Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-06-2024 20:32

General

  • Target

    43184bd5162fb342e94f91e1b3df8891e2c3b9a9b060d57a4639c4d8fe8ad9f1.exe

  • Size

    124KB

  • MD5

    fed03e665695876114f9af0d1ec028bd

  • SHA1

    ccd21ae940f58dfff9300884b2ae34e210605851

  • SHA256

    43184bd5162fb342e94f91e1b3df8891e2c3b9a9b060d57a4639c4d8fe8ad9f1

  • SHA512

    8ad296501d8ca61c870833233c598a9c1d493a249f129207239f2064bbbf1335acc12a9c1b2b804eb4a3da70e3e709e47478b3bbbd7287f8cb5b32922397a396

  • SSDEEP

    3072:sftffjmN/8ftffjmNCekfgkgiutON7FtL2BEJb:0VfjmNsVfjmNVOgkgi12eb

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43184bd5162fb342e94f91e1b3df8891e2c3b9a9b060d57a4639c4d8fe8ad9f1.exe
    "C:\Users\Admin\AppData\Local\Temp\43184bd5162fb342e94f91e1b3df8891e2c3b9a9b060d57a4639c4d8fe8ad9f1.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a192C.bat
      2⤵
      • Deletes itself
      PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003

Privilege Escalation

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Abuse Elevation Control Mechanism (1) T1548
    • Bypass User Account Control (1) T1548.002

Defense Evasion

  • Modify Registry (5) T1112
  • Impair Defenses (4) T1562
    • Disable or Modify Tools (3) T1562.001
    • Disable or Modify System Firewall (1) T1562.004
  • Abuse Elevation Control Mechanism (1) T1548
    • Bypass User Account Control (1) T1548.002

Discovery

  • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a192C.bat
    Filesize

    722B

    MD5

    df9a5c4d8d7b488c3db4119347d4830f

    SHA1

    dfa636a1053e8dd1286693f62f5fc227bf919553

    SHA256

    e8ca635b44c94ba491657a8f0218ef69faead6266e059e9aa1b0d6d782ab1fed

    SHA512

    eb6ffae6e6f63f1dbc608ef9a8b231f7f11679a5864466ad0dcde8c569796549870ee85ea9f303797937a584390de2b3c62e43a4b5bc95beb7225221ad7d7d79

  • C:\Users\Admin\AppData\Local\Temp\43184bd5162fb342e94f91e1b3df8891e2c3b9a9b060d57a4639c4d8fe8ad9f1.exe.exe
    Filesize

    98KB

    MD5

    23e3f5cd2f749216e2d1ffb9597155e2

    SHA1

    c2fb05b00f09a6072a76f01bdc2d46397cc815de

    SHA256

    261981cb1aa043a572cf4984a71372f36b66968412295b6dbced5c15bb1adccb

    SHA512

    51a42b8acf596cf3671247a07e552eeb596a727ff78d3049607cb5c3eceaa492ed5e127a37ec59932398bcc68899a90102ff463cf094013aeec2023ce7f89e7a

  • memory/1724-0-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize

    276KB

  • memory/1724-1-0x0000000000600000-0x000000000168E000-memory.dmp
    Filesize

    16.6MB

  • memory/1724-17-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize

    276KB

  • memory/1724-18-0x0000000000600000-0x000000000168E000-memory.dmp
    Filesize

    16.6MB

  • memory/2916-52-0x0000000002550000-0x0000000002551000-memory.dmp
    Filesize

    4KB