Overview

overview

10

Static

static

3

eb395b5e22...70.exe

windows7-x64

10

eb395b5e22...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe

  • Size

    2.3MB

  • MD5

    f904bc04d3860f4a5b2656668d1d89db

  • SHA1

    bf723e0e11def54fdc70356007d021f83fe8211a

  • SHA256

    eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970

  • SHA512

    566908fdc5583b2f3bf6129a14b8734c073f7ddea505aa2db4ed5d352090da247e08bc75e9e40144acf4529c0cfbdf65436e8d0749f7dc3adfca5529291500a5

  • SSDEEP

    49152:coN2skpzPXDFBjWRJTCAIHuDeeaJ98mjRC9YC2Ns+/X0h54GEewKQl:cy2bz/5YvpI2eey98CRC4L0ZRbe

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
  • UPX dump on OEP (original entry point) 28 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1256
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1348
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Executes dropped EXE
        PID:1408
        • C:\Users\Admin\AppData\Local\Temp\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe
          "C:\Users\Admin\AppData\Local\Temp\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe"
          2⤵
          • Modifies firewall policy service
          • UAC bypass
          • Windows security bypass
          • Loads dropped DLL
          • Windows security modification
          • Checks whether UAC is enabled
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2300
          • \??\c:\b2ded89db9db2a722de9b1\install.exe
            c:\b2ded89db9db2a722de9b1\.\install.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2468
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1120

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\0F7694FF_Rar\eb395b5e2219fde1d2fcdb797863c794a3a4ae10e8a4f04507304aae35359970.exe
          Filesize

          2.3MB

          MD5

          a31dc1a74f1dee5caf63aec8ebb5fe20

          SHA1

          5580072a056fdd50cdf93d470239538636f8f3a9

          SHA256

          baaaeddc17bcda8d20c0a82a9eb1247be06b509a820d65dda1342f4010bdb4a0

          SHA512

          fc65d9c85503ff2a3444a6b57abe376ad78d8f476ebbc1d51e7f4bbbbc7e3a3ae1fdf4d00ef9198e4f9a356585fbdff1d932ffd95606a575dfc192fb26e40cf9

          Download Submit
        • C:\b2ded89db9db2a722de9b1\eula.1031.txt
          Filesize

          17KB

          MD5

          9147a93f43d8e58218ebcb15fda888c9

          SHA1

          8277c722ba478be8606d8429de3772b5de4e5f09

          SHA256

          a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

          SHA512

          cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

          Download Submit
        • F:\ckilyx.exe
          Filesize

          100KB

          MD5

          357b9932e65b77d4a47cf51e542abe18

          SHA1

          38bacd6385e30544182fb0f0f72917e88f2a58ed

          SHA256

          cdd93a3a9f040dc9f5c667e0918f606af3abc8f079fc73313226eb95564a3cbf

          SHA512

          e3b66321ea9198af2d5470c258e21ba66c7bf19c4a51d6d1af12645706d1bdeb6ab66f77621f51a2765aeef76dc53198f4a19e6ec4ecac68b2949c57171eab8d

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\eula.1033.txt
          Filesize

          9KB

          MD5

          99c22d4a31f4ead4351b71d6f4e5f6a1

          SHA1

          73207ebe59f6e1073c0d76c8835a312c367b6104

          SHA256

          93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

          SHA512

          47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\globdata.ini
          Filesize

          1KB

          MD5

          0a6b586fabd072bd7382b5e24194eac7

          SHA1

          60e3c7215c1a40fbfb3016d52c2de44592f8ca95

          SHA256

          7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

          SHA512

          b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\install.ini
          Filesize

          843B

          MD5

          0da9ab4977f3e7ba8c65734df42fdab6

          SHA1

          b4ed6eea276f1a7988112f3bde0bd89906237c3f

          SHA256

          672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

          SHA512

          1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\install.res.1033.dll
          Filesize

          88KB

          MD5

          43fb29e3a676d26fcbf0352207991523

          SHA1

          c485159b01baa676167c414fd15f1026e3ae7c14

          SHA256

          4107f4813bc41ed6a6586d1ba01a5c3703ed60c2df060cba6791f449f3689de7

          SHA512

          ad748c63d912e194bb5be42f6db192b22f59f760e0536118dfa963fe29001e7fe635d035f31d86aa5e77a1d4f7ceabf27b03645d0037f147293af1e32eab57a4

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\vc_red.msi
          Filesize

          236KB

          MD5

          d53737cea320b066c099894ed1780705

          SHA1

          d8dc8c2c761933502307a331660bd3fb7bd2c078

          SHA256

          be6288737ea9691f29a17202eccbc0a2e3e1b1b4bacc090ceee2436970aec240

          SHA512

          0af685e4ffb9f7f2e5b28982b9cf3da4ee00e26bd05e830d5316bce277dc91dfee3fe557719ab3406ad866d1ce72644e7a5400dcd561b93d367e12eb96078ffe

          Download Submit
        • \??\c:\b2ded89db9db2a722de9b1\vcredist.bmp
          Filesize

          5KB

          MD5

          06fba95313f26e300917c6cea4480890

          SHA1

          31beee44776f114078fc403e405eaa5936c4bc3b

          SHA256

          594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

          SHA512

          7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

          Download Submit
        • \b2ded89db9db2a722de9b1\install.exe
          Filesize

          835KB

          MD5

          e015a2d8890e2a96a93ca818f834c45b

          SHA1

          30bda2b4464b1c41210cba367e444aed56502360

          SHA256

          dc1ba9cb15d0808dc2d80ce13acfa0b07acdfcfe2cdf94da47e0e570e7345f6d

          SHA512

          20a80b50486e938b92f3aef85e59307f644b69dc5d1edee38038182b57caf636f5f1909959f6fafcfc2e915010d2b3d230cba8300fbc0f63ee2ee3ad8ad64123

          Download Submit
        • memory/1256-54-0x0000000001E60000-0x0000000001E62000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2300-94-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-100-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-5-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-88-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2300-62-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-78-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-92-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-89-0x00000000003F0000-0x00000000003F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2300-84-0x00000000003F0000-0x00000000003F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2300-93-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-38-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-0-0x0000000001000000-0x0000000001268000-memory.dmp
          Filesize

          2.4MB

          Download
        • memory/2300-9-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-95-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-58-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-96-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-98-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-79-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2300-101-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-103-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-106-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-107-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-109-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-111-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-119-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-121-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-123-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-125-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-131-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-132-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-134-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-136-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-138-0x0000000002670000-0x00000000036FE000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2300-158-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2468-85-0x0000000000620000-0x0000000000621000-memory.dmp
          Filesize

          4KB

          Download