Overview

overview

10

Static

static

1

e07e15b588...63.exe

windows7-x64

10

e07e15b588...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563.exe

  • Size

    243KB

  • MD5

    474e6cf3450bfe79631eb1aa0365db7c

  • SHA1

    b42b1fd4a02f74018fbf3ae97d04e1a96e93d426

  • SHA256

    e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563

  • SHA512

    f61b105edca3499f5eee9619bf3b6ee5e3a2914a9e17990002fb3085fd553a384eb099e791b0383d1611a6f0ffdc7c37a8af764a6c14568093ea7004281f3564

  • SSDEEP

    6144:Aiv0A7NvO+K0l0mvoZELgDBYeSfq9a34/8MRWt6e:ZFNjK0zvov9VSfqQKRWt6e

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 20 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1132
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1264
        • C:\Users\Admin\AppData\Local\Temp\e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563.exe
          "C:\Users\Admin\AppData\Local\Temp\e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1236
          • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
            "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
            3⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Deletes itself
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:568
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1216

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Replication Through Removable Media

        1
        T1091

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Modify Registry

        5
        T1112

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        3
        T1089

        Credential Access

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Replication Through Removable Media

        1
        T1091

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\006C2B07_Rar\e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563.exe
          Filesize

          175KB

          MD5

          98a340c720df3a50e4549a0b755096ab

          SHA1

          800c259789099e7cb01b54b9858b2e2f7a90d1c5

          SHA256

          40620458f14b2b8b79af2796613a4a2367192a1563d2e732d245989f3499d228

          SHA512

          c1c40edfb4ed1ed3e7f8f6486f42400aed9d241dd74b510e11f424fbc9578c262e10733cede4857af82009a64cc1b01a2b706092b7c7add83a2a8f887a237ae8

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Filesize

          243KB

          MD5

          474e6cf3450bfe79631eb1aa0365db7c

          SHA1

          b42b1fd4a02f74018fbf3ae97d04e1a96e93d426

          SHA256

          e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563

          SHA512

          f61b105edca3499f5eee9619bf3b6ee5e3a2914a9e17990002fb3085fd553a384eb099e791b0383d1611a6f0ffdc7c37a8af764a6c14568093ea7004281f3564

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Filesize

          243KB

          MD5

          474e6cf3450bfe79631eb1aa0365db7c

          SHA1

          b42b1fd4a02f74018fbf3ae97d04e1a96e93d426

          SHA256

          e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563

          SHA512

          f61b105edca3499f5eee9619bf3b6ee5e3a2914a9e17990002fb3085fd553a384eb099e791b0383d1611a6f0ffdc7c37a8af764a6c14568093ea7004281f3564

          Download Submit
        • C:\Windows\SYSTEM.INI
          Filesize

          255B

          MD5

          8912cc9b989f021ebf33dfe939d5d6e4

          SHA1

          a7dd1f3d89e96dc0e7f28d5e6e197a782601c574

          SHA256

          bf8bc24ef34a3609c3fe1e279029d4b58226df0bd3aa8f845bf864cb44c076d1

          SHA512

          0fccbaf55b96b7789bdc85069aa5dd9527b57ba7f322e1020c72cb25b83b941e5562c438aa524c1b9d31bb6c3fdbba394eb79ed36d36dd02628662cbe5ce2375

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsj2FBB.tmp\InstallOptions.dll
          Filesize

          14KB

          MD5

          3809b1424d53ccb427c88cabab8b5f94

          SHA1

          bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

          SHA256

          426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

          SHA512

          626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsj2FBB.tmp\System.dll
          Filesize

          10KB

          MD5

          32465a07028b927b22c38e642c2cb836

          SHA1

          309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

          SHA256

          eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

          SHA512

          9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsj2FBB.tmp\nsDialogs.dll
          Filesize

          120KB

          MD5

          5fa1d819dd6a34dd409482a5911267a0

          SHA1

          f8a2509dfe6dfa4a9aec99033478892609eab70c

          SHA256

          ecb3f1745770b6a0ab9e6d4255651ce5812b46713f45790f1f98ba811c67a518

          SHA512

          369361b3752dd8ada9b06fa0388f2c7b4553d102d7d2cc8eb7d061055dab56b5bbb8e9615e8bada57121157ddbd557977c7ab5985d4ec8df0eb9a69b5d5c252e

          Download Submit
        • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
          Filesize

          243KB

          MD5

          474e6cf3450bfe79631eb1aa0365db7c

          SHA1

          b42b1fd4a02f74018fbf3ae97d04e1a96e93d426

          SHA256

          e07e15b58842f709e023b0bbf4d3b932283e21377d72cc4347712bba74a69563

          SHA512

          f61b105edca3499f5eee9619bf3b6ee5e3a2914a9e17990002fb3085fd553a384eb099e791b0383d1611a6f0ffdc7c37a8af764a6c14568093ea7004281f3564

          Download Submit
        • memory/568-70-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/568-63-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/568-58-0x0000000000000000-mapping.dmp
          Download
        • memory/568-69-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/568-71-0x0000000002F70000-0x0000000002F76000-memory.dmp
          Filesize

          24KB

          Download
        • memory/568-73-0x0000000001DD0000-0x0000000002E8A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/568-75-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/1236-62-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/1236-59-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/1236-56-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/1236-54-0x0000000076941000-0x0000000076943000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1236-72-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
          Filesize

          16.7MB

          Download
        • memory/1236-55-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
          Filesize

          16.7MB

          Download