Overview

overview

10

Static

static

244e8393a3...9c.exe

windows7_x64

10

244e8393a3...9c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    35s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-06-2022 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    244e8393a3120b4321065dcf4c5a0671e3f68ca5bc6e6dcd5983ded59bd8b09c.exe

  • Size

    655KB

  • MD5

    8a51d93fa4038e8610062d1b9833b101

  • SHA1

    7fb6cf45a1f6cb8e764ec1fa7ee16f3494e874e6

  • SHA256

    244e8393a3120b4321065dcf4c5a0671e3f68ca5bc6e6dcd5983ded59bd8b09c

  • SHA512

    e18020a37f5e9e4f71b0ceaea14d248ebad45145f7a3cd7f2e1fc3ac57af3022e35f2bead57266b937da33c6f8381bb36d2b9b9dd81a6e12172c4757ee3ccff2

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1200
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1268
        • C:\Users\Admin\AppData\Local\Temp\244e8393a3120b4321065dcf4c5a0671e3f68ca5bc6e6dcd5983ded59bd8b09c.exe
          "C:\Users\Admin\AppData\Local\Temp\244e8393a3120b4321065dcf4c5a0671e3f68ca5bc6e6dcd5983ded59bd8b09c.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:780
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1136

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/780-54-0x0000000076531000-0x0000000076533000-memory.dmp
          Filesize

          8KB

          Download
        • memory/780-55-0x0000000001F80000-0x000000000303A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/780-56-0x0000000000400000-0x0000000000469000-memory.dmp
          Filesize

          420KB

          Download
        • memory/780-57-0x0000000001F80000-0x000000000303A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/780-58-0x0000000000580000-0x0000000000582000-memory.dmp
          Filesize

          8KB

          Download
        • memory/780-59-0x0000000000400000-0x0000000000469000-memory.dmp
          Filesize

          420KB

          Download
        • memory/780-60-0x0000000001F80000-0x000000000303A000-memory.dmp
          Filesize

          16.7MB

          Download