Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-05-2024 10:23

General

  • Target

    5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe

  • Size

    128KB

  • MD5

    21e9a4adbf70b295fb6b81f7998e9c39

  • SHA1

    2f6b14983570185fa111ca30a2848a7cae32792e

  • SHA256

    5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293

  • SHA512

    ab67f371ae40645de366052359b94fd28feefdda6afcfb794407f0460905a68375af5eeb1e9c7453509450d68b165c7a46af76b893bf611fb5243a5dfa65ff91

  • SSDEEP

    3072:uftffjmNmcoa3b9OBFhfY6XHNNTGkZm1MOTLjAimC:WVfjmNm+BOBbfY6XHjSkZmGgjAiF

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
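The C2 URLs above and the file hashes from the General and Downloads sections are the indicators a responder would sweep for. The following is an added example, not part of the sandbox report: a small Python IOC sweep that matches proxy-log URLs against the report's C2 hosts (exact host, any subdomain, and the bare domain for the `www.` entry) and matches a file listing against the report's SHA256 values. The log lines, the file listing and the log format (`timestamp client method url status`) are constructed for the demo and are assumptions about whatever feed you actually have.

```python
"""IOC sweep for the Sality sample in this report.

Added example, not part of the sandbox output. The URLs and hashes are copied from
the report; the proxy log lines, the file listing and the log line format are
constructed test data.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted by the sandbox ("Malware Config" section).
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# SHA256 values from the General and Downloads sections.
KNOWN_SHA256 = {
    "5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293": "submitted sample",
    "e38f132e21d0cd2fbae0ca84531c4d69a1b7a6d72cf476039428e56c8e3b1640": "dropped .exe.exe copy",
    "64f4c55958cc975b7f0a81d256f016b1f9a1751e9a2b7bb8360462cde1d92621": "$$a4E9D.bat dropper script",
}


def _domain(url):
    """Hostname of a URL with a leading 'www.' stripped (IP literals pass through)."""
    host = urlsplit(url).hostname.lower()
    return host[4:] if host.startswith("www.") else host


C2_DOMAINS = {_domain(u) for u in C2_URLS}


def match_host(host):
    """Return the matched C2 domain for an exact or subdomain match, else None."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for dom in C2_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def sweep_proxy_log(lines):
    """Return (client, url, matched_domain) for every line whose URL host is a C2."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:          # malformed line: skip rather than crash
            continue
        _ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname
        if host is None:
            continue
        dom = match_host(host)
        if dom:
            hits.append((client, url, dom))
    return hits


def sweep_hashes(listing):
    """listing: iterable of (path, sha256_hex). Return [(path, label)] for known hashes."""
    return [(p, KNOWN_SHA256[h.lower()]) for p, h in listing if h.lower() in KNOWN_SHA256]


# Constructed proxy log: "timestamp client method url status" (assumed format).
SAMPLE_PROXY_LOG = [
    "1715942641.101 10.0.0.5 GET http://kukutrustnet777.info/home.gif 200",
    "1715942641.310 10.0.0.5 GET http://89.119.67.154/testo5/ 404",
    "1715942642.002 10.0.0.9 GET http://www.example.com/index.html 200",
    "1715942643.550 10.0.0.5 GET http://cdn.kukutrustnet987.info/home.gif 200",
    "1715942644.000 10.0.0.7 GET http://klkjwre9fqwieluoi.info/ 200",
]

# Constructed file listing: one path from the report, one benign placeholder hash.
SAMPLE_LISTING = [
    (r"C:\Users\Admin\AppData\Local\Temp\$$a4E9D.bat",
     "64f4c55958cc975b7f0a81d256f016b1f9a1751e9a2b7bb8360462cde1d92621"),
    (r"C:\Users\Admin\Downloads\report.pdf", "0" * 64),
]

if __name__ == "__main__":
    for client, url, dom in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C2 contact: {client} -> {url} (matched {dom})")
    for path, label in sweep_hashes(SAMPLE_LISTING):
        print(f"known hash: {path} ({label})")
```

Note that the subdomain match is deliberate: the report lists specific hosts, but a hunt should also catch `cdn.kukutrustnet987.info`-style variants and the bare `klkjwre9fqwieluoi.info`. Tighten `match_host` to exact hosts if that produces noise in your environment.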

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:780
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:784
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
      PID:336
  • C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe
    "C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E9D.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe
        "C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"
        3⤵
        • Executes dropped EXE
        PID:4172
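The process tree shows the chain a detection engineer would want to alert on: the sample spawns `cmd.exe /c %TEMP%\$$a4E9D.bat`, and the batch file relaunches an executable at the sample's own path (the report flags this as "Executes dropped EXE"); the Downloads section additionally lists a dropped copy named `<sha256>.exe.exe`. The following is an added example, not part of the sandbox report: Python detection logic over constructed process-creation events that encodes those three observations. The PIDs, image paths and command lines for 4192, 4704 and 4172 are taken from the tree; the parent of 4192 (an `explorer.exe` at PID 1000), the benign `notepad.exe` event and the event schema (`pid`, `ppid`, `image`, `cmdline`) are assumptions.

```python
"""Process-chain detection for the dropper behaviour in the tree above.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; the parent of PID 4192, the benign notepad event and the
event field names are assumptions about the EDR/Sysmon feed being consumed.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe")

# cmd.exe /c <...>\Temp\$$XXXXX.bat : a hex-suffixed batch file in a Temp directory.
TEMP_BAT = re.compile(r"\\temp\\\$\$[0-9a-f]+\.bat\b", re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_cmd_running_temp_bat(ev):
    """True for a cmd.exe whose command line runs a $$<hex>.bat from a Temp folder."""
    return _basename(ev["image"]) == "cmd.exe" and TEMP_BAT.search(ev["cmdline"]) is not None


def has_double_exe_extension(path):
    """Flag names like foo.exe.exe, as in the dropped copy listed under Downloads."""
    return path.lower().endswith(".exe.exe")


def detect(events):
    """Return {pid: [rule, ...]} for every event that matches at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        rules = []
        if is_cmd_running_temp_bat(ev):
            rules.append("cmd_runs_temp_dollar_bat")
        # Relaunch pattern: parent is the $$.bat cmd.exe and the grandparent is the
        # same executable image as this process (the batch re-executes its dropper).
        parent = by_pid.get(ev["ppid"])
        if parent and is_cmd_running_temp_bat(parent):
            grand = by_pid.get(parent["ppid"])
            if grand and grand["image"].lower() == ev["image"].lower():
                rules.append("relaunch_same_exe_via_temp_bat")
        if has_double_exe_extension(ev["image"]):
            rules.append("double_exe_extension")
        if rules:
            findings[ev["pid"]] = rules
    return findings


# Constructed events. PID 1000 (explorer) and PID 5000 (notepad) are made up; the
# rest mirror the report's process tree.
EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4192, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4704, "ppid": 4192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E9D.bat"},
    {"pid": 4172, "ppid": 4704, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(f"PID {pid}: {', '.join(rules)}")
```

The relaunch rule needs the grandparent event, so it only fires when the feed retains the full chain; on a feed that ships only parent/child pairs, fall back to the `cmd_runs_temp_dollar_bat` rule alone and pivot manually from there.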

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a4E9D.bat
    Filesize

    722B

    MD5

    6f83ffd26026e70245c70cace09743a0

    SHA1

    55337d3a33cfb12e03567829557a2daa6effdb6d

    SHA256

    64f4c55958cc975b7f0a81d256f016b1f9a1751e9a2b7bb8360462cde1d92621

    SHA512

    c990160c378be1a2ebad92af629636985a50941bc9c9287805ae2f76809da99b49728d0fb4af11de8f55940242e77f65ed4867aa03c46b068e6602f2888601c4

  • C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe.exe
    Filesize

    102KB

    MD5

    d042a1b8aec96fa4b7f90aa94efd8933

    SHA1

    a222c4bc14d3b59d11d2100b038ab478f02b3fca

    SHA256

    e38f132e21d0cd2fbae0ca84531c4d69a1b7a6d72cf476039428e56c8e3b1640

    SHA512

    0f8f5574459e36b63d13aba54a908384d9e3cc23a522e272c034b4b5d5f9e2eed73972b5d0348a5d2ad855fb429815a0678561f61df42922e8e72d0f49c40e7a

  • memory/4192-0-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize

    280KB

  • memory/4192-1-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB

  • memory/4192-15-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB

  • memory/4192-19-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize

    280KB

  • memory/4192-14-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB

  • memory/4192-11-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB

  • memory/4192-9-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB

  • memory/4192-10-0x00000000007A0000-0x000000000182E000-memory.dmp
    Filesize

    16.6MB