Overview

overview

10

Static

static

3

f7acdc93b4...57.exe

windows7-x64

10

f7acdc93b4...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    26s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe

  • Size

    287KB

  • MD5

    763214b9365b3514da15e89e5aa36cad

  • SHA1

    0c427a0142f62951fd2c818ec754f2b0b82179a2

  • SHA256

    f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957

  • SHA512

    c32e1e70bef83862cd5e4ad307cfbf8064a6edcd839355b93c64c109b9826ba4a69d20aaf1d1819ac35d80744d9fa3bfbbc66675497a836fd5c60656878bf0a5

  • SSDEEP

    6144:TvEa2U+T6i5LirrllHy4HUcMQY6J27Ox0+MeyI:TEaN+T5xYrllrU7QY6A7ObMC

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 21 IoCs
  • UPX dump on OEP (original entry point) 25 IoCs
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1072
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1128
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1152
          • C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe
            "C:\Users\Admin\AppData\Local\Temp\f7acdc93b42f5033678311972af00b0674db783e5a88d7c5d59617c41eb97957.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2916
            • \??\c:\windows\system\explorer.exe
              c:\windows\system\explorer.exe
              3⤵
              • Modifies WinLogon for persistence
              • Modifies firewall policy service
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Windows security bypass
              • Modifies Installed Components in the registry
              • Deletes itself
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2676
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Windows directory
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2368
                • \??\c:\windows\system\svchost.exe
                  c:\windows\system\svchost.exe
                  5⤵
                  • Modifies WinLogon for persistence
                  • Modifies visiblity of hidden/system files in Explorer
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Adds Run key to start application
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2288
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe PR
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2572
                  • C:\Windows\SysWOW64\at.exe
                    at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    6⤵
                      PID:288
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:1712

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            3
            T1547

            Registry Run Keys / Startup Folder

            2
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Privilege Escalation

            Boot or Logon Autostart Execution

            3
            T1547

            Registry Run Keys / Startup Folder

            2
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Defense Evasion

            Modify Registry

            9
            T1112

            Hide Artifacts

            1
            T1564

            Hidden Files and Directories

            1
            T1564.001

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            3
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Credential Access

            Discovery

            System Information Discovery

            3
            T1082

            Query Registry

            1
            T1012

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\mrsys.exe
              Filesize

              287KB

              MD5

              3f5e9e1d134bdd1c640cb6cf67675dcf

              SHA1

              1a2bb871f04a5deffe69580d96abaf055efbc928

              SHA256

              e94df1d34cd4e051992931c90da077cf514cdfa311441c5aafc2c06705595724

              SHA512

              df649d1c00505d1dbfbba381d4b8e5406752eefe0bd7db1f358caa1b563d33470da5e3d69f2fe4fce36ed34537570c0b574e7d56bd0924733a751fc408a032a1

              Download Submit
            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              15dff41f3ca4be6835a2e520348dc73d

              SHA1

              555b2d92ae13946f0416d8d064d5d6ffa63eb105

              SHA256

              8d6dd2f0bf34e1ca623fc7d4b0476809587833105aec362acb059e888f1a0afd

              SHA512

              53c6ae79a1b7a6af5d96dc23f1ba23aa009c22b1ef8d0a639ef4637450b1790a22cc509b5af59ffedeecf4accf487ee32c57394ad481c11eaa56af470328453a

              Download Submit
            • C:\Windows\system\svchost.exe
              Filesize

              287KB

              MD5

              0298d3c8e24ba4f117a139a8106e268d

              SHA1

              2738cb01df3d30cdd3e14ba17e2492986667398a

              SHA256

              ba2a1ae76d3c9511458811902d09e74cc4fa7a13af5ff3b47e88f4a44b5eae3b

              SHA512

              2263cc0050642e60f0485a799cf52af9210f6b56ac9769b6d512bb0ae5a215f9554a7e9a51aabaf6f145345c71438e17ef5b5f4bdeaf7f7c4dd046f77ccfdec3

              Download Submit
            • C:\hfyji.pif
              Filesize

              100KB

              MD5

              cc3c654c48cd6400c85b99dedea71a4c

              SHA1

              e373bcb6ae064517da8b41fae03e38c6fc9e3536

              SHA256

              9cf9493edad5606f7e6fb274f2f82e6c7e3f1ce5acf6ecb90a9bc9b6bc7d6c5d

              SHA512

              c43dd3d8a2ab6dd926768fe995540afe25094da12550905a453f5fe3736688fa6c213c1a891e3e707d6e5a7dadf9e64bdf299aebba9362933b188397328cac36

              Download Submit
            • \Windows\system\explorer.exe
              Filesize

              288KB

              MD5

              3c0247cac506cb11d03cb4912ba16d70

              SHA1

              a49f87cf189c3a3bcac30b3443a7abe14a0bd691

              SHA256

              b9b507a6597f26ba87c872254de9cfa316f494d2acdc81a6260bf0b1e3bd2ee8

              SHA512

              25339dcf1ee18d2366309331f4ba3c68fb7a9d6b7c0ad0c8bd4e82f29033a473cf683d793a348579a5473601efa27e2447f66464da0ce7037261c9f40f23207c

              Download Submit
            • \Windows\system\spoolsv.exe
              Filesize

              287KB

              MD5

              97cbe5b711a1e4ba9bfe7f3f56b2a1de

              SHA1

              880f3afb6ae7247ff763b09ff662044bf2d5ab07

              SHA256

              d785d954c54cc0ab3ee1179bdc71fa2fdc5d1809ab33212e88765fdb1d57657d

              SHA512

              0a8072587cd54be98bc65417bd475e118957877adab170d9f5a10e0120db08c6ca0ff47236c20d2fa06dd1a863dbe673ce3b5f1a8c3fd581f12318da1b880aac

              Download Submit
            • memory/1072-13-0x0000000002010000-0x0000000002012000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2288-126-0x0000000002520000-0x0000000002521000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2368-57-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2368-87-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2572-84-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2572-81-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2676-104-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-107-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-120-0x0000000000550000-0x0000000000551000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2676-108-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-50-0x00000000033B0000-0x00000000033F1000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2676-127-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-106-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-56-0x00000000033B0000-0x00000000033F1000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2676-129-0x00000000033B0000-0x000000000443E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2676-41-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2916-20-0x0000000000700000-0x0000000000702000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2916-102-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2916-39-0x0000000005750000-0x0000000005791000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2916-27-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-33-0x0000000005610000-0x0000000005651000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2916-28-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-74-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-78-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-12-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-9-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-11-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-34-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-0-0x0000000000400000-0x0000000000441000-memory.dmp
              Filesize

              260KB

              Download
            • memory/2916-21-0x00000000007D0000-0x00000000007D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2916-23-0x00000000007D0000-0x00000000007D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2916-25-0x0000000000700000-0x0000000000702000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2916-24-0x0000000000700000-0x0000000000702000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2916-8-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-10-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-4-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-7-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-6-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download
            • memory/2916-1-0x0000000002680000-0x000000000370E000-memory.dmp
              Filesize

              16.6MB

              Download