Overview

overview

10

Static

static

10

d39103237f...f8.exe

windows7_x64

10

d39103237f...f8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-06-2022 18:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8.exe

  • Size

    5.9MB

  • MD5

    181d846f67268e7f3c9184682404886b

  • SHA1

    448baf53c5dc5fc76f42e7ee6f3fde7e7c099539

  • SHA256

    d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8

  • SHA512

    09cf1a1c780ae07990fc8118a89358bb4cf3b9b6d3d15e98133f96d53056c69a22b0cd69b5fe9e7afdda675dce9b1f1a384ad1f1a5564b2175cd53770510de0b

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8.exe
          "C:\Users\Admin\AppData\Local\Temp\d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1376
          • C:\Users\Admin\AppData\Local\Temp\d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8.exe
            C:\Users\Admin\AppData\Local\Temp\d39103237fc30b649676191adc04c4289a5254a769119fa477644aa90b4651f8.exe
            3⤵
            • Modifies WinLogon for persistence
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1324
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1164
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Windows\SysWOW64\reg.exe
            reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v WinIcons /t REG_SZ /d C:\Windows\system32\winicons.exe /f
            2⤵
            • Adds Run key to start application
            PID:1808
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:672
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x570
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1264

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/672-74-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1324-69-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-75-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-71-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-62-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-61-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-63-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-66-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-65-0x000000000040AA18-mapping.dmp
          Download
        • memory/1324-56-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-57-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-64-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-59-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1324-60-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1376-70-0x0000000001F00000-0x0000000002F8E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1376-67-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1376-55-0x0000000001F00000-0x0000000002F8E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/1376-54-0x0000000075361000-0x0000000075363000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1408-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1808-73-0x0000000000000000-mapping.dmp
          Download