Overview

overview

10

Static

static

4f2e5b0143...aa.exe

windows7_x64

10

4f2e5b0143...aa.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-06-2022 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe

  • Size

    2.8MB

  • MD5

    ad3697357986602530c84cbe13899d6f

  • SHA1

    041ed939b5af1e3af4ee2850a6cdbd1ec2a1cea1

  • SHA256

    4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa

  • SHA512

    3db87973635866759cebac374def08a2b09e6b8584f4180b566c2c990611b5e9a1f1d2c33270dd763924aeb205eb87bc6c030820e4380c7926ccce305cfa2570

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1220
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1260
        • C:\Users\Admin\AppData\Local\Temp\4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe
          "C:\Users\Admin\AppData\Local\Temp\4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:644
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\GetBoot.cmd" "
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:884
              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe"
                5⤵
                • Executes dropped EXE
                PID:1780
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1120

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\HalX64.dat
          Filesize

          3KB

          MD5

          9aa9781d662cb8e0c8c8dab376b883f9

          SHA1

          3f1ded73dc780b6593bc0ddf3dc804b9f535236f

          SHA256

          e74e3582fb8450a40000cda5a4ac16c0a6d1ded7b68522b4cea0c3c2bb4aa10f

          SHA512

          153e81c641c1674222cbe0b89d72506da37b341701f971c674443749a57a401d4e99bfa82c5f5a54f8c33bfa7c6a5fc0cad3285b35d2c05574b6fc34421224aa

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\KernelX64.dat
          Filesize

          9KB

          MD5

          1c115b5abd71048c96ad2945bbfd9c0d

          SHA1

          f850297f80e655113168bd82bfc5bef9f2e02f71

          SHA256

          c0d2a9ba83bf38971ab95feb892de8600b4de7c1cf4f497219a9128178b67400

          SHA512

          0d2c0cf589af50caec0cfa984aa46281b9925b5ca38f360dd49449167a2bfa59b9ceb86b863f7ef086ac2da76cb5940a193663b2c6e1ec683ad28ba6124ca246

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\GetBoot.cmd
          Filesize

          134B

          MD5

          4f1b25c69c01b3188f80c7632c1e4d24

          SHA1

          0557f574d3c43d15c249b6ef8c48a0adc291a297

          SHA256

          0140b1e86cf5140dbec53616d535acb06508f3d21963b09aa997147bfbeb7e92

          SHA512

          f643c46237da1e07a59fa81639c98677a83a25039cf080d9926b5d307754a09ed321a35fd87cdd2c74b13cf1f4ed9cac3d483e79403a68262230c2be15618b57

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
          Filesize

          366KB

          MD5

          852505f9859757040f6ecf2ee5a4d4ca

          SHA1

          229a2d48dc7a8445bad0cecd1ee9b9dac3932246

          SHA256

          9845a4f6cb437d135bcc7373e4ca2386316267176a43cda8f65605e8bd85a312

          SHA512

          663f2ab860beaa02c0eb67b8b4acab3a403564438da1917b84b1b313b53361c3d829ec75442ec51f648d9ca7b1f936fa8d7998bedafb095354a65ca4a8a3ab8f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\boot.cfg
          Filesize

          1KB

          MD5

          cd7b5a260c052edf324b17a11b5e1380

          SHA1

          9d69a1a7a1a2031672752808c0c8563ab81b84fb

          SHA256

          8307766b2f1cf2b2e27d34dfe6e836c35ab0eb8b2268757f150dd66aea7d380f

          SHA512

          0fd85f31348624e0d7388459793c5360ebbfab87caa9d951e78b937e2acc8e934d141b2efdc440b4c1123546fc6b231fd0fe6af8e06f31e967d97f67dfcd4c0c

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
          Filesize

          366KB

          MD5

          852505f9859757040f6ecf2ee5a4d4ca

          SHA1

          229a2d48dc7a8445bad0cecd1ee9b9dac3932246

          SHA256

          9845a4f6cb437d135bcc7373e4ca2386316267176a43cda8f65605e8bd85a312

          SHA512

          663f2ab860beaa02c0eb67b8b4acab3a403564438da1917b84b1b313b53361c3d829ec75442ec51f648d9ca7b1f936fa8d7998bedafb095354a65ca4a8a3ab8f

          Download Submit
        • memory/644-83-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/644-79-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/644-58-0x00000000002A0000-0x00000000002D2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/644-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/644-55-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/644-80-0x00000000002A0000-0x00000000002D2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/644-56-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/644-57-0x00000000002A0000-0x00000000002D2000-memory.dmp
          Filesize

          200KB

          Download
        • memory/884-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1188-77-0x0000000001F50000-0x0000000001F99000-memory.dmp
          Filesize

          292KB

          Download
        • memory/1188-78-0x0000000001F50000-0x0000000001F99000-memory.dmp
          Filesize

          292KB

          Download
        • memory/1188-76-0x0000000003180000-0x0000000003768000-memory.dmp
          Filesize

          5.9MB

          Download
        • memory/1188-81-0x0000000003180000-0x0000000003768000-memory.dmp
          Filesize

          5.9MB

          Download
        • memory/1188-82-0x0000000001F50000-0x0000000001F99000-memory.dmp
          Filesize

          292KB

          Download
        • memory/1188-60-0x0000000000000000-mapping.dmp
          Download
        • memory/1780-73-0x0000000000000000-mapping.dmp
          Download