Analysis

  • max time kernel
    118s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 23:21

General

  • Target

    e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe

  • Size

    1012KB

  • MD5

    3c8349453436e1bb2383d81edf04c550

  • SHA1

    3da06cb3376b1721e4d875c10f5a6953662abcf0

  • SHA256

    e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02

  • SHA512

    59f49b92a3cd5fb3abe683c6c19747d2c7986469caafc266f81b409e8a12975df59c3db2787acebd35d626fdc0d3c8a82d16527679abfceea7ca780a44d411f1

  • SSDEEP

    12288:k1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0INK4h1oWxJpcEi0/3IWV//7cSd8HR4bm:k1/aGLDCM4D8ayGM0R3o8/oAuylKi+t

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1052
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1140
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1164
          • C:\Users\Admin\AppData\Local\Temp\e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
            "C:\Users\Admin\AppData\Local\Temp\e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2696
            • C:\ProgramData\dbdysx.exe
              "C:\ProgramData\dbdysx.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2804
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2004

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache .exe

            Filesize

            1012KB

            MD5

            9773bf313ffe4f4027fb6fa3aa896384

            SHA1

            208d0575420bd6b3bba56674fff19ac18f0a2e4e

            SHA256

            6fd181ab0ad898041547c38472dbc9e617f7b907ee1003c5537b9eeb2ebaa561

            SHA512

            92449a982e731f1831f5133d7f9068454fd0b0e5129b67574fe7a9fdfb6755f7e9349d1b302c984d26f7ecdb2d787e9c71c188356597bcae8a9bb787388f8fed

          • C:\ProgramData\Saaaalamm\Mira.h

            Filesize

            557KB

            MD5

            8d0dcbc1481a967175e19dfa204d461e

            SHA1

            e785b892957645d143f1408e71811130f8d3db96

            SHA256

            a723e131c3067b612750c583cab54524721189ed95929f96dc71b326a98e4b72

            SHA512

            8457e9a648ace64fadfc5bc742ec3c1315c5815176a06c3c37271cf4a7cd9b1030dddd1077f353a393435a5442ecc8983c7dd1e0a090d5e3d7711231589af1ba

          • \ProgramData\dbdysx.exe

            Filesize

            454KB

            MD5

            47edcd0306bb49e327b7ce6cc862769c

            SHA1

            b2efb1b2960069d7f989f04df5ca563462e3e114

            SHA256

            8ef9154d4b9c7624e81394506b25f592eb848d2828d7645ba626cf48821a7b4c

            SHA512

            d4d9d12381d1da25072cf8ce13c9fb32d553f4fea1404f8e79bc61338e220cde5e1e9f64a4886bc19db0d268feae70c640b9765c4fdb25622eee27a774b0d2cf

          • memory/1052-12-0x0000000000220000-0x0000000000222000-memory.dmp

            Filesize

            8KB

          • memory/2696-19-0x0000000000A20000-0x0000000000A22000-memory.dmp

            Filesize

            8KB

          • memory/2696-4-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-0-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

          • memory/2696-23-0x0000000000A30000-0x0000000000A31000-memory.dmp

            Filesize

            4KB

          • memory/2696-25-0x0000000000A20000-0x0000000000A22000-memory.dmp

            Filesize

            8KB

          • memory/2696-24-0x0000000000A20000-0x0000000000A22000-memory.dmp

            Filesize

            8KB

          • memory/2696-8-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-7-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-6-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-11-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-9-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-20-0x0000000000A30000-0x0000000000A31000-memory.dmp

            Filesize

            4KB

          • memory/2696-10-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-55-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-5-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-52-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

          • memory/2696-2-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-29-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2696-30-0x0000000002170000-0x00000000031FE000-memory.dmp

            Filesize

            16.6MB

          • memory/2804-143-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2804-231-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB