Overview

overview

10

Static

static

10

2024-04-23...er.exe

windows7-x64

10

2024-04-23...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-23_e8bf7ddfe11907d58e59f02931c785e2_magniber.exe

  • Size

    1.2MB

  • MD5

    e8bf7ddfe11907d58e59f02931c785e2

  • SHA1

    d43706492de7e3fa0501d52942de33988bab25ef

  • SHA256

    00d226f1af9640b720ccc4c136be2b50926f03a912a9a2cbab8b491ede753263

  • SHA512

    05e90a0282fd9117e8ce7c3a2b45f3fe5be976bb51ffb794b2c4411cda0778faeaf1297f04fa2840289e918c9ce79a11a47792feff2969a06285f68eb55676e9

  • SSDEEP

    24576:JicqGTWZVfvN6aSoGsZwXV22NNNKwhfmH5abENDcCB:SZ1vSoGsZwXV2ExnbENDcC

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
  • UPX dump on OEP (original entry point) 32 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1060
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1088
        • C:\Users\Admin\AppData\Local\Temp\2024-04-23_e8bf7ddfe11907d58e59f02931c785e2_magniber.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-04-23_e8bf7ddfe11907d58e59f02931c785e2_magniber.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2748
          • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
            "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
            3⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Deletes itself
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2056
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1128

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Privilege Escalation

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Defense Evasion

        Modify Registry

        5
        T1112

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        3
        T1562

        Disable or Modify Tools

        3
        T1562.001

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\0F76141D_Rar\Un_A.exe
          Filesize

          1.1MB

          MD5

          2cdceec96b4149a63de432d18a6d71ed

          SHA1

          1a597709952c17206e5834d7f86fb09b86b5232e

          SHA256

          5370c206f7f0e10492c387da71363eeb4f33ae2b7dc11341af71a53af7c4e3dd

          SHA512

          a875082eaca3fb3083452b71f4b2233435f29129f0e12f4b5ebe22d83d22982f2fcf69661692e7c62ab84e6a144408f336604476cc03f534d5efc6febe7d5b43

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nst141E.tmp\TvGetVersion.dll
          Filesize

          696KB

          MD5

          41c3a6594060581d3bf1a16ed4ae6a72

          SHA1

          62bdf8c2a3fa5f70e8b25e83c946debf80c8fd47

          SHA256

          e35396c7d7e32a8fe771895ed9ea16bd85c8544410bf4dc70a42ccd2884cfd83

          SHA512

          3fee7ea74b4173b2815d631c8e69f5a21f2a170a46ce60424f9b9fb03cf7a35eab6933210497f851816a1a85eb3fdb682781ccb5e2607b7ade6dbc7a098368bd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nst141E.tmp\uninstall_unicode.ini
          Filesize

          1KB

          MD5

          fdc32622be2a57f7cb07bc312692446e

          SHA1

          0d75a50bef9a5012551dafcbad62352ac314b3a0

          SHA256

          89a717cc51627b22d3db8d51557d17f517d4534dfd11ad88d3a906cf3cee364d

          SHA512

          9c56ca7fb28857f686abc5a0b3b2d0391487a3b51c4e2bf2f575ed6d4a8759e1731e408f46086f3c01e2f56add3304de07d5fb2f587bb17835eb96214d1e4fb2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nst141E.tmp\uninstall_unicode.ini
          Filesize

          1KB

          MD5

          11c043ce3c63f5ed7e76eaf4e499d0c3

          SHA1

          51eb95779e1fbf804c70878a4e3bfe2597e2023a

          SHA256

          79c28dd1af85c3643354c9cb371078b187c9822cfc08811d1384ef53d2d1ee7b

          SHA512

          4e8040671b8bde800bc1124910e2473a5d4592a11c5318a02b7944a6c2467021ac927c5d572e8fc9dfc29eb2122ed24874fa2442ba1b47cbde3c66f9c45e00bb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
          Filesize

          1.2MB

          MD5

          e8bf7ddfe11907d58e59f02931c785e2

          SHA1

          d43706492de7e3fa0501d52942de33988bab25ef

          SHA256

          00d226f1af9640b720ccc4c136be2b50926f03a912a9a2cbab8b491ede753263

          SHA512

          05e90a0282fd9117e8ce7c3a2b45f3fe5be976bb51ffb794b2c4411cda0778faeaf1297f04fa2840289e918c9ce79a11a47792feff2969a06285f68eb55676e9

          Download Submit
        • C:\Windows\SYSTEM.INI
          Filesize

          257B

          MD5

          c6262bde712cf3f5f7c0ef2a0fa04b5b

          SHA1

          b5eec6dba92ce8b44f3bd83500535049a1ddbe07

          SHA256

          87cf3373622bae734ce448c15c11c2fb8b1fc5871d54d088c4dc45ea2346aa29

          SHA512

          f8f9d6a2b1e2a2d55e5276aeafd6993f91de0083f299825b30fed3a41eccf73513fd5a9056250803a09f2088c3284e8f77d16c6413ea28087231cb4c4fffc409

          Download Submit
        • C:\yxxji.exe
          Filesize

          100KB

          MD5

          95e39edde96c6f775dba8f9d9761d450

          SHA1

          a8c97672f1bc8afea023464b96174f50b1310bfe

          SHA256

          5caa9678af51711dd7554d1b2903f1c0f1a51587f4e60818c3064e02d8892dfa

          SHA512

          066b70050c1427849463a6b2d9b63c172d8bf4227a5c244d92983938593bbe8629b15ee9bc51033a7e15323c2f6a73abce493a99780d6c16ba0abee956d43252

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst141E.tmp\InstallOptions.dll
          Filesize

          27KB

          MD5

          e87068563fc18e67a78230067cc240e5

          SHA1

          37cd2cb5581fc575b8c46383d877926bda85883b

          SHA256

          822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

          SHA512

          dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst141E.tmp\System.dll
          Filesize

          23KB

          MD5

          938c37b523d7fc08166e7a5810dd0f8e

          SHA1

          47b9663e5873669211655e0010e322f71b5a94be

          SHA256

          a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

          SHA512

          77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst141E.tmp\UAC.dll
          Filesize

          29KB

          MD5

          488819f838abfcad73a2220c151292ee

          SHA1

          4a0cbd69300694f6dc393436e56a49e27546d0fe

          SHA256

          b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

          SHA512

          b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst141E.tmp\UserInfo.dll
          Filesize

          15KB

          MD5

          77ff6a927940a0e4b8dc07bdde6ab5db

          SHA1

          8d0035242289504d050d237f7e3e548c1ddff077

          SHA256

          e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

          SHA512

          6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

          Download Submit
        • memory/1060-152-0x0000000001EA0000-0x0000000001EA2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2056-165-0x0000000004A40000-0x0000000004A42000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2056-164-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-14-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/2056-148-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-216-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-150-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-151-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-207-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-153-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-155-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-157-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-161-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-208-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-167-0x0000000005460000-0x0000000005461000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2056-169-0x0000000004A40000-0x0000000004A42000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2056-172-0x0000000005460000-0x0000000005461000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2056-170-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-200-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-173-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-174-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-175-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-176-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-177-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-179-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-180-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-181-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-184-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-192-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-194-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-195-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2056-197-0x0000000003870000-0x00000000048FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2748-16-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/2748-0-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/2748-3-0x0000000001E60000-0x0000000002EEE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2748-12-0x0000000003AA0000-0x0000000003B42000-memory.dmp
          Filesize

          648KB

          Download
        • memory/2748-1-0x0000000001E60000-0x0000000002EEE000-memory.dmp
          Filesize

          16.6MB

          Download