Overview

overview

10

Static

static

e07bf599cc...26.exe

windows7-x64

10

e07bf599cc...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 07:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe

  • Size

    148KB

  • MD5

    8c21a370bd149784cb7128d666543cc1

  • SHA1

    7ad1dea7887f3f8256825b19590604b0d2c5beb7

  • SHA256

    e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

  • SHA512

    5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

  • SSDEEP

    3072:eahsmpcReL9DxyjcI4zhawZ1CWRtHD24gEtYqniX:/hsmxLKIaMrR12lsYqS

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
        "C:\Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Loads dropped DLL
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:956
        • C:\Users\Admin\foeuvo.exe
          "C:\Users\Admin\foeuvo.exe"
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1184
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:1016
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1228
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1128

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\foeuvo.exe
                Filesize

                148KB

                MD5

                b5fc37abebd9f7b5f166d42cc8fa2952

                SHA1

                01d4da7d332376a2619912a782e9c607001ddb49

                SHA256

                9070d78be05bb5032a350f0305166ebe36cef8afa42dd9b94640ec6617a97db4

                SHA512

                1d882b0a6cad51c87efd8d8c084f57471d3b7898653c10285bbd8a9678595db0a2dccdad4765f5f7cae5725a470e1bb45cf978723d17f184e3ce76347bd4d428

                Download Submit

              • C:\Users\Admin\foeuvo.exe
                Filesize

                148KB

                MD5

                b5fc37abebd9f7b5f166d42cc8fa2952

                SHA1

                01d4da7d332376a2619912a782e9c607001ddb49

                SHA256

                9070d78be05bb5032a350f0305166ebe36cef8afa42dd9b94640ec6617a97db4

                SHA512

                1d882b0a6cad51c87efd8d8c084f57471d3b7898653c10285bbd8a9678595db0a2dccdad4765f5f7cae5725a470e1bb45cf978723d17f184e3ce76347bd4d428

                Download Submit

              • \Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
                Filesize

                148KB

                MD5

                8c21a370bd149784cb7128d666543cc1

                SHA1

                7ad1dea7887f3f8256825b19590604b0d2c5beb7

                SHA256

                e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

                SHA512

                5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

                Download Submit

              • \Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
                Filesize

                148KB

                MD5

                8c21a370bd149784cb7128d666543cc1

                SHA1

                7ad1dea7887f3f8256825b19590604b0d2c5beb7

                SHA256

                e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

                SHA512

                5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

                Download Submit

              • \Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
                Filesize

                148KB

                MD5

                8c21a370bd149784cb7128d666543cc1

                SHA1

                7ad1dea7887f3f8256825b19590604b0d2c5beb7

                SHA256

                e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

                SHA512

                5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

                Download Submit

              • \Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
                Filesize

                148KB

                MD5

                8c21a370bd149784cb7128d666543cc1

                SHA1

                7ad1dea7887f3f8256825b19590604b0d2c5beb7

                SHA256

                e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

                SHA512

                5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

                Download Submit

              • \Users\Admin\AppData\Local\Temp\e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26.exe
                Filesize

                148KB

                MD5

                8c21a370bd149784cb7128d666543cc1

                SHA1

                7ad1dea7887f3f8256825b19590604b0d2c5beb7

                SHA256

                e07bf599cc6052136e2c987848f9e2ac32a2d2e8519410a1943c32d4dbc0fe26

                SHA512

                5a91000b2b57063899f2744ddffddbdb7095088de70e46ccccc0ceaeab77b012cf81fd5b7db7b01136f63bae4051d88cc8c600ab0729206e036ae95644cf0fc0

                Download Submit

              • \Users\Admin\foeuvo.exe
                Filesize

                148KB

                MD5

                b5fc37abebd9f7b5f166d42cc8fa2952

                SHA1

                01d4da7d332376a2619912a782e9c607001ddb49

                SHA256

                9070d78be05bb5032a350f0305166ebe36cef8afa42dd9b94640ec6617a97db4

                SHA512

                1d882b0a6cad51c87efd8d8c084f57471d3b7898653c10285bbd8a9678595db0a2dccdad4765f5f7cae5725a470e1bb45cf978723d17f184e3ce76347bd4d428

                Download Submit

              • \Users\Admin\foeuvo.exe
                Filesize

                148KB

                MD5

                b5fc37abebd9f7b5f166d42cc8fa2952

                SHA1

                01d4da7d332376a2619912a782e9c607001ddb49

                SHA256

                9070d78be05bb5032a350f0305166ebe36cef8afa42dd9b94640ec6617a97db4

                SHA512

                1d882b0a6cad51c87efd8d8c084f57471d3b7898653c10285bbd8a9678595db0a2dccdad4765f5f7cae5725a470e1bb45cf978723d17f184e3ce76347bd4d428

                Download Submit

              • memory/956-66-0x0000000005F30000-0x0000000005F58000-memory.dmp

                Filesize

                160KB

                Download

              • memory/956-84-0x0000000005F30000-0x0000000005F58000-memory.dmp

                Filesize

                160KB

                Download

              • memory/956-67-0x0000000005F30000-0x0000000005F58000-memory.dmp

                Filesize

                160KB

                Download

              • memory/956-83-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/956-61-0x00000000047C0000-0x00000000047C2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/956-72-0x00000000024B0000-0x000000000353E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/956-73-0x0000000000240000-0x0000000000242000-memory.dmp

                Filesize

                8KB

                Download

              • memory/956-60-0x0000000000240000-0x0000000000242000-memory.dmp

                Filesize

                8KB

                Download

              • memory/956-76-0x00000000047C0000-0x00000000047C2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/956-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

                Filesize

                8KB

                Download

              • memory/956-59-0x00000000024B0000-0x000000000353E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/956-57-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/956-55-0x00000000024B0000-0x000000000353E000-memory.dmp

                Filesize

                16.6MB

                Download

              • memory/1816-75-0x00000000002C0000-0x00000000002C2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1816-68-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/1816-85-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download