Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
30-06-2024 19:32
General
-
Target
0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe
-
Size
505KB
-
MD5
13162c54c4d8e425799ab947e57df82b
-
SHA1
02e7518ebc738d1be6c6079701b47d12f76ee33b
-
SHA256
0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca
-
SHA512
f7aad4cde66b4414ef7a5fb7e09032d4423932a5803d366876fb7d1e6686c8e48329a8d7d59c1c8eb88bd77a92ed7f6f7a7ae0d02cf981a2554b5f12118da57f
-
SSDEEP
12288:FMsi9TgKPChlEiYOAkycjo+ZToV0vloD29/:FQgKCYLtcPo+o29/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe"C:\Users\Admin\AppData\Local\Temp\0e4fc8e09d8bfa3094bc9859c63eaee96d036fc5513c2576101a3dde06b289ca.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://down.360safe.com/setupbeta.exe3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
6Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1112-18-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2228-27-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/2228-5-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-7-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-8-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-9-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-11-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-3-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-32-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2228-31-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2228-12-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-30-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/2228-0-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2228-60-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-4-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-10-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-6-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-33-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-34-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-35-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-36-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-37-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-39-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-40-0x0000000001E50000-0x0000000002F0A000-memory.dmpFilesize
16.7MB
-
memory/2228-59-0x0000000000400000-0x0000000000482000-memory.dmpFilesize
520KB
-
memory/2228-46-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2228-26-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB