Analysis
-
max time kernel
119s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-06-2024 02:28
General
-
Target
6234ee603e913259b81db21f73ab91ed8344e294f34bdfca4ece19cb67332e9c.exe
-
Size
767KB
-
MD5
916dd306d5b551070a73339e870f3642
-
SHA1
935832a602ddc2f8688d9bce1b2ef86b6d72b487
-
SHA256
6234ee603e913259b81db21f73ab91ed8344e294f34bdfca4ece19cb67332e9c
-
SHA512
04ee1ec57c7fda5f0d51ef53e5d721f9edfef4d0d139e64eca314eaaf24756c403103d28831fdb9246040ac34347a6582165c53fe776602a9d7a161e5863ba0d
-
SSDEEP
12288:E1V4L4PCtGDtlLJgsGoT6gYAMkZ6XlwAcMs+50tgAakT7hs5fDDbbjmh8Q0u8sZD:E1VUQDtlLJg3or6XKAsCI8T92
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6234ee603e913259b81db21f73ab91ed8344e294f34bdfca4ece19cb67332e9c.exe"C:\Users\Admin\AppData\Local\Temp\6234ee603e913259b81db21f73ab91ed8344e294f34bdfca4ece19cb67332e9c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setupbeta.exe3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
7Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58e880a498591d1bebea0ba59c1d20762
SHA1c2181c6814a58be21551d809f987a80f9de61b72
SHA256f86c8db857105504fdf6e49c66bcbbc587e9a273354166473e3ec8b41c687385
SHA51235266cd5a33ac91f59336cadb17af01a35e4d73079dd872919ab10d52a7928b4879ad6aa360bc15fd5732d7a0cbf0cede9640411a95bb47176eb873b665fc221
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a89f622f54fbb71e4ea3fccdf7def266
SHA17f2effabb6b900ce88c4963b64c077c566b655e1
SHA25637f3ae524c6428d8c10136a04ba255b151e4ded6c34856d6f7c8efc04d6deacc
SHA512a3fe52f95081d583c60f464b11e9681cdbce83db896d8ba7358a7910578a36408d78a98fe39dfed51258084478178bc6d9baeab233143893ade4727d1965bbe7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f871556f9d3c38ef4502aacce515c754
SHA18bdb7917aaf0e84807a69e2ae727c33045a48a9b
SHA256c501fb9ddfe6eb1bb66255762672dde5b957cd847fd4b04fc57a80d6e6a05a90
SHA512abdccc5efc649ce8f5c01c8c1f5eb548f7067bf95d3a600d28e0f5d7589a664070da5abfa831663420dc3c9bfb3fa3071133de73f2f4130fe9ebd9937248cc1d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c06080d97f080bd1fd36267eaa6af5e3
SHA1db9e8600557a7ddab7652c5e2a2466054df9e682
SHA2565bdf0368fe17415c27bbffa485d847ebb35d4b04a4a3eda2504bb590377a52fb
SHA512f4693fe3151f5177ba111b3cb57ff98b98f430e9f9043c3f186a389d3d6dc5c0beafef506dad9f2fc71f936770ba4425d04ffc6a56c810d03af3fd7ccc8b73dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56a3eab57e9a9d673a3612614bd017fea
SHA1d188941f5bab08f7625531546fa90f481e2cff95
SHA25692935c0ac344fd6e174be8d7d3a21be906a1e4c2bf7425cdce03b4f6555df6af
SHA512b7f6be4e4c6b627cd61546a98116c87cb5255a3d72923f981ad4fe2d429762de7a0331a9c02599c49dce4714992b0bb3a85e4341d917ba4bec08ecd3de6da2f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56be343a89a787acc7f5ba3c0925e79b7
SHA116c5be9a310870ac8dc0662e96e0c4bc1e6a87aa
SHA256ec1a66fbefa62c0afa135488c52209e3d15c31fde9a42f7f7f6f045d384a2142
SHA51278c0e3ab4e4151bfd058977f014c0f96b8bb29413a7e97a9f929020d56eedf8bacf2741a83b45730e80ea22806eacfa32a1f9af6331dc96655d69483032d28ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD521827158054f01efa832e0fc2d47ee6f
SHA197dc8ff284fe3802793a72db167d6dbeb2fb6776
SHA25689a877d0e8a71cea083f3eca05061b7ce65bcae6e4b7458995a31b80964474f9
SHA5127077b710674a211cbe76dc97a6a8e33c0b466ef81b4152c82be56100b59204b57bf5cdf432eb26c8f33bc1466fb6ce88d2c7273c800e19da95e51ab48e6929bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5508148608b1903a249f7d99d575cf919
SHA1b8224b4cdf29ea744c2b8d5bb129d9569f52480c
SHA256be43e854c8ec56fb5d4186973d424dd1231d2e3495b15975b7d902c318f9eede
