Overview

overview

10

Static

static

abb7ce370f...d6.exe

windows7-x64

10

abb7ce370f...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 05:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe

  • Size

    677KB

  • MD5

    4b6713a3f4b49c317fd14823bc9bf9d0

  • SHA1

    7392852e0a99616ce988b0a8a957bdd60bb6d14a

  • SHA256

    abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6

  • SHA512

    21d1858af3ad4762d599f7c79b95b61bfd6d11c95f72b912578894d52e3940bf70806f14b5168e7ed79792dc6c4081890f700f9b4f73be24bd2557f0a9bc4271

  • SSDEEP

    12288:L4paur/3PRgXjqAu2IyMDpomrfuAYYmeb0Yo/eIPOoN3iEfGIzaw:L43/RHAu2I1D27YSvNPJiAGkv

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1372
      • C:\Users\Admin\AppData\Local\Temp\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
        "C:\Users\Admin\AppData\Local\Temp\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1280
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe C:\Users\Admin\AppData\Local\Temp\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6
          3⤵
            PID:624
          • C:\ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
            C:\ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe -wait
            3⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Deletes itself
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1068
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1316
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1248
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            PID:1240

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
            Filesize

            677KB

            MD5

            4b6713a3f4b49c317fd14823bc9bf9d0

            SHA1

            7392852e0a99616ce988b0a8a957bdd60bb6d14a

            SHA256

            abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6

            SHA512

            21d1858af3ad4762d599f7c79b95b61bfd6d11c95f72b912578894d52e3940bf70806f14b5168e7ed79792dc6c4081890f700f9b4f73be24bd2557f0a9bc4271

            Download Submit

          • C:\ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
            Filesize

            677KB

            MD5

            4b6713a3f4b49c317fd14823bc9bf9d0

            SHA1

            7392852e0a99616ce988b0a8a957bdd60bb6d14a

            SHA256

            abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6

            SHA512

            21d1858af3ad4762d599f7c79b95b61bfd6d11c95f72b912578894d52e3940bf70806f14b5168e7ed79792dc6c4081890f700f9b4f73be24bd2557f0a9bc4271

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            255B

            MD5

            6b361e2848bcfaf5a9a8caa69ace0571

            SHA1

            c7d50dc186bcd4348cf66485e243100afbf46215

            SHA256

            7836cda7f04c5111216c119493220534a56cca4f7f889514e4c79a9f8436c18a

            SHA512

            020b4c650300e277033c32d6f328f56405247a98720f2ae2e99e6e25913c4f72e0f97696631af2179afa4212eddd9e7a56e86291db4b012f31067dec42fe4fa2

            Download Submit

          • \ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
            Filesize

            677KB

            MD5

            4b6713a3f4b49c317fd14823bc9bf9d0

            SHA1

            7392852e0a99616ce988b0a8a957bdd60bb6d14a

            SHA256

            abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6

            SHA512

            21d1858af3ad4762d599f7c79b95b61bfd6d11c95f72b912578894d52e3940bf70806f14b5168e7ed79792dc6c4081890f700f9b4f73be24bd2557f0a9bc4271

            Download Submit

          • \ProgramData\srtserv\abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6.exe
            Filesize

            677KB

            MD5

            4b6713a3f4b49c317fd14823bc9bf9d0

            SHA1

            7392852e0a99616ce988b0a8a957bdd60bb6d14a

            SHA256

            abb7ce370f2e0b789f7fcb36348c3cb4477b3c2a29410a1e7b3b798e7e6832d6

            SHA512

            21d1858af3ad4762d599f7c79b95b61bfd6d11c95f72b912578894d52e3940bf70806f14b5168e7ed79792dc6c4081890f700f9b4f73be24bd2557f0a9bc4271

            Download Submit

          • \ProgramData\srtserv\sdata.dll
            Filesize

            23KB

            MD5

            374f995dd3d9e5d293c98f0ddab39618

            SHA1

            f27b6bdf00907065c1403a019addd2021e0b4943

            SHA256

            a81ce38be4c24ab23b0adce23f1be7c0605dce20a16715298b8c4b18bffef457

            SHA512

            a7dee38640eaa780daebdab9b3016da48a3ebcd9a972290bd379a52bde5327205b1ed86e7f93660553b37d2a106bf26f1fab3c13d42d52f2b6ffbccd43d13726

            Download Submit

          • memory/624-64-0x0000000074851000-0x0000000074853000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1068-72-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1068-80-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1068-83-0x0000000003460000-0x0000000003462000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1068-82-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1068-68-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1068-81-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1068-76-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1068-79-0x0000000003460000-0x0000000003462000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1068-78-0x0000000003CD0000-0x0000000004D5E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1068-75-0x00000000003D0000-0x00000000003E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1240-71-0x0000000003780000-0x0000000003790000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1240-70-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1280-57-0x00000000006E0000-0x000000000176E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1280-56-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1280-67-0x0000000004670000-0x0000000004721000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1280-69-0x00000000006E0000-0x000000000176E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1280-66-0x0000000000400000-0x00000000004B1000-memory.dmp

            Filesize

            708KB

            Download

          • memory/1280-58-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1280-55-0x00000000006E0000-0x000000000176E000-memory.dmp

            Filesize

            16.6MB

            Download