Analysis
-
max time kernel
29s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
29-06-2024 04:21
General
-
Target
e63d0241072b0c54aa33feca3c08b217e13a337e554aac2d579d15b60f1ecc50.exe
-
Size
732KB
-
MD5
113aaec1011cf6a0e1db11100b603d36
-
SHA1
eb68cbe430ec0b1e3c07a81819f09dd84de31e4e
-
SHA256
e63d0241072b0c54aa33feca3c08b217e13a337e554aac2d579d15b60f1ecc50
-
SHA512
77c9ee398ba36e9b13270ffe467c72cc54a099e607a57672c80e9dfc1516ef3f11dc189b0f8faf7ce5751c18fdd1684e74b33503b2b0524ee205f65427746c43
-
SSDEEP
12288:RTyjXW+48qWywrU4kGFezOAVuJ5PIIww7F5DO3HYffJQC:VIXW/8yw1ez54lIeF5SXYHJ7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e63d0241072b0c54aa33feca3c08b217e13a337e554aac2d579d15b60f1ecc50.exe"C:\Users\Admin\AppData\Local\Temp\e63d0241072b0c54aa33feca3c08b217e13a337e554aac2d579d15b60f1ecc50.exe"2⤵
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exeC:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe3⤵
- Modifies firewall policy service
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
8Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Hide Artifacts
2Hidden Files and Directories
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0F763025_Rar\rundll32.exeFilesize
664KB
MD52eb5d76180ce7b3241b281fa79ab3483
SHA106293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA51235f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d89361ba5b2e0ea562492ceca0cc8736
SHA14147bdd049854b92c09b4cbecb28c93ac75b44f3
SHA25691923f3b70851599259acd79609c5c111fddff7a9419b1269c8293aa2b6adb36
SHA51266d5e8bef03ae89d54db3e0b2a2057d6dd12470f8742b74bf01abdecb7b95d7a9bda61d054d3a3b4ba14684366cb35b5e498ea380231c084c78b5e1dca6b8c16
-
C:\kahdfx.pifFilesize
100KB
MD542984f4171a04f2c98ea190af00f2b40
SHA1923504b510de1df236a65c0747b2f364be78fbff
SHA2560716f03f38a345cee20a262f7aee1d4f2b0dd7872b1f1e00049bd2fec01509da
SHA5123bd35b25bd005967536c560dbb790bd5e61b7ba82c6da7b8ed7b03ff8371e343426ef6228ad329a7cb673427237ae985b3f60ff1c9ec527839af42aa1c04a184
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exeFilesize
732KB
MD5113aaec1011cf6a0e1db11100b603d36
SHA1eb68cbe430ec0b1e3c07a81819f09dd84de31e4e
SHA256e63d0241072b0c54aa33feca3c08b217e13a337e554aac2d579d15b60f1ecc50
SHA51277c9ee398ba36e9b13270ffe467c72cc54a099e607a57672c80e9dfc1516ef3f11dc189b0f8faf7ce5751c18fdd1684e74b33503b2b0524ee205f65427746c43
-
memory/1100-17-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/1916-57-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
-
memory/1916-33-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-8-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-4-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-16-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-29-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/1916-28-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1916-25-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1916-24-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/1916-10-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-15-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-9-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-5-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-7-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-38-0x000000000A800000-0x000000000A8BF000-memory.dmpFilesize
764KB
-
memory/1916-46-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-0-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
-
memory/1916-47-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/1916-6-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-11-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/1916-3-0x0000000002680000-0x000000000370E000-memory.dmpFilesize
16.6MB
-
memory/2720-81-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/2720-82-0x0000000000340000-0x0000000000342000-memory.dmpFilesize
8KB
-
memory/2720-83-0x0000000000340000-0x0000000000342000-memory.dmpFilesize
8KB
-
memory/2720-69-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-67-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-65-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-64-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-66-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-61-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-68-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-70-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-63-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-88-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-87-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-89-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-91-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-152-0x0000000003AC0000-0x0000000004B4E000-memory.dmpFilesize
16.6MB
-
memory/2720-166-0x0000000000340000-0x0000000000342000-memory.dmpFilesize
8KB
-
memory/2720-39-0x0000000000400000-0x00000000004BF000-memory.dmpFilesize
764KB
-
memory/2720-214-0x0000000003AC0000-0x0000000003B4D000-memory.dmpFilesize
564KB