Overview

overview

10

Static

static

3

ec73db81b9...7b.exe

windows7-x64

10

ec73db81b9...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    26s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

  • Size

    124KB

  • MD5

    fd127c6270d8c359a72ca527bc0e3909

  • SHA1

    1eb9d4278b845e7fa5df7795da4a4b8a8d04e198

  • SHA256

    ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b

  • SHA512

    059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8

  • SSDEEP

    3072:oCGVhOg013Uh59Td/9L+Ik0IrylyrgZQMHXSaj3A:ooUV11+T0Iryly8xXQ

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 14 IoCs
  • UPX dump on OEP (original entry point) 15 IoCs
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 23 IoCs
  • Runs .reg file with regedit 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1060
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1152
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1180
          • C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
            "C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1860
            • C:\Windows\SysWOW64\explorer.exe
              explorer C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
              3⤵
                PID:2648
              • C:\Windows\SysWOW64\regedit.exe
                regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg
                3⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Modifies system executable filetype association
                • Adds Run key to start application
                • Modifies registry class
                • Runs .reg file with regedit
                PID:2744
              • C:\Program Files\EXPLORER.EXE
                "C:\Program Files\EXPLORER.EXE"
                3⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Deletes itself
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops autorun.inf file
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2472
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2300
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2948
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:664
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1016
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1296
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2248
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2108
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1988
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1860
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2812
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1560
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1504
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2032
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Program Files\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2552
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1560
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
              1⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:2508

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Replication Through Removable Media

            1
            T1091

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Change Default File Association

            1
            T1546.001

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Change Default File Association

            1
            T1546.001

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Hide Artifacts

            1
            T1564

            Hidden Files and Directories

            1
            T1564.001

            Impair Defenses

            3
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            9
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Replication Through Removable Media

            1
            T1091

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Autorun.inf
              Filesize

              99B

              MD5

              9bf1e5a2afbe7da98a68e24153056e89

              SHA1

              a081dd05387f0a820c090d1d1d003af4f4374b63

              SHA256

              bca0db21212fb26b90ca976ad73636249ee40e70f59d867698a760b674ef13d2

              SHA512

              591855a387d8e28b89821e3d5c0c9418ebc2d644732ab9ce75e90e9db0b2bf7fecfd273fd6ef22a8d8fde87b97002e176d49e274b6c6cfa5798ef151092fcdcf

              Download Submit

            • C:\Program Files\Funny!.reg
              Filesize

              572B

              MD5

              c2ab01b697609862244ae7365e7e03d9

              SHA1

              63f95bf1efc2f7fb66a51627131150a01856ab36

              SHA256

              3e8770c1a3b8112a25d08b47a1bc0eed22aae31389b16dc03b07f3f10093e092

              SHA512

              afb30a04c3b50ccd913200b012409a9a1e2411ca97f1143a8e6f879fb8bc50acb3ec0c32a76fa4aea2b5ad35450578b53c51bb6e5e982da4f63136f8734f7da2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Funny!.reg
              Filesize

              649B

              MD5

              04fdb91e4f31252545a98d94582f222a

              SHA1

              6e9144b93384d4d76975a96d96d912204515a06b

              SHA256

              8758c9438a12a9576a69b1b88ba51938f5c92b9bfe4ced50281bf98ce5dfd670

              SHA512

              f3beb767e01c1089ffe35d9e5d5f2fee3253c45d8c96ce6a9c6796775e5363fbeb2c5e89af063cccff9e6bcc9d248f1db3e29e540a25f1b9aeacce6d565030e4

              Download Submit

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              1c45604d72300631bf64f54de5afab62

              SHA1

              bd60852d87afd11b1bc8d99273707ab4e1c8615f

              SHA256

              23b144029bd69fd25e471701f74812430d8c4dedc259ab6e01b5130d56bdee98

              SHA512

              91ec46f3f9636dda2c3c5b94e2b9dd3e9553d821c904835cfb2091dc656547ccd0d8c4397982ab352c04eb859a8b46aaab89d46edebe8eaebab0fa28fb910f2e

              Download Submit

            • \Program Files\EXPLORER.EXE
              Filesize

              124KB

              MD5

              fd127c6270d8c359a72ca527bc0e3909

              SHA1

              1eb9d4278b845e7fa5df7795da4a4b8a8d04e198

              SHA256

              ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b

              SHA512

              059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8

              Download Submit

            • memory/1060-15-0x0000000002090000-0x0000000002092000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1860-27-0x0000000000470000-0x0000000000472000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1860-25-0x0000000000480000-0x0000000000481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1860-10-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-5-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-13-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-14-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-26-0x0000000000470000-0x0000000000472000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1860-3-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-1-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-11-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-0-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1860-12-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-23-0x0000000000480000-0x0000000000481000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1860-22-0x0000000000470000-0x0000000000472000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1860-4-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-8-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-6-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-48-0x00000000025B0000-0x00000000025D0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1860-47-0x00000000025B0000-0x00000000025D0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1860-67-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1860-66-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2472-104-0x0000000003AD0000-0x0000000004B5E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2472-123-0x0000000000340000-0x0000000000342000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2472-122-0x00000000003E0000-0x00000000003E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2472-107-0x0000000003AD0000-0x0000000004B5E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2508-75-0x0000000003A90000-0x0000000003AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2648-33-0x00000000001F0000-0x00000000001F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2648-35-0x00000000001E0000-0x00000000001E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2648-34-0x00000000001E0000-0x00000000001E2000-memory.dmp

              Filesize

              8KB

              Download