Overview

overview

10

Static

static

8

86518e06c6...70.exe

windows7-x64

8

86518e06c6...70.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    86518e06c64f7920881c3148c087fa8bb69f080fc96193d06b4b25e3b0b14370

  • Size

    323KB

  • Sample

    221011-ndpe9scabl

  • MD5

    44da3077419579054814498bb71817d0

  • SHA1

    9c4d67645468f222a7eec0b1fbeb31f88f7ba277

  • SHA256

    86518e06c64f7920881c3148c087fa8bb69f080fc96193d06b4b25e3b0b14370

  • SHA512

    13b618fe4fd2ba187ac5fca06cd49cdd47600ef0262bacf35622993a14ff11a48eea46ea5b588cecd5ddd8a9234b2d1d8e3098ff568efcdc31104b007bafa992

  • SSDEEP

    6144:AuMJWY+qaHEQCcYfSBYJbQCjRcqESEgm6Anhc1kG6EnyfzrBFSWUaQfm:A+YcUc6SBLLTSEgBAnhc1kGEHSWim

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      86518e06c64f7920881c3148c087fa8bb69f080fc96193d06b4b25e3b0b14370

    • Size

      323KB

    • MD5

      44da3077419579054814498bb71817d0

    • SHA1

      9c4d67645468f222a7eec0b1fbeb31f88f7ba277

    • SHA256

      86518e06c64f7920881c3148c087fa8bb69f080fc96193d06b4b25e3b0b14370

    • SHA512

      13b618fe4fd2ba187ac5fca06cd49cdd47600ef0262bacf35622993a14ff11a48eea46ea5b588cecd5ddd8a9234b2d1d8e3098ff568efcdc31104b007bafa992

    • SSDEEP

      6144:AuMJWY+qaHEQCcYfSBYJbQCjRcqESEgm6Anhc1kG6EnyfzrBFSWUaQfm:A+YcUc6SBLLTSEgBAnhc1kGEHSWim

    Score
    10/10
    upxsalitybackdoorevasionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks