General
-
Target
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
-
Size
124KB
-
Sample
240523-e59qvadh4z
-
MD5
fd127c6270d8c359a72ca527bc0e3909
-
SHA1
1eb9d4278b845e7fa5df7795da4a4b8a8d04e198
-
SHA256
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
-
SHA512
059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8
-
SSDEEP
3072:oCGVhOg013Uh59Td/9L+Ik0IrylyrgZQMHXSaj3A:ooUV11+T0Iryly8xXQ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Targets
-
-
Target
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
-
Size
124KB
-
MD5
fd127c6270d8c359a72ca527bc0e3909
-
SHA1
1eb9d4278b845e7fa5df7795da4a4b8a8d04e198
-
SHA256
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
-
SHA512
059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8
-
SSDEEP
3072:oCGVhOg013Uh59Td/9L+Ik0IrylyrgZQMHXSaj3A:ooUV11+T0Iryly8xXQ
Score10/10-
Modifies firewall policy service
-
Modifies visibility of file extensions in Explorer
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass
-
Windows security bypass
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
-
UPX dump on OEP (original entry point)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
9Hide Artifacts
1Hidden Files and Directories
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3