Overview

overview

10

Static

static

3

01e6b8c6f9...86.exe

windows7-x64

10

01e6b8c6f9...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01e6b8c6f9a783a38e5db34d0fac0786.exe

  • Size

    163KB

  • MD5

    01e6b8c6f9a783a38e5db34d0fac0786

  • SHA1

    c47e0a1754a09d3488defc1f60bcf380d4befea1

  • SHA256

    e194c269292c77ec647d41b210f124caaf9a4e7f921be2b5e5568637bb8ca829

  • SHA512

    0baec11b16bfe4528e0a094510d932244786c0a938184cc4729cb69cbacc1a47f9fa17f9ca3026db460b3567f1dd5151871e94f790d49bbcb0b3b9679bb74154

  • SSDEEP

    3072:g887lQUdaQCFsISRmnHgUb0lNrGSHrOLbHg9PzZV4vK+OmnW:g83UsNqCSHiA9LZV4vK+dn

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe
    "C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2272
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1608
      • C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe
        "C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Users\Admin\AppData\Roaming\Jorurd.exe
          "C:\Users\Admin\AppData\Roaming\Jorurd.exe"
          3⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Deletes itself
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1700
          • C:\Users\Admin\AppData\Roaming\Jorurd.exe
            "C:\Users\Admin\AppData\Roaming\Jorurd.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3404

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD78A.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CCM17AA0\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\01e6b8c6f9a783a38e5db34d0fac0786.exe
      Filesize

      163KB

      MD5

      01e6b8c6f9a783a38e5db34d0fac0786

      SHA1

      c47e0a1754a09d3488defc1f60bcf380d4befea1

      SHA256

      e194c269292c77ec647d41b210f124caaf9a4e7f921be2b5e5568637bb8ca829

      SHA512

      0baec11b16bfe4528e0a094510d932244786c0a938184cc4729cb69cbacc1a47f9fa17f9ca3026db460b3567f1dd5151871e94f790d49bbcb0b3b9679bb74154

      Download Submit

    • C:\Windows\SYSTEM.INI
      Filesize

      257B

      MD5

      1137db7f93337f37582f25a0d90856fc

      SHA1

      77b55e0bdcea835fde1aa3aaecd33b944008908b

      SHA256

      87b20c150afad5edacb5f15c036b7b0a1adc61b7aad09a42c78be390e3f5c7ad

      SHA512

      c25a749cd3d80aa2234b68170ef3c5a9b259a29488681282cf9337548714336375b043a6a2e6fbae5d63ab134c8ea8c47dd16c4ea79fb09ea61a09194600bb91

      Download Submit

    • memory/60-23-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/60-30-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/60-24-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/60-12-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1556-59-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1556-58-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1556-55-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1556-48-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1700-41-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-47-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-56-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1700-43-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-42-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-35-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-40-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-33-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-36-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-38-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1700-39-0x0000000002280000-0x000000000330E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-9-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-0-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2272-10-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-11-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-8-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-22-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2272-7-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-13-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-6-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-4-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-3-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/2272-1-0x00000000023B0000-0x000000000343E000-memory.dmp

      Filesize

      16.6MB

      Download