Overview

overview

10

Static

static

88d23ec88d...88.exe

windows7-x64

10

88d23ec88d...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 18:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    88d23ec88d03cf6d4e564b73834560b32f2d56220ef25cae28d04edfe0112488.exe

  • Size

    486KB

  • MD5

    3cdc2d619569452fff5184857a7a4b30

  • SHA1

    9caef5764088dae4d2700a469cf78f938c57aa9a

  • SHA256

    88d23ec88d03cf6d4e564b73834560b32f2d56220ef25cae28d04edfe0112488

  • SHA512

    fd7748f114a2cc9100bd7933ee835ce64c84677cf84c1764b5bc66591baf3d0d7c32add928b3565ab0b8096026abc69785d1646e4048211eca37c4045633f305

  • SSDEEP

    12288:EMu1xxPb2iBlBqOLMwNr5AmU91315a4p8Nf4QsYVx:y1x9Bldt5ABz1w4p8NfLX

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1308
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1348
        • C:\Users\Admin\AppData\Local\Temp\88d23ec88d03cf6d4e564b73834560b32f2d56220ef25cae28d04edfe0112488.exe
          "C:\Users\Admin\AppData\Local\Temp\88d23ec88d03cf6d4e564b73834560b32f2d56220ef25cae28d04edfe0112488.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1408
          • C:\Windows\SysWOW64\RunDll32.exe
            RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsiCB0.tmp\OCSetupHlp.dll",_RLID994RecLib2@16 1408,0495E326F36A4CE2A3C5A5A4991C89B3,0C164E5D799C4DEC8820E1DF32556E25,4F16C4E3FFCC40719E4AEE7F390376C0
            3⤵
            • Loads dropped DLL
            PID:1684
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1200

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\nsiCB0.tmp\OCSetupHlp.dll
                Filesize

                825KB

                MD5

                c40fc4a0a9daa6635d4fe6b0acf312b5

                SHA1

                2955ad4cd5c12e720632feb2371b335ba9d69dac

                SHA256

                6b9e366de7849631bad0a86890e605230bc6d29dce670e098a650687cb557f8c

                SHA512

                186e4e1c73de9441cbb752895303260eaf1e4b01e8ca1f19de195a67521162eb808c190570d531eaab0d43e62833f64dde8303615edbb5314bdc6b46552c13e4

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\OCSetupHlp.dll
                Filesize

                825KB

                MD5

                c40fc4a0a9daa6635d4fe6b0acf312b5

                SHA1

                2955ad4cd5c12e720632feb2371b335ba9d69dac

                SHA256

                6b9e366de7849631bad0a86890e605230bc6d29dce670e098a650687cb557f8c

                SHA512

                186e4e1c73de9441cbb752895303260eaf1e4b01e8ca1f19de195a67521162eb808c190570d531eaab0d43e62833f64dde8303615edbb5314bdc6b46552c13e4

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\OCSetupHlp.dll
                Filesize

                825KB

                MD5

                c40fc4a0a9daa6635d4fe6b0acf312b5

                SHA1

                2955ad4cd5c12e720632feb2371b335ba9d69dac

                SHA256

                6b9e366de7849631bad0a86890e605230bc6d29dce670e098a650687cb557f8c

                SHA512

                186e4e1c73de9441cbb752895303260eaf1e4b01e8ca1f19de195a67521162eb808c190570d531eaab0d43e62833f64dde8303615edbb5314bdc6b46552c13e4

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\OCSetupHlp.dll
                Filesize

                825KB

                MD5

                c40fc4a0a9daa6635d4fe6b0acf312b5

                SHA1

                2955ad4cd5c12e720632feb2371b335ba9d69dac

                SHA256

                6b9e366de7849631bad0a86890e605230bc6d29dce670e098a650687cb557f8c

                SHA512

                186e4e1c73de9441cbb752895303260eaf1e4b01e8ca1f19de195a67521162eb808c190570d531eaab0d43e62833f64dde8303615edbb5314bdc6b46552c13e4

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\System.dll
                Filesize

                11KB

                MD5

                be2621a78a13a56cf09e00dd98488360

                SHA1

                75f0539dc6af200a07cdb056cddddec595c6cfd2

                SHA256

                852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

                SHA512

                b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\nsDialogs.dll
                Filesize

                9KB

                MD5

                42d9a1b3f4901cd033a9317a1ca1433c

                SHA1

                0507fb0257b81ab9365ab900b4274aedbfde1115

                SHA256

                bf01742982edb498fe9f0e4fe408eb20d1d1027df19fc2c0415bd54ab9302cfd

                SHA512

                bbfbdc13b0792340c3ec8c8b0ec2426c5890fc4a649eafe6bf1267d7310d27da0abd74fdc5702f849b3604fa569191250747058de84b217841ba924c2a06c4c0

                Download Submit

              • \Users\Admin\AppData\Local\Temp\nsiCB0.tmp\skinnedbutton.dll
                Filesize

                5KB

                MD5

                ab34d8a54627f76d11bb3a5099f266bf

                SHA1

                f16254263376227b4944c4e0e7694262d405a95c

                SHA256

                f1f408c3d9ceef9c86662cea55479147c119bc5e4aa281942f3e6907800406a9

                SHA512

                89d98ea1edc472825ff7a0138f7d65450c3ced986ae9c3daae62a0d836e32ff0da5935144aec9972457e52d6de6ab39a03d1d224d7167ffe9b087cd7ba43f93b

                Download Submit

              • memory/1408-58-0x0000000000300000-0x0000000000302000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1408-57-0x0000000001E00000-0x0000000002E8E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1408-66-0x00000000040F0000-0x00000000040FE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1408-56-0x0000000000400000-0x0000000000470000-memory.dmp

                Filesize

                448KB

                Download

              • memory/1408-55-0x0000000001E00000-0x0000000002E8E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1408-70-0x0000000001E00000-0x0000000002E8E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1408-71-0x0000000000300000-0x0000000000302000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1408-72-0x00000000040F0000-0x00000000040FE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1408-73-0x0000000000400000-0x0000000000470000-memory.dmp

                Filesize

                448KB

                Download

              • memory/1684-67-0x0000000000260000-0x0000000000262000-memory.dmp

                Filesize

                8KB

                Download