Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
05-07-2024 05:59
General
-
Target
1.0.0.2.exe
-
Size
5.0MB
-
MD5
ad809738e208d99a28009023546bc695
-
SHA1
3326e4971b5b23122dac680dfb9eb41df0692267
-
SHA256
775939b8bf22ee4999cebd8d9e1525ca9417464b5fe6ed1778f0a7b43d07d6ef
-
SHA512
2c730917acab6344b187a2e208bd0753f78c4afd4804a209b3af034a1c8d90e50f7ebc3a00556bd79dac2fa385c2376622d88ad65f1ef4ee5e8fcce5af23a5cb
-
SSDEEP
98304:k2ONi+29K/WE9PhBGjohAInvqIKofZP5UyeAQQm4OTb12pcFS+fRXN/f0ykSJf+P:k4+SK9hh4M5v9fZP5UNDcOnMp0xN/8dn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1.0.0.2.exe"C:\Users\Admin\AppData\Local\Temp\1.0.0.2.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\rksowY.exeC:\Users\Admin\AppData\Local\Temp\rksowY.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\69ed0314.bat" "4⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\69P6875H\k2[1].rarFilesize
4B
MD5d3b07384d113edec49eaa6238ad5ff00
SHA1f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA5120cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
C:\Users\Admin\AppData\Local\Temp\69ed0314.batFilesize
187B
MD53a2089692d5e01558fd8e525b3be064d
SHA14f4f711c3ea1555f405cb4d3dfa1ce814252e14b
SHA256302611cc5a045af821be411615cb3e12464165b8dac9faa64458f8a142e3c634
SHA512cf111e92e46c71f671f3e376fa801fd8f72fcfefd87afbf4a035c3749d4c846e301478a679ffdeaccc2cb86cc26a86650379288df97c6a9648ee8fdc9848792d
-
C:\Users\Admin\AppData\Local\Temp\75A6048C.exeFilesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
C:\Users\Admin\AppData\Local\Temp\rksowY.exeFilesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
memory/1088-15-0x0000000000410000-0x0000000000412000-memory.dmpFilesize
8KB
-
memory/1940-29-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1940-122-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1940-39-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1940-87-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/1940-88-0x0000000000340000-0x0000000000342000-memory.dmpFilesize
8KB
-
memory/1940-73-0x00000000001B0000-0x00000000001B9000-memory.dmpFilesize
36KB
-
memory/1940-30-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1940-37-0x00000000001B0000-0x00000000001B9000-memory.dmpFilesize
36KB
-
memory/2524-45-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-67-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-32-0x0000000000400000-0x0000000000D7B000-memory.dmpFilesize
9.5MB
-
memory/2524-40-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-5-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-41-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2524-43-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2524-38-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2524-12-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-36-0x0000000000230000-0x0000000000239000-memory.dmpFilesize
36KB
-
memory/2524-35-0x0000000000230000-0x0000000000239000-memory.dmpFilesize
36KB
-
memory/2524-0-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-46-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-48-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-51-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-50-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-58-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-59-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-34-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-42-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-68-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-70-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-71-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-31-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-72-0x0000000000400000-0x0000000000D7B000-memory.dmpFilesize
9.5MB
-
memory/2524-33-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-11-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-91-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-94-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-22-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2524-96-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-109-0x0000000000400000-0x0000000000D7B000-memory.dmpFilesize
9.5MB
-
memory/2524-23-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2524-123-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-149-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2524-10-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB
-
memory/2524-203-0x0000000000400000-0x0000000000D7B000-memory.dmpFilesize
9.5MB
-
memory/2524-204-0x0000000002870000-0x00000000038FE000-memory.dmpFilesize
16.6MB