Overview

overview

10

Static

static

3

ab84fa30df...75.exe

windows7-x64

10

ab84fa30df...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe

  • Size

    4.8MB

  • MD5

    cf0b2b6db9247d897dce923963cd4489

  • SHA1

    69ee0a9e0d6162cf702e57f3869eb5ae3eec8661

  • SHA256

    ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975

  • SHA512

    2d9a61c9c38f3e71c558a2fa155a9b39ed48b4fe2dd2c045bf5c38ff7c70dfa640a7b4d85533ba74156cc4fba3dfe6f6ee28e84ea1d032ee2ae9f37cdbcc1dd9

  • SSDEEP

    24576:W4L1dN9IgGFCXy3DryDNYhJkfdTazmaj9Tb9X9Pu3mmGld6oKZmMP+73lIqV:NB3pyYqhJkfdVa5TLG3mmhHmMP+bl3V

Score
10/10
salitybackdoorbootkitevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1104
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe
            "C:\Users\Admin\AppData\Local\Temp\ab84fa30df78283736e231eeb8931d333e75765c693a2916b96c47926a192975.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Writes to the Master Boot Record (MBR)
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1684
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1624
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1556

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Replication Through Removable Media

            1
            T1091

            Execution

            Persistence

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Pre-OS Boot

            1
            T1542

            Bootkit

            1
            T1542.003

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            3
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            5
            T1112

            Pre-OS Boot

            1
            T1542

            Bootkit

            1
            T1542.003

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Replication Through Removable Media

            1
            T1091

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • F:\rwhnj.pif
              Filesize

              97KB

              MD5

              8b17fe253285961fe8e4a206ac3a81fb

              SHA1

              d72e1905d86189f992083bd533bc198ea28c853d

              SHA256

              3b6ebf2f2487e777a23946d0e6ddcb39426aadc9b5df261f0ff4b09cbf74fe4d

              SHA512

              c35758d7b32111c614517ed693e4608dcf03dcf0154bdcd852707331bb5fd14daa44b014f4bb63b9137d4dd410b200af021b9262df2fbcd32eb99576acc3edb8

              Download Submit

            • \Users\Admin\AppData\Local\Temp\36034B7.tmp360net.dll
              Filesize

              480KB

              MD5

              d5f22fc1beff60f5fa9398effca73e2f

              SHA1

              f84c5f048b5269381a8c6d1dc21905458856543b

              SHA256

              214a5e9aab33148866db82ab51c5bcce9e4240794c2c2850fa0f7b3bc3aa34e6

              SHA512

              b031336bf42a55e738a412b39acff8b57892f8d2b49c3ec4eadc9f7c9ad45cbc0f5b06a921fd07cfed2faf2de07c6957dfd8975de5e322f0f82c558ee9dcf1c3

              Download Submit

            • memory/1104-9-0x00000000001B0000-0x00000000001B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1684-44-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-23-0x0000000002360000-0x0000000002361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1684-22-0x0000000002350000-0x0000000002352000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1684-46-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-25-0x0000000002360000-0x0000000002361000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1684-6-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-4-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-7-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-14-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-12-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-45-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-8-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-47-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-31-0x0000000002350000-0x0000000002352000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1684-32-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-33-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-0-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-42-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-43-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-2-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-17-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-13-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-5-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-49-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-50-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-51-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-54-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-55-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-62-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-64-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-66-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-68-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-71-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-72-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-75-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-77-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-81-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-83-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-84-0x0000000002950000-0x0000000003A0A000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/1684-98-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-103-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-110-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-1-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download

            • memory/1684-177-0x0000000000400000-0x000000000091B000-memory.dmp

              Filesize

              5.1MB

              Download