Analysis
-
max time kernel
82s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
02-02-2025 08:01
General
-
Target
abc/R700,.exe
-
Size
1.2MB
-
MD5
7683790ae33576643b69c12d640fd5fc
-
SHA1
adbd241d4dc1ff76dd5269b00b6c0278bb50588c
-
SHA256
a5d1941cd0dafe9f7ee2034200e2aca8f2e323a5eeb7fb9f3b210906b8e5158f
-
SHA512
b3ace082767cccda5d21ddec192e37fe1ce4d15c50374a140a1700c8c28231aa3b56fe1ee4a011f17d67b40b5ab2a610ae03367574149f143af218956e4bef94
-
SSDEEP
24576:TmPZ/5jLtGHyhdFP8gxBYTICZazH0XHEvJ4BDm:KPZ/ltGakgxYa0XHEG6
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 9 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 7 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 40 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc\R700,.exe"C:\Users\Admin\AppData\Local\Temp\abc\R700,.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\abc\3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\191dd0\WD32BEB.EXEC:\Windows\system32\\191dd0\WD32BEB.EXE3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD54c9e8f81bf741a61915d0d4fc49d595e
SHA1d033008b3a0e5d3fc8876e0423ee5509ecb3897c
SHA256951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129
SHA512cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7
-
Filesize
48KB
MD5bf9bcf86d8767e8b743af94cb1970f87
SHA13cb1b967016e0a9ed244fc3c002cdd594afdd2d6
SHA2565064bb1a3713c9a72c978d5f3744d9a743d22f700a0cce08523cb861de7e4ce7
SHA512ca42ed7b5324072afce8d676020b9e89041e623d5f0bf192b735e7a1e77df916ddee5cb8507afecb5a68aa6648aa336f4943f3fd1aadf2ae395ad11417c3762f
-
Filesize
328KB
MD57bcb58659e959d65514c45cd01bfc8e4
SHA1c2f41529a536c746ac0cf92c026dea65798f3ee7
SHA256f37248aa68d84818fba2b1ea160d7eec4d3f426eeca4d215c8db8d8389d18388
SHA5120b33bbcb059de95e74e9e115fb09ca73846720041113c9cab10e5dec40024136241d66a92181527e36db714c4c96ee532b7df00ae2c10798d8bea947f6762217
-
Filesize
124KB
MD593cdb6a29b7dc77a97ea9ac5ff8aab8a
SHA1dbca2b77362683948e0ccdba824c1a7166d3409f
SHA2563f929d34cd96cef878c3e5e0ee185173b1ae4caeed60838e32b63d45c055db80
SHA51226b6d74980b4f3be40efa4cafce485dfa5a8397b16c0e3fcb3ace18887ffcc0c6dd6351bffde8e7de95af2f570baa7081131529ed2b0449982df001bc1065478
-
Filesize
1.1MB
MD584b74113dc0a776ae9ffc2ff0cb79e46
SHA155b710400c1c01281a00b9da6b36cb4a8943d55d
SHA2565c6786cb8c4179fd9b6cd57c7d49a2cb82f4e873f296e23951d42290883b52c7
SHA512c3879146564848cfbcdfcba1913bd9e163a91070c635e5fb1b1ff033f3c09f20fc4f7af971b69343c6ae17307c304135253e8893b44a73fa2da83cfc5b2f321b
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
1.1MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
132KB
-
Filesize
508KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
508KB
-
Filesize
1.1MB
-
Filesize
16.7MB
-
Filesize
60KB
-
Filesize
16.7MB
-
Filesize
60KB
-
Filesize
16.7MB
-
Filesize
132KB
-
Filesize
388KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
224KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
1.1MB
-
Filesize
48KB