Overview

overview

10

Static

static

3

cd5fb931ce...fN.exe

windows7-x64

10

cd5fb931ce...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe

  • Size

    248KB

  • MD5

    83d98a6cd986e6b33ff55f52b79d3080

  • SHA1

    ee8d6e58d27211c1c803e65f66307f85323bcdcc

  • SHA256

    cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9f

  • SHA512

    bf951003f45a2ddebf5a4d4295a85f4b13eeeef91d6d0e02bc579b6fc4da2140483c1183c65b447e31f180879a2e22d6ff64a6172650aaa54396dd7cb0b6afd3

  • SSDEEP

    3072:rmsDm4U1esoRoNRkLUzQwF9qhnfNc5MOt8MaqHE8KXzOKSNzV9brTzTnxIH38MQj:rmgm4KoRIRkGQ4sxMMlMJ5tWHsLZOzov

Score
10/10
salitybackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 20 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
            "C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2140
            • C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
              C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe -start
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2560
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1208
          • C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe
            C:\Users\Admin\AppData\Local\Temp\cd5fb931ce270ebec45d49a842a0427e5c6e837b9e35119880ff7caa95002a9fN.exe -dispatch
            1⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2888

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
            Filesize

            209KB

            MD5

            a6112ed614c5762528e2d2c8daf71f62

            SHA1

            e004bc4156f98ea3715559093179f6d882c6088c

            SHA256

            a79e62894d8c36fad040a9c04a495e85b8ad3c0066157c9284155a2381f7cbf5

            SHA512

            fbf412673d0dec08fa4e8e51bfda1c3daaa0fcb72ae3bd443fdcfc19e5814514f3cb223a66fd01752e408cf47539e113fbcd530408758f2d65dbf3454f158acf

            Download Submit

          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
            Filesize

            1.1MB

            MD5

            aeeb3df56a9d808fe7853e9d9c0884fb

            SHA1

            ad8bda173c6268fa4b35080f4c959889b63da7e3

            SHA256

            e373b10d55a647a1ff9bff324e620612687ede8945274c9288989ef00934d4c9

            SHA512

            662fbc3a7c659039e94984c3f34c3afc2df40e5e984dc71ba4c0a1ed5477da36fcb37a062a0648b596fdd5359cb0e1afb226b0788c7a422b5933f0ead2308278

            Download Submit

          • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
            Filesize

            890KB

            MD5

            72ea6905fef13dd0b94a4c9be74fc236

            SHA1

            5c62480816983d4463a82ca56c3c6c8a38a605a3

            SHA256

            86f843da2384c3b8152fef78043ab32eb7388461a1735eb6b8f0e0b9fd52691b

            SHA512

            dba63ac31d56f6529fa1dfde14472757d37752b1ce2df9d0c06507a91fd6ab5696895a408550419f0f51c9c36a32070c2c00ebb12539aa573892aadfcf3e6412

            Download Submit

          • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
            Filesize

            579KB

            MD5

            617529d5e6d5519aee2e69538908c910

            SHA1

            8cd0b554017bceb75a333260138debd19fd7645a

            SHA256

            b18315a8a7c691091c3390deced94724ce361f18e676299a3aed5fa1ee073055

            SHA512

            0446b72319cad143adcdca4d8b7d1e9b3d3d63dd976b68f82f638f0c0b2aa975007c368b13d1f03414ea4abf285767ea0a8d677fd1d10f22730f9ab0b6cfef6d

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
            Filesize

            153KB

            MD5

            85f21b58d4064cdb928fc5862fb906b0

            SHA1

            21af4505f6e1b10aa54a6f276fb036d68d562fd9

            SHA256

            eaf7a70ffe473904eb489bc300aa904488ce7e05772d50aa6e763c7a09f51198

            SHA512

            ffb0809e6425739a0412935be953795ed8ea23be0eeec56a6e46b063c6fb61aa90d1849b0cb4dd41279e2e49e6ae1b04c4f853d0788e2afc0b15b179d1fef926

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            4a39bcae777f76b247b2b2725823600f

            SHA1

            26f70ccbd395ae4f413b60049070dbb534b2d653

            SHA256

            f9ad73b94de14a814a8ce3da9c2316a73da5e04571b1b6b66947a34ed6c43533

            SHA512

            d6d00943ebe608bf27a5d9fca44a3a3096bee9d1d25204db3db7899059e6537932c6ddb3c430851e064080f57ed3d044a9aa53cb1e72bb50a13d804507c3f766

            Download Submit

          • C:\autorun.inf
            Filesize

            249B

            MD5

            cf0e31e44a812561bc1ebaa3625a01c0

            SHA1

            c6a0705e77e66603eee49f5364f266c4e6c97d4f

            SHA256

            14d312f9649178007320ea4d010fff2027906d092eef208eb4d7ad07a976b2b9

            SHA512

            56ec1c1ef8963a26d172e23c419987fb69db5164009818a2460d238110d25ea8303c4b0d1d0a8b5e5f03d5634b7152324056c020c7f93455481dacc2664a4a41

            Download Submit

          • C:\txjxcu.pif
            Filesize

            97KB

            MD5

            6c28a813820ba1c6002a49bf133453c8

            SHA1

            bdd2b69a01c1672877f348cbf562f50a0cb41c96

            SHA256

            15d8e28f9aa50dd213cab58191180201788e28653f7bf4d6dc111f03d48e444c

            SHA512

            b596a4e60e06ddf039882f714136806d490ab6e895d7480bf3495c3490fc6a732b91d9920097f2e72a299a40b0e44e8ca15708c30860f293ae21c8c98fe5197e

            Download Submit

          • F:\autorun.inf
            Filesize

            197B

            MD5

            f1fde455e69f1b3d6c4bde34aa0c3b00

            SHA1

            ec94be3ef25e000a758126077e8586eedd955ecd

            SHA256

            282e305b319d16d544bd17441e8f9fa152f43cebd952d6ea0dd650a8b805009f

            SHA512

            b439b3dacec647c63a8d1142e3f52b967d6739545d2a65a05b901981118aef9fb7cb4a53266054764d5446780d86119f852ed32e614ac5cff5623bf2849b23ce

            Download Submit

          • memory/1100-20-0x00000000020F0000-0x00000000020F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2140-3-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-88-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-7-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-55-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2140-6-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-30-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2140-9-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-11-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-14-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-92-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-91-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-4-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-5-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-8-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-13-0x0000000000450000-0x000000000049A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2140-0-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2140-76-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-12-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-29-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2140-75-0x0000000002440000-0x00000000034FA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2140-32-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2560-41-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2560-38-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2560-39-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2560-10-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2560-60-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2888-71-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-112-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-89-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-49-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-90-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-53-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-42-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-48-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-51-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-57-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-45-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-52-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-50-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-54-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-44-0x0000000001000000-0x00000000020BA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2888-40-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download