Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 17:30

General

  • Target

    ac73a098fc0087786195da49233085df.exe

  • Size

    107KB

  • MD5

    ac73a098fc0087786195da49233085df

  • SHA1

    d3e97fa079bdee8db1b62dd9985328c77de8658f

  • SHA256

    26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b

  • SHA512

    8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218

  • SSDEEP

    3072:BOlMfxs5l0ecVmSK8IT5wKFxmwRDOU+SrO1azi:BUEsswStowQmwAUFrEazi

Score
10/10

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe
    "C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\sss2.exe
      "C:\Windows\system32\sss2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\sss2.exe > nul
        3⤵
          PID:1776
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\AC73A0~1.EXE > nul
        2⤵
          PID:2284

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\sss2.exe

              Filesize

              107KB

              MD5

              ac73a098fc0087786195da49233085df

              SHA1

              d3e97fa079bdee8db1b62dd9985328c77de8658f

              SHA256

              26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b

              SHA512

              8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218

            • memory/1284-8-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/1556-0-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

            • memory/1556-1-0x00000000022E0000-0x0000000003313000-memory.dmp

              Filesize

              16.2MB

            • memory/1556-7-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB