Overview

overview

10

Static

static

3

9ac782c1c0...30.exe

windows7-x64

10

9ac782c1c0...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2024 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe

  • Size

    132KB

  • MD5

    8bd5d568d369a2879c839bdab44f29b9

  • SHA1

    214e2e43c691751bc058e2b2db8eb02066c86505

  • SHA256

    9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930

  • SHA512

    e486f6758391034ec3461efd6d3b1e35425dfa4facd0a5633cbc706899afc7926754d127b86135c3bf2887e1b45c8fbc6e90344958609ad9eb64d35c02fc5daa

  • SSDEEP

    3072:fftffhJCuEmUBCSjGoLpmSTLd4W1CV9uymmH2Ri/:HVfhgujiXxfdA9Pm

Score
10/10
salitybackdoorupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 1 IoCs
  • UPX dump on OEP (original entry point) 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe
    "C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5D43.bat
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a5D43.bat
    Filesize

    722B

    MD5

    541115b184f6d1e090847428e60fe916

    SHA1

    0f49d6fc72c18d0ae5bd7036bd01fa81598cedce

    SHA256

    4d27906e0bf42e750ca254988f90623b8f8e3b3c64b6777aeef4d745f08b9cd1

    SHA512

    a6b78bcec3be6d5ce3c68412e3f3b8bd1d147d7c525be84f3721028bbd4dd1bde7fb2e794b68be23c6354a5654b4c491c46abfbc77dd7cf505225357dd58dd34

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\9ac782c1c0a23ad6a1092bdaaa78c17561335625446f438d7d934b49aa523930.exe.exe
    Filesize

    105KB

    MD5

    a5e228e5d234a4f52917056191c3f20e

    SHA1

    e7c3d31c4fc8d61491e78e918ad837262a6a2ce7

    SHA256

    03bffa2faa622e0f285400d8adccf7480052cb2a4f334b88de895dec5b1eb08a

    SHA512

    b35a1f87f056c71ba783e7196161e265fca9970833b02d90fc2bda2436ca78a20dde05e6dba6c4fa8c26fd25229bf4be311f333cf05b42df6ed5c8fd5346f13f

    Download Submit
  • memory/4900-0-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/4900-9-0x0000000000400000-0x0000000000447000-memory.dmp
    Filesize

    284KB

    Download
  • memory/4900-8-0x00000000007D0000-0x000000000185E000-memory.dmp
    Filesize

    16.6MB

    Download