Overview

overview

10

Static

static

SLIPatch_v...ta.exe

windows7_x64

10

SLIPatch_v...ta.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-06-2022 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SLIPatch_v1.5_beta.exe

  • Size

    2.8MB

  • MD5

    ad3697357986602530c84cbe13899d6f

  • SHA1

    041ed939b5af1e3af4ee2850a6cdbd1ec2a1cea1

  • SHA256

    4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa

  • SHA512

    3db87973635866759cebac374def08a2b09e6b8584f4180b566c2c990611b5e9a1f1d2c33270dd763924aeb205eb87bc6c030820e4380c7926ccce305cfa2570

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\SLIPatch_v1.5_beta.exe
        "C:\Users\Admin\AppData\Local\Temp\SLIPatch_v1.5_beta.exe"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1632
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2040
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\GetBoot.cmd" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2028
            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe"
              5⤵
              • Executes dropped EXE
              PID:1960
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1116

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\HalX64.dat
          Filesize

          3KB

          MD5

          9aa9781d662cb8e0c8c8dab376b883f9

          SHA1

          3f1ded73dc780b6593bc0ddf3dc804b9f535236f

          SHA256

          e74e3582fb8450a40000cda5a4ac16c0a6d1ded7b68522b4cea0c3c2bb4aa10f

          SHA512

          153e81c641c1674222cbe0b89d72506da37b341701f971c674443749a57a401d4e99bfa82c5f5a54f8c33bfa7c6a5fc0cad3285b35d2c05574b6fc34421224aa

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\KernelX64.dat
          Filesize

          9KB

          MD5

          1c115b5abd71048c96ad2945bbfd9c0d

          SHA1

          f850297f80e655113168bd82bfc5bef9f2e02f71

          SHA256

          c0d2a9ba83bf38971ab95feb892de8600b4de7c1cf4f497219a9128178b67400

          SHA512

          0d2c0cf589af50caec0cfa984aa46281b9925b5ca38f360dd49449167a2bfa59b9ceb86b863f7ef086ac2da76cb5940a193663b2c6e1ec683ad28ba6124ca246

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\GetBoot.cmd
          Filesize

          134B

          MD5

          4f1b25c69c01b3188f80c7632c1e4d24

          SHA1

          0557f574d3c43d15c249b6ef8c48a0adc291a297

          SHA256

          0140b1e86cf5140dbec53616d535acb06508f3d21963b09aa997147bfbeb7e92

          SHA512

          f643c46237da1e07a59fa81639c98677a83a25039cf080d9926b5d307754a09ed321a35fd87cdd2c74b13cf1f4ed9cac3d483e79403a68262230c2be15618b57

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
          Filesize

          366KB

          MD5

          852505f9859757040f6ecf2ee5a4d4ca

          SHA1

          229a2d48dc7a8445bad0cecd1ee9b9dac3932246

          SHA256

          9845a4f6cb437d135bcc7373e4ca2386316267176a43cda8f65605e8bd85a312

          SHA512

          663f2ab860beaa02c0eb67b8b4acab3a403564438da1917b84b1b313b53361c3d829ec75442ec51f648d9ca7b1f936fa8d7998bedafb095354a65ca4a8a3ab8f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Tools\boot.cfg
          Filesize

          1KB

          MD5

          cd7b5a260c052edf324b17a11b5e1380

          SHA1

          9d69a1a7a1a2031672752808c0c8563ab81b84fb

          SHA256

          8307766b2f1cf2b2e27d34dfe6e836c35ab0eb8b2268757f150dd66aea7d380f

          SHA512

          0fd85f31348624e0d7388459793c5360ebbfab87caa9d951e78b937e2acc8e934d141b2efdc440b4c1123546fc6b231fd0fe6af8e06f31e967d97f67dfcd4c0c

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe
          Filesize

          1.8MB

          MD5

          27cd350c5ae9453b62b5be2bf1b6c492

          SHA1

          011495b42b4f94fb4b7e348b1374c499b8fb438c

          SHA256

          6370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063

          SHA512

          61ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420

          Download Submit
        • \Users\Admin\AppData\Local\Temp\RarSFX0\Tools\bcdedit\x64\bcdedit.exe
          Filesize

          366KB

          MD5

          852505f9859757040f6ecf2ee5a4d4ca

          SHA1

          229a2d48dc7a8445bad0cecd1ee9b9dac3932246

          SHA256

          9845a4f6cb437d135bcc7373e4ca2386316267176a43cda8f65605e8bd85a312

          SHA512

          663f2ab860beaa02c0eb67b8b4acab3a403564438da1917b84b1b313b53361c3d829ec75442ec51f648d9ca7b1f936fa8d7998bedafb095354a65ca4a8a3ab8f

          Download Submit
        • memory/1632-59-0x00000000002A0000-0x00000000002A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-54-0x0000000075541000-0x0000000075543000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-55-0x0000000001FB0000-0x000000000303E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1632-56-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1632-80-0x0000000003E70000-0x0000000003E72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-58-0x0000000001FB0000-0x000000000303E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1632-57-0x0000000000240000-0x0000000000272000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1632-86-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/1632-84-0x0000000003E70000-0x0000000003E72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-82-0x0000000001FB0000-0x000000000303E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1632-83-0x00000000002A0000-0x00000000002A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1960-74-0x0000000000000000-mapping.dmp
          Download
        • memory/2028-70-0x0000000000000000-mapping.dmp
          Download
        • memory/2040-81-0x00000000006E0000-0x0000000000729000-memory.dmp
          Filesize

          292KB

          Download
        • memory/2040-78-0x00000000006E0000-0x0000000000729000-memory.dmp
          Filesize

          292KB

          Download
        • memory/2040-79-0x00000000006E0000-0x0000000000729000-memory.dmp
          Filesize

          292KB

          Download
        • memory/2040-77-0x00000000030E0000-0x00000000036C8000-memory.dmp
          Filesize

          5.9MB

          Download
        • memory/2040-85-0x00000000006E0000-0x0000000000729000-memory.dmp
          Filesize

          292KB

          Download
        • memory/2040-61-0x0000000000000000-mapping.dmp
          Download