Overview

overview

10

Static

static

3

9ac782c1c0...30.exe

windows7-x64

10

9ac782c1c0...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2024 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe

  • Size

    132KB

  • MD5

    8bd5d568d369a2879c839bdab44f29b9

  • SHA1

    214e2e43c691751bc058e2b2db8eb02066c86505

  • SHA256

    9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930

  • SHA512

    e486f6758391034ec3461efd6d3b1e35425dfa4facd0a5633cbc706899afc7926754d127b86135c3bf2887e1b45c8fbc6e90344958609ad9eb64d35c02fc5daa

  • SSDEEP

    3072:fftffhJCuEmUBCSjGoLpmSTLd4W1CV9uymmH2Ri/:HVfhgujiXxfdA9Pm

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 2 IoCs
  • UPX dump on OEP (original entry point) 3 IoCs
  • Deletes itself 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe
    "C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3056
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9EFD.bat
      2⤵
      • Deletes itself
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a9EFD.bat
    Filesize

    722B

    MD5

    9d677c9ab2594116efe24f25c59c80e2

    SHA1

    56b8468029bb0874d80af27b9c9a460bea000a95

    SHA256

    51fa40b9fe9df36c891bec03100d6e30460c80f557a5261d4f4a9b916dd72479

    SHA512

    b75dc0ecbd88067e6f00a187f1fa12e1cf9d3a68a083a0af39e3e24632e4679ce14ce4b9b1a125b62fb1a39fc1cd8496bdd3ade184e99a002e1326106dda0fae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe.exe
    Filesize

    105KB

    MD5

    a5e228e5d234a4f52917056191c3f20e

    SHA1

    e7c3d31c4fc8d61491e78e918ad837262a6a2ce7

    SHA256

    03bffa2faa622e0f285400d8adccf7480052cb2a4f334b88de895dec5b1eb08a

    SHA512

    b35a1f87f056c71ba783e7196161e265fca9970833b02d90fc2bda2436ca78a20dde05e6dba6c4fa8c26fd25229bf4be311f333cf05b42df6ed5c8fd5346f13f

    Download Submit

  • memory/2552-50-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3056-0-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3056-1-0x0000000000650000-0x00000000016DE000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/3056-13-0x0000000000650000-0x00000000016DE000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/3056-16-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

    Download