Overview

overview

10

Static

static

3

ddd6f076f4...77.exe

windows7-x64

10

ddd6f076f4...77.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577

  • Size

    316KB

  • Sample

    240527-d44mrsfg47

  • MD5

    c7248067bc8c5a1f5c33c3d55cb12ac9

  • SHA1

    6e2961c103372907db29a9b3e1cc939a54084ca1

  • SHA256

    ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577

  • SHA512

    691618e24ffc93fdceae880be28a771d6683708619255a298eccfc63e080db088bb722a72af525d274c685fefb5a53146dd448f7231b229786fa1c7e44580d0a

  • SSDEEP

    3072:aOXQxG+IpQZQneFAMx3qe8UzT+nWwXjDRJWwXjDRgjDRbL7SCqO69Z7gnWYU7Wh:l4GlpQEQAMtqNUzC7OSeDh

Score
10/10
salitybackdoorevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Targets

    • Target

      ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577

    • Size

      316KB

    • MD5

      c7248067bc8c5a1f5c33c3d55cb12ac9

    • SHA1

      6e2961c103372907db29a9b3e1cc939a54084ca1

    • SHA256

      ddd6f076f47250dc916664d8fa29e8ac4cf464a70de309e1305987c2fbfa7577

    • SHA512

      691618e24ffc93fdceae880be28a771d6683708619255a298eccfc63e080db088bb722a72af525d274c685fefb5a53146dd448f7231b229786fa1c7e44580d0a

    • SSDEEP

      3072:aOXQxG+IpQZQneFAMx3qe8UzT+nWwXjDRJWwXjDRgjDRbL7SCqO69Z7gnWYU7Wh:l4GlpQEQAMtqNUzC7OSeDh

    Score
    10/10
    salitybackdoorevasionpersistencespywarestealertrojanupx

    • Modifies firewall policy service

      evasion

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • UPX dump on OEP (original entry point)

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

6
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

1
T1012

Remote System Discovery

2
T1018

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks