Overview

overview

10

Static

static

3

NEAS.92add...40.exe

windows7-x64

10

NEAS.92add...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2023 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.92adddbd2e93097b8b3794a979a3cc40.exe

  • Size

    648KB

  • MD5

    92adddbd2e93097b8b3794a979a3cc40

  • SHA1

    efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

  • SHA256

    458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

  • SHA512

    828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

  • SSDEEP

    12288:Qikxc69yX030T4r0FMx2PWn4u02K/wkUzOvY:Qm00u0FMx2+42KrSX

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:760
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\NEAS.92adddbd2e93097b8b3794a979a3cc40.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.92adddbd2e93097b8b3794a979a3cc40.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1840
          • C:\Windows\Help\schedl.exe
            C:\Windows\Help\schedl.exe
            3⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2776
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1152
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1104

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\Help\schedl.exe
            Filesize

            648KB

            MD5

            92adddbd2e93097b8b3794a979a3cc40

            SHA1

            efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

            SHA256

            458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

            SHA512

            828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

            Download Submit

          • C:\Windows\Help\schedl.exe
            Filesize

            648KB

            MD5

            92adddbd2e93097b8b3794a979a3cc40

            SHA1

            efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

            SHA256

            458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

            SHA512

            828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

            Download Submit

          • C:\Windows\Help\schedl.exe
            Filesize

            648KB

            MD5

            92adddbd2e93097b8b3794a979a3cc40

            SHA1

            efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

            SHA256

            458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

            SHA512

            828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            1ffd287e191d7fafba9bd098c64a9f8f

            SHA1

            0de38d5b03536ba4279e3b13fd5a5e0b4785442b

            SHA256

            8eccf3304098bdb681e56be14271d455b1d5c6edf4614246fa103bece6360e35

            SHA512

            4ef857e6b8a5b2645da8915259fede4a2063a081e2151213cf68e55db9ba45577229e1330448804640555a99664119724864b0766f0ba92cf17f0a6e06cd5333

            Download Submit

          • C:\olifx.exe
            Filesize

            100KB

            MD5

            7d630b2de6eb36fa2e073003ee5ed073

            SHA1

            479e4488c14ea082faaca228d1b04c01a9e59fbf

            SHA256

            aa3d44c3a427c9c797416c8cb03d50bf8873c224af8ea646fb8891a9f6e85af3

            SHA512

            050b32059e1fcf4af488db176bf59a525fcececeda1f9c7f3d80cbe0b7481606e2ac02c823dd4de7727a299f7c8998552483996bc63e93a27eee38a32533bbb2

            Download Submit

          • \Windows\Help\schedl.exe
            Filesize

            648KB

            MD5

            92adddbd2e93097b8b3794a979a3cc40

            SHA1

            efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

            SHA256

            458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

            SHA512

            828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

            Download Submit

          • \Windows\Help\schedl.exe
            Filesize

            648KB

            MD5

            92adddbd2e93097b8b3794a979a3cc40

            SHA1

            efe62bb9cc14831b1b00b1b2e14d3ebd982edc71

            SHA256

            458f64a52861752a369d724e3083f7154b96a7918860a7dad1cb9475929ade18

            SHA512

            828039f95c1eaf655204119db8e1ef12ebc9358f15d9ba0555aa65af894ae9a56b669cb3ba61ec9f63aee1014a12d4973488143773475356a161aacea59fd0ca

            Download Submit

          • memory/1104-5-0x0000000001D60000-0x0000000001D62000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1840-57-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-16-0x00000000008F0000-0x00000000008F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1840-15-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-17-0x0000000000900000-0x0000000000901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1840-22-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-24-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-25-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-19-0x00000000008F0000-0x00000000008F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1840-36-0x0000000005BE0000-0x0000000005C82000-memory.dmp

            Filesize

            648KB

            Download

          • memory/1840-3-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-11-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-8-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-1-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-4-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-0-0x0000000000400000-0x00000000004A2000-memory.dmp

            Filesize

            648KB

            Download

          • memory/1840-62-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-80-0x0000000002720000-0x00000000037AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1840-83-0x00000000008F0000-0x00000000008F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1840-93-0x0000000000400000-0x00000000004A2000-memory.dmp

            Filesize

            648KB

            Download

          • memory/1840-21-0x0000000000900000-0x0000000000901000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2776-95-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-97-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-98-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-103-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-107-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-110-0x0000000002750000-0x0000000002752000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2776-113-0x0000000002760000-0x0000000002761000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2776-112-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-114-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-115-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-116-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-117-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-118-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-119-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-121-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-120-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-133-0x0000000003DC0000-0x0000000004E4E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2776-140-0x0000000002750000-0x0000000002752000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2776-37-0x0000000000400000-0x00000000004A2000-memory.dmp

            Filesize

            648KB

            Download