SHA5120e5b4b5c71a31c99eea1ab6285dce7d0978d118639a23662c0c8192aca8aed02b605337a7fd6823ff908e77d8bec79436b595092c29f71dd6d81f03028c9ba44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD51eed01db08cbbc1a6a45eb12960e3cf0
SHA1427c552556c0e40489847aa0982b6d02cb08a37b
SHA2567626f3dc04ec42bb3eaaea8da7cfd7d1eb9419cedede909bde5584fcbcc5a13e
SHA512c960de656dc1742c476ccede05cdddc33d4021aa8f1207de505ea3b046f2ba48f588416f764aa4d0545e91c849a43425867d6394b0dba1ac6a8120d8564baa65
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55add7f0cb472462cb9c3a4db7885267c
SHA11b5aa13186759cb8cc4f35ee5603eca12dc23ce7
SHA256676c75140a30ec238c166e415a3f45aa63d7d65055248fc238f53256761c3983
SHA512920238991897c1b7f3c62a383a615f1b14a1103c6e5a97a4a542b4b0577933ff653d08e73265a0c9ec4d7dcd23d91d1f16c0006f2dd3f27314c46091bccb1208
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5415243f9a83b055df3bc03e620a8d008
SHA1617b2b53d8affdb5121577f405a45cd1ebba7aea
SHA2561de16fdf2ef4110ba0da8c19e192869126280225c727d779fa0bf23f459ba1b3
SHA51207e76d1dac0cfdce1189b16adfc5aa5b34d39832e9de374af4edb717884fd612f3d1619bd947f6ea7e2c3e2f2adc0178cd0847c956be3d5af36acfe7ef469a95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD511f6e8d2ee40f10fa320f351736b9021
SHA1fdccc113e342d5b5ec6191be481ece4deddaf697
SHA25674e38db031e71a1756a24300b2ccff6692ac119eb7da742efd7393487868eb00
SHA512ea46833f726f25c0eb1b99a52ba17ffd30f7800b61735d4d35c39bd8e44c88b4b8e10deaa70a5c6d1c01691fd693c2f3d2c0505af20b924a0156ba0d6dbf3edf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD52dde4e45ed118fc2f5e5650e33627665
SHA18f33e2775d23281cff66a63f87e1b99c0f9ae89d
SHA2567e9ce1b83d475cbefd628bea1fc5d7e289fb675b0db3934e0a5d8065276f4552
SHA5128c7e9c81532c466aeef559f764d44cbe8f37e8f116b1dd96f49a33b6bf763a917b1b772133e8bdf87b76e11ad0f7fe938e9cf6f5ad0e5a0b4dbfc5e1af07d16b
-
C:\Users\Admin\AppData\Local\Temp\Cab4931.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Cab4A21.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\Tar4A72.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
memory/1120-18-0x0000000000620000-0x0000000000622000-memory.dmpFilesize
8KB
-
memory/2976-28-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2976-11-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-36-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-38-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-37-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-40-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-56-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2976-34-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-5-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-7-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-3-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-35-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-27-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2976-0-0x0000000000400000-0x00000000004C2000-memory.dmpFilesize
776KB
-
memory/2976-33-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2976-31-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2976-32-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2976-12-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-9-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-4-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-6-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-10-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB
-
memory/2976-8-0x0000000001EC0000-0x0000000002F7A000-memory.dmpFilesize
16.7MB