Analysis

  • max time kernel
    152s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2022 15:51

General

  • Target: ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5.exe
  • Size: 303KB
  • MD5: 4ed2100f847ca6af006fb894c433b740
  • SHA1: 82257c6724f7832830cabbbed0ebbd12335bdb1a
  • SHA256: ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5
  • SHA512: 35aa432bc663c5b490c571ac8d15ea5fb3e301ad23d1014a98c3b7d5ec1c82c0f06995d4766c47180be52448821229530a556e35f71e57ac92b3d32ba0b475dc
  • SSDEEP: 6144:64IumFnpizAyTjdOFrtX1kC/3sCnE/oweW215GcFm2jL:bI9ytwtXNsIE/r21lFmQL

Malware Config

Extracted

  • Family: sality
  • C2:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 12 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5.exe
      "C:\Users\Admin\AppData\Local\Temp\ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5.exe"
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:952
      • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
        "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Deletes itself
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1168
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    PID:1176
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access
    • Replication Through Removable Media (T1091): 1
  • Persistence
    • Modify Existing Service (T1031): 1
  • Privilege Escalation
    • Bypass User Account Control (T1088): 1
  • Defense Evasion
    • Modify Registry (T1112): 5
    • Bypass User Account Control (T1088): 1
    • Disabling Security Tools (T1089): 3
  • Discovery
    • System Information Discovery (T1082): 3
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
  • Lateral Movement
    • Replication Through Removable Media (T1091): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\006CAEE6_Rar\ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5.exe
    Filesize: 223KB
    MD5: cb47cabb27471e1b903d146df5a81528
    SHA1: 98fa99265f0a8601bf1403b9c3dbd966dc498fff
    SHA256: e8e79df93a53375f24af80dc87dd363e4bb29e91a17d365a20e273b97450c858
    SHA512: c18a039b958ec4f13df369efc4b6522fdef35fdf60171dc94e92338dee43de94885902c8e0742e94f9c7d98a5ead45c69ca409fdd39e6b7d5c454ee028bccf40

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize: 303KB
    MD5: 4ed2100f847ca6af006fb894c433b740
    SHA1: 82257c6724f7832830cabbbed0ebbd12335bdb1a
    SHA256: ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5
    SHA512: 35aa432bc663c5b490c571ac8d15ea5fb3e301ad23d1014a98c3b7d5ec1c82c0f06995d4766c47180be52448821229530a556e35f71e57ac92b3d32ba0b475dc

  • C:\Windows\SYSTEM.INI
    Filesize: 255B
    MD5: 5e42300216f181b66e37622f362432eb
    SHA1: 51690d6479b2276b9c1bac4c219917ab12427774
    SHA256: c2b1db2528b73de3eefd976b0fdea09c32e34e7c1318bb76e8d6464ef9c24973
    SHA512: 35e5275531ba5eff4d2990d089fb1cbb189464b8acd668b6189268370e50da21277009814f7e262dea546540cc6ce32744888b0ff754a3c7f3d3bea73705bc00

  • \Users\Admin\AppData\Local\Temp\nsjC6DA.tmp\UAC.dll
    Filesize: 29KB
    MD5: fc38d5993ec3c029e2a9d9068d3eb146
    SHA1: 80246043884ae50f90bd77fbe9a823de7ea7e326
    SHA256: 97c46f2c5b4a09317d2d2fd8272f2bb36cbb9d25f5003cc69908c49c18128a9e
    SHA512: 83b495210158b5084ff917fb3152b8b82fdbcc0fb2768145f32646c33294dae6d1987142908b7a52f5f736e5227f977a39d4a41b9052e89a83ef6dd1bf350c07

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize: 303KB
    MD5: 4ed2100f847ca6af006fb894c433b740
    SHA1: 82257c6724f7832830cabbbed0ebbd12335bdb1a
    SHA256: ac9897327901b6e866e307b059e605ac856e105c55b7cd8db48511c66bfc5ae5
    SHA512: 35aa432bc663c5b490c571ac8d15ea5fb3e301ad23d1014a98c3b7d5ec1c82c0f06995d4766c47180be52448821229530a556e35f71e57ac92b3d32ba0b475dc

  • memory/952-59-0x0000000000310000-0x0000000000312000-memory.dmp (Filesize: 8KB)
  • memory/952-58-0x0000000001E00000-0x0000000002E8E000-memory.dmp (Filesize: 16.6MB)
  • memory/952-61-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
  • memory/952-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
  • memory/952-55-0x0000000001E00000-0x0000000002E8E000-memory.dmp (Filesize: 16.6MB)
  • memory/952-56-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
  • memory/1168-68-0x0000000002660000-0x00000000032AA000-memory.dmp (Filesize: 12.3MB)
  • memory/1168-60-0x0000000000000000-mapping.dmp
  • memory/1168-69-0x00000000003F0000-0x00000000003F2000-memory.dmp (Filesize: 8KB)
  • memory/1168-66-0x00000000027A0000-0x000000000382E000-memory.dmp (Filesize: 16.6MB)
  • memory/1168-71-0x0000000002660000-0x00000000032AA000-memory.dmp (Filesize: 12.3MB)
  • memory/1168-72-0x00000000003F0000-0x00000000003F2000-memory.dmp (Filesize: 8KB)
  • memory/1168-65-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
  • memory/1168-74-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)