Overview

overview

10

Static

static

38667f5ed3...99.exe

windows7-x64

10

38667f5ed3...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 01:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399.exe

  • Size

    386KB

  • MD5

    5c15c1d455043105018b0a238d4ca930

  • SHA1

    c84c775104892134f6170e288496ba084c781ce6

  • SHA256

    38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399

  • SHA512

    dadc9b18b97c0723ba1b7007834acb6d849d7c8089271bd391f8180ce2c6e37acbd64f8aca998d31bbb9af1e676bac015b13e10f361a0067d61ffc6bdfeecb63

  • SSDEEP

    6144:EWH8H1bmbUWC3mzu84CGjvHyVHys1ifpkzpVuZABdg2+coSbjNp6tDm:gbmb/C3IzQyHyop8Zad/vjNE9m

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1236
      • C:\Users\Admin\AppData\Local\Temp\38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399.exe
        "C:\Users\Admin\AppData\Local\Temp\38667f5ed3c6f2ecb44cee7425168d88e0899115d6bb00f7b3dc2d9ebd5ab399.exe"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Loads dropped DLL
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1708
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:768
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1180
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1116

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
                Filesize

                61KB

                MD5

                d3dcf192c9420cff748bf553b05edcd3

                SHA1

                a0bd2b9f69597c9401891b48a87d3193f011ea57

                SHA256

                ad672597c675a160dbc9b5321c4b1720f05e11af22fb8723ab93d0510bab4e01

                SHA512

                92cbf24be9afa03762d730b5d8bef37619b63a6930cd1c762e2d12eefc6556a3c699a4e3eafeda56b30036d1decc3b393da8e1f114ce6076aeb00fe25aaffc6c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
                Filesize

                2.1MB

                MD5

                209201efab0b251eb90a18639b68c841

                SHA1

                1a612dfc41961571b63a85e2531d72d003e6884d

                SHA256

                79ba6d7ef7f8ffeb7cfec21b14003a121314b831e3522c24bb0a581406cc6c9a

                SHA512

                41eb5629018ad1a3bc2fe8a1ca2f8f126422b740a91cd7fb532ee4bfd0c5cc6e143e6dc37e58f570e82ded251dbb712248f999e77dc24cab2b3c72af9dc2a043

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
                Filesize

                598B

                MD5

                c5ec2694c87c652e037967dee2492bf3

                SHA1

                e9506391b871880ede5b3ae3b5f6c87b7beb7bf8

                SHA256

                548d157d348281f9708d4e79bb34e7a4af13bf56b732023a7deeb1a3983c5df0

                SHA512

                b7ce8e6c0b61fc07023b1cbae052649db0f9ffaa1dc04cfc0b060e1ace0c81e5346989cbe6cdc62ea5c6eb98efa5afe057160788c98313936f5f4eeeb8378c1f

                Download Submit

              • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
                Filesize

                444KB

                MD5

                ad7b4540d252cf3b88da3d5dde791827

                SHA1

                5436a887e3f008c65fe18d9f2cd1cef981f67f23

                SHA256

                516cf437f2610fda3975646e7ac5ca6d247ce3da5c09309c05e7daffae065d28

                SHA512

                30f5d4230838f02f95518caaec4eba362603cce534942df1c23abe113f3934041ccd8cdf20136443bc27e2a6a3f1d0213c68b0479ed78b11b03b0191d6db8e51

                Download Submit

              • \Windows\SysWOW64\directx\websetup\dsetup.dll
                Filesize

                61KB

                MD5

                d3dcf192c9420cff748bf553b05edcd3

                SHA1

                a0bd2b9f69597c9401891b48a87d3193f011ea57

                SHA256

                ad672597c675a160dbc9b5321c4b1720f05e11af22fb8723ab93d0510bab4e01

                SHA512

                92cbf24be9afa03762d730b5d8bef37619b63a6930cd1c762e2d12eefc6556a3c699a4e3eafeda56b30036d1decc3b393da8e1f114ce6076aeb00fe25aaffc6c

                Download Submit

              • \Windows\SysWOW64\directx\websetup\dsetup32.dll
                Filesize

                2.1MB

                MD5

                209201efab0b251eb90a18639b68c841

                SHA1

                1a612dfc41961571b63a85e2531d72d003e6884d

                SHA256

                79ba6d7ef7f8ffeb7cfec21b14003a121314b831e3522c24bb0a581406cc6c9a

                SHA512

                41eb5629018ad1a3bc2fe8a1ca2f8f126422b740a91cd7fb532ee4bfd0c5cc6e143e6dc37e58f570e82ded251dbb712248f999e77dc24cab2b3c72af9dc2a043

                Download Submit

              • memory/768-74-0x0000000000790000-0x00000000007A4000-memory.dmp

                Filesize

                80KB

                Download

              • memory/1708-64-0x0000000001000000-0x0000000001062000-memory.dmp

                Filesize

                392KB

                Download

              • memory/1708-67-0x0000000002470000-0x00000000034FE000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1708-69-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1708-55-0x0000000002470000-0x00000000034FE000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1708-65-0x0000000000170000-0x00000000001D2000-memory.dmp

                Filesize

                392KB

                Download

              • memory/1708-73-0x00000000037A0000-0x00000000037A2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1708-76-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1708-75-0x0000000002470000-0x00000000034FE000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1708-77-0x00000000037A0000-0x00000000037A2000-memory.dmp

                Filesize

                8KB

                Download