SHA1e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA2566a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160
-
Filesize
129B
MD5d1073c9b34d1bbd570928734aacff6a5
SHA178714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA5124f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f
-
Filesize
196B
MD5f2dd13df2f85f004528f19ac20226a68
SHA1cdb0df85f2a017715cfeef513b2bd3b3cebac375
SHA256affb370cda8203ff45063140ae021a754ac5a3bb620e2a436656d3b745b89a3d
SHA51218a217a38216b560398ceb0cada2f464a9b4cee1dfadf1d2668cbab49378ff7a9efa7bede3998a978a1399bf41d54e860635b575da3cbfca551f1f4aedadcc66
-
Filesize
126B
MD5d4aee696896b5a810cd7b8b2187962e4
SHA14c30f5b778766daf9ceb1dc64b18664704b8267d
SHA256b18c6e22c6041fcec69469818b7d1c8f4263a3c29d8050272b2339c5d7d53351
SHA512eed2ccbe75b27a299155c0f2f43ce24808dc313eac582d6b724f835f61189c0a1184bb93c2afb35d199d44e27f4e4a5bb757e268f0412ffe15259fbee824e61b
-
Filesize
102B
MD52b3f985971a08dbe371fed4d3b3fb20e
SHA18b14a7c25990ddd814860b243fea53d2eaeb2d1f
SHA2561951da1827c047a9abffa8f9671b9bbca7e264c31d3681cc2e70716c91065e08
SHA512400b2c1f3638844ed823f423db94a2321604af4c40f3a26f932f482026b8ca1a493b781b3eec607a0d23e5acf0f7df993681e8e35ba6771a210fa01889166cf5
-
Filesize
257B
MD555fd9a2a31fc5b0459ddc6a8800a3175
SHA13db7d2654f62e66d3de6fabd7cbe69357dac7e53
SHA2563f454f922051b040f664dd2be9937876b53b05f2fff090ba2ef03072b4b50175
SHA512e51ca4dd5b5c9c3d9979474be83c68d773c29d6990f6b8e9fcb2eb5f1cc18319dd1e8c4989ad6ce1ed7d45975ac4d9e6dd45e9861f1053ce884bbe62cea7f234
-
Filesize
200KB
MD578d3c8705f8baf7d34e6a6737d1cfa18
SHA19f09e248a29311dbeefae9d85937b13da042a010
SHA2562c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA5129a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609
-
Filesize
116KB
MD5fc27846c7ef27c1d70fc234e81dcaaa4
SHA191c1b105a444d60f6c2c19848f0c0b7105f78267
SHA2566fbf6fa87e4d32f2583898e2f269a65bd9e9e48f0d42c0ddcad75ec4e3a7c929
SHA51227d669033b33e2be2a13350225d8fe764c090aa4c3f0c8df30b65a79948efdfab8dac5603f7db909430da3f1985d68e1c56eb302c229ed027152a3cbc5485254
-
Filesize
1.8MB
MD5bac38a3ccab64771cdcf1e4553adcbec
SHA1c3b5ccb26d1f44fa21450df1dd50e6aed7655cae
SHA256ded9a996e38fcaa584b3c750797adaab5824ad3c1c582b075eb141d461f3809d
SHA512f3008046e72e21eaef9bd336a4b72ca02957b8e8aba062185bc970182eb7bae1005c8c7f084092bbcaa84af897c5cb2d45b24478b43a298a8141cd043e35a297
-
Filesize
1.8MB
MD5ca226f874d7668b41c9b09c8ece67112
SHA15ce8914fc6019f8225a2170d2a46532cb944b3b3
SHA256dadb7226452148b37800a1c84013b400f4f5cdce0d2167e98c02325a69da5204
SHA512231cb6f52d27fdefd491a154cf4196974383cdbf656cd9cac3deb55e378d74f691e43d1206a01d30fe1ce8076f9fe913c5a086d22198235f22f1b0905c75bcfb
-
Filesize
202KB
MD57ff15a4f092cd4a96055ba69f903e3e9
SHA1a3d338a38c2b92f95129814973f59446668402a8
SHA2561b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA5124b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
84KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
308KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
308KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB