Overview

overview

10

Static

static

3

363ecffc5b...c7.exe

windows7-x64

10

363ecffc5b...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 20:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

  • Size

    6.3MB

  • MD5

    b0bd17e3c1447a1f1ad35fddc5007f26

  • SHA1

    7ceb51392d32f113f07300c636112bc311330e38

  • SHA256

    363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7

  • SHA512

    707afbec914a32c6285db891f78ae47ded8d24befc72ca71b994b3fb2dce2e31efa002a3c24d904a526040a76c77cb19448e06694c2b54c4cefa206a7c5da95c

  • SSDEEP

    196608:EYub1Ls+UIUwgT4Ot8DS2Dpcbw7lgssa4B:Tub1avPF8JYGlgsjI

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 11 IoCs
  • UPX dump on OEP (original entry point) 12 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1052
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1136
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
            "C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2204
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2152

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Defense Evasion

          Modify Registry

          5
          T1112

          Impair Defenses

          4
          T1562

          Disable or Modify Tools

          3
          T1562.001

          Disable or Modify System Firewall

          1
          T1562.004

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\0F7611BC_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
            Filesize

            6.2MB

            MD5

            c87127b3715d0cbcf93e9053797aab84

            SHA1

            da9978f5e493b20d9d38e958882f47ff047cf527

            SHA256

            d6b22291baa4a47eaec054c1332c258572c2f7cd9cb961548a46c56aefc0f64c

            SHA512

            35f04cb369b588d28d777041bb09a7807ce4ecfe0b646af9f54ca9a4e8af9237bfd72132ffdba9e5ab90f35572cf8961c12e4c71dd3338931781bc37be2fede2

            Download Submit
          • memory/1052-25-0x00000000001E0000-0x00000000001E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2204-15-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-38-0x0000000000650000-0x0000000000652000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2204-12-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-0-0x0000000000400000-0x000000000046F000-memory.dmp
            Filesize

            444KB

            Download
          • memory/2204-33-0x0000000000650000-0x0000000000652000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2204-16-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-19-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-17-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-14-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-11-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-37-0x0000000000650000-0x0000000000652000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2204-36-0x00000000008B0000-0x00000000008B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2204-34-0x00000000008B0000-0x00000000008B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2204-9-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-13-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-18-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-43-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2204-55-0x0000000000400000-0x000000000046F000-memory.dmp
            Filesize

            444KB

            Download