Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
05-02-2025 13:54
General
-
Target
418f5bab148534bb9cd704a9d0442aeeb1aeff2a229a05046bd4c178019da862N.exe
-
Size
1.7MB
-
MD5
013ecad170ae4493231353de4b5808d0
-
SHA1
787c12b83e8413f5de4d12054e315460d174ecad
-
SHA256
418f5bab148534bb9cd704a9d0442aeeb1aeff2a229a05046bd4c178019da862
-
SHA512
8c413737c4ae4d5205d8d1ed90ce613bd0118dcfbcd20fc088036195adfe1becc89eba19abb66d82f81dbfff922ab06a7dc519c95b58b11bf260b566df899cc3
-
SSDEEP
49152:TSuXa7DygjViavcddlfUYS2ApJL7BtaTdZbOND:TSUqxjVi7WYDuVBAjil
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\418f5bab148534bb9cd704a9d0442aeeb1aeff2a229a05046bd4c178019da862N.exe"C:\Users\Admin\AppData\Local\Temp\418f5bab148534bb9cd704a9d0442aeeb1aeff2a229a05046bd4c178019da862N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
\??\c:\a226870e20c3b0b2c95834\update\update.exec:\a226870e20c3b0b2c95834\update\update.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD55dec374b7b81234e709a4a6ee4fd573d
SHA1d80037c1b662e33adb96da0637cc6969a10af892
SHA256895462d3e56ed029728bea718a8e61be12aeab87fb5bf9939613fecec1136637
SHA512053f81a73185af8e8822fda38518b707aaa263ebbaf9e96d74bd360ac2da802dbd14ce6fcebc70edaa4baa54ecce0e93be278fc6e015687185b4eab6306cf7b6
-
Filesize
20KB
MD57bb67070982a0c04731e443fc8268508
SHA18322aca0bcee3afd0b1212359508e79d6e0017b3
SHA256082b7c89d78d27a764065b7770d5ee106f46437650c04cd409dfa50c1115b6d1
SHA5127bce689d8f756179bfc790e3d7d5eef5fc7ffde983369e6984d44bbf92d16720d0bfd7d0c96cfeddceb0d487fb6216a629b6e6470e9d5859fa2c7de209a4c740
-
Filesize
25KB
MD5ee207e35aea4d5df41d90221e1b66efa
SHA1757469cf9ad2f21f267bbe730560114fdf8a89a5
SHA256cf64c95e9a2d02967efc22b00efb3736156b913a95231eb63c1df45d43475e64
SHA51243e9f75725daa4f3428b2d9cee2c2cc8b2f2e991b8e58d72d2f429fbdfb614c86d172f03d3f9da98756bd4e245643d9a57c6efa422d6c60ad364a2322245542d
-
Filesize
699KB
MD50b630c8656b1ea82c82b929d51fa351b
SHA12be63bbb8e54a471bbc4bda98c9157903e821be2
SHA256480bbbbd89d8275bacdd5cfce22d845785de61a1fbee787ebd2f67c54eaf3e21
SHA5129d804dc534627abc3b7625fe505bfdc6bdb33a23ae46fe6263beb380d92b1dd35b2d1b3a272c87f709413c30f6cd4e6bc271c3ae3ccfb13081679acbe035ebda
-
Filesize
362KB
MD5e58ab8bfffc584dba6f7ec2f83f32b68
SHA1855d7c624feb67140dfbd7f07269eae98b15c23d
SHA2566d91f37649df6a6f5b180198d495cff9ebfaf264f9867b5d409dfb75ee83587c
SHA5127fd80646ea082ebe8017797d9ef2910d9e8ff0f7e0be50d708d2d0ea3edc8c4fa95b4f8f7f3c567fce2df586ffa5b0b76e3c5fd14d64f4dc135264d71ff0fa3f
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.8MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.8MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.8MB
-
Filesize
8KB
-
Filesize
16.7MB