Malware Analysis Report

2024-11-16 13:15

Sample ID: 240625-b665kaxdmr
Target: e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0
SHA256: e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0
Tags: sality backdoor evasion trojan upx
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0
Threat Level: Known bad

The file e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

Sality

UAC bypass

Windows security modification

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-25 01:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-25 01:46
Reported: 2024-06-25 01:49
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Sality

Tags: backdoor sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A (2 matches)

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches)

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1545.bat

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

Network

N/A

Files

memory/2320-0-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2320-2-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-8-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-4-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-11-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-33-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-39-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2320-10-0x0000000000740000-0x00000000017FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1545.bat

MD5 909a67e657f9c1e96519ed751571a889
SHA1 8197bceac6bec8c3e2baf18c0d9897f1163563f2
SHA256 142090691c241415497844e17c3089b84ee6738c25cf523acfbe09bcbd08475d
SHA512 f52e9c22313d41bfc1739fb34f2b937827042d00f268b459dce368e031fc242033884ede507f7fc62c389e715ec00c0ea35719f5f49f9a0f7baf673c91fbb2a9

memory/2320-5-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-9-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-7-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-6-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2320-12-0x0000000000740000-0x00000000017FA000-memory.dmp

memory/2448-48-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2448-47-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2548-46-0x00000000022A0000-0x00000000022E5000-memory.dmp

memory/2548-45-0x00000000022A0000-0x00000000022E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe

MD5 2b599c9043b30d14b8cce4a7b363b0eb
SHA1 32ace49eb9b24519421486057bf9c10ec252ea1c
SHA256 b795f09466a41152f67442a7fce1d3581d172a586f681348105e394a04dce151
SHA512 d1399a6cb8ecb63fc328154fb768bd3447bf9832ae1bf7951a40054f489ee0910f8a2db61153a862c1ac424501abc0af39373532f630669e45d1245b26309a6b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-25 01:46
Reported: 2024-06-25 01:49
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

Signatures

Modifies firewall policy service

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Sality

Tags: backdoor sality

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 matches)

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56CB.bat

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe

"C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/1608-0-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1608-1-0x0000000000810000-0x00000000018CA000-memory.dmp

memory/1608-9-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1608-10-0x0000000000810000-0x00000000018CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a56CB.bat

MD5 4cdb9da3eedb7fc593cc53fb5b4672cc
SHA1 3c7d5ab6cafd40c1f291039007518f8c3f61f9e8
SHA256 0ea988558363d379e68a1b529433b18d78d2b5720752d690d2d96020404b6e1d
SHA512 2565d6cd5c59efc0b4528945be52ef05215f8550be9afe7f1c3c98e71367161fd8cf3c46320698b7b3344b11e61b298129e39e5c68496bcae5916c634cf16710

C:\Users\Admin\AppData\Local\Temp\e6096a4273622c8299efeb28fc2ad0b93c899168c9836a8a076d089ba0a93bc0.exe.exe

MD5 2b599c9043b30d14b8cce4a7b363b0eb
SHA1 32ace49eb9b24519421486057bf9c10ec252ea1c
SHA256 b795f09466a41152f67442a7fce1d3581d172a586f681348105e394a04dce151
SHA512 d1399a6cb8ecb63fc328154fb768bd3447bf9832ae1bf7951a40054f489ee0910f8a2db61153a862c1ac424501abc0af39373532f630669e45d1245b26309a6b

memory/3292-14-0x0000000000400000-0x0000000000445000-memory.dmp

memory/1608-15-0x0000000000810000-0x00000000018CA000-memory.dmp