Overview

overview

10

Static

static

1

42671db146...6b.exe

windows7-x64

10

42671db146...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe

  • Size

    236KB

  • MD5

    3570fcb1c153163194b558d0db591250

  • SHA1

    794b170a924cee2a9349b11f8ab11e40ffd7ef5f

  • SHA256

    42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b

  • SHA512

    225b0ba45ad5ea53b77f742e8c8ba3432a1f9c3e79ab11a7d0838ae03600f3442c08338b1d2f533add7e303021f4a0ed685d6f110ce9fac36bba60f9a29ffa74

  • SSDEEP

    6144:3Q3Im3YkuahFo/uM1GIKAs8LfffihaXV+l/wggD5a:vkXk1LKAs8TfihaXMGggY

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1332
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1396
        • C:\Users\Admin\AppData\Local\Temp\42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe
          "C:\Users\Admin\AppData\Local\Temp\42671db146deab97ebbe7a554502d0467db6e79656d63adf77f7e1b5dc7d376b.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:992
          • C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe
            C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:108
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelFile.bat" "
              4⤵
                PID:988
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1240

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\DelFile.bat
            Filesize

            88B

            MD5

            47b65094daedc3fed42669a8cd583556

            SHA1

            18568606d880bb090c5c54ed68b031f99fe02954

            SHA256

            cf4839b27b260bbfaf89c1ce7ef6cc426cda4b5120d6adcf447a77b352913db8

            SHA512

            ff2d7d2b2bebfde4eb331b4f94cbd39a9a238f2b8cd5d6f463c84ceedc5e372458ef402b960e2c6177de26a7e08193ea3a845c3eab3b002bcfe19bb5e5927f92

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\DeleteFile.exe
            Filesize

            236KB

            MD5

            f4cee4ec36ad2cde717edd940528fba2

            SHA1

            fc71db69abdc7679fb4e6b3ca31604a68a328ccf

            SHA256

            2aafe1803c23ce34522e6d34835eac40e7715b11ccada95a256066a9a38426dd

            SHA512

            a74d5126519aba5ec2855a84bdd3e137ad1dcd6c94eafe7e6c7835979a7a2580f7a366bb3e8c7facd1f42003bfdb5525dde457d19fa698dc5073e91a30c9f321

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nso2C7F.tmp\System.dll
            Filesize

            11KB

            MD5

            c17103ae9072a06da581dec998343fc1

            SHA1

            b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

            SHA256

            dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

            SHA512

            d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

            Download Submit

          • memory/992-59-0x0000000000290000-0x0000000000292000-memory.dmp

            Filesize

            8KB

            Download

          • memory/992-66-0x0000000000240000-0x000000000024D000-memory.dmp

            Filesize

            52KB

            Download

          • memory/992-65-0x0000000000400000-0x0000000000441000-memory.dmp

            Filesize

            260KB

            Download

          • memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

            Filesize

            8KB

            Download

          • memory/992-58-0x0000000002040000-0x00000000030FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/992-57-0x0000000000240000-0x0000000000281000-memory.dmp

            Filesize

            260KB

            Download

          • memory/992-72-0x0000000002040000-0x00000000030FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/992-56-0x0000000000400000-0x0000000000441000-memory.dmp

            Filesize

            260KB

            Download

          • memory/992-55-0x0000000002040000-0x00000000030FA000-memory.dmp

            Filesize

            16.7MB

            Download