36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

General
Target

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

Size

883KB

Sample

220520-1ytlyaedf8

Score
10 /10
MD5

1a0cc91e3e90d89d7a717fd6d3787c64

SHA1

ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade

SHA256

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

SHA512

d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85

Malware Config

Extracted

Family sality
C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets
Target

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

MD5

1a0cc91e3e90d89d7a717fd6d3787c64

Filesize

883KB

Score
10/10
SHA1

ce4323bc4033f2f81ee3903ac2fb7873f6bd0ade

SHA256

36af8eb23e7b3c1f7a8e3a0baf9972580b9f6004e748100511e50da0fcd4b29a

SHA512

d67c64c1ac8a8935990ae86ffda9cf208348a29db0ccf1e513c550fe5b91beb55ab9700253d4f5030acd87765229a7971237ae38844e924a9a68b01dbb432b85

Tags

Signatures

  • Modifies firewall policy service

    Tags

    TTPs

    Modify RegistryModify Existing Service
  • Sality

    Description

    Sality is backdoor written in C++, first discovered in 2003.

    Tags

  • UAC bypass

    Tags

    TTPs

    Bypass User Account ControlDisabling Security ToolsModify Registry
  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Windows security modification

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Checks whether UAC is enabled

    Tags

    TTPs

    System Information Discovery
  • Enumerates connected drives

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Writes to the Master Boot Record (MBR)

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit
  • Drops autorun.inf file

    Description

    Malware can abuse Windows Autorun to spread further via attached volumes.

    TTPs

    Replication Through Removable Media

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Privilege Escalation