Overview

overview

10

Static

static

5

e849a572a9...aN.exe

windows7-x64

10

e849a572a9...aN.exe

windows10-2004-x64

10

$PLUGINSDIR/calc.exe

windows7-x64

7

$PLUGINSDIR/calc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e849a572a97e2c481768278f885a774bd60291f9d7aa75954470037709252d4aN.exe

  • Size

    1.5MB

  • MD5

    035540cc3211f5648f6aef5998678ea0

  • SHA1

    f55d2aa510d18c9d4f83e3d3b0ada6566a7ae58b

  • SHA256

    e849a572a97e2c481768278f885a774bd60291f9d7aa75954470037709252d4a

  • SHA512

    f2c91ff337cae040c1abf25bef2ecc93827c21689be7ad3ed671ac2591bd7a1d84c68595187ed75a5e5c2887f64b8e4037bdf9fd57a3281324d0a4cab8761a20

  • SSDEEP

    49152:kYyk+aDRiEmsQnMG0N8MZs3nvQFExBibij:hyk+aDRZQMFC5noFd2j

Score
10/10
salityaspackv2backdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of SetWindowsHookEx 35 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1072
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1120
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\e849a572a97e2c481768278f885a774bd60291f9d7aa75954470037709252d4aN.exe
            "C:\Users\Admin\AppData\Local\Temp\e849a572a97e2c481768278f885a774bd60291f9d7aa75954470037709252d4aN.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1876
            • C:\Users\Admin\AppData\Local\Temp\nsd89AA.tmp\calc.exe
              C:\Users\Admin\AppData\Local\Temp\nsd89AA.tmp\calc.exe
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2644
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:324

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\E_4\SkinH_EL.dll
            Filesize

            107KB

            MD5

            2c9e22f960ca9c2f4caaa2a37d443eda

            SHA1

            3b90206f1ebb726013067adba3bc180f3c388f0a

            SHA256

            fbdb8ece088f95538de2690a630af44709be2c0cc5a1693bb4db2ed71d1661d3

            SHA512

            e307f5edc36695f10e20692df02fa5de661f7ef57257a2c41cc459cea9430bd162fb9eb7679b19f50e4400abf31413520a0b1a44bfc48261d56a2941094afdf4

            Download Submit

          • F:\fmvf.exe
            Filesize

            100KB

            MD5

            72264491e915844d307d5fd7ea718b2c

            SHA1

            85d0f3fa040cad484a3139f3eafbe91cc23a232c

            SHA256

            6e52cad9ceb82919a4a1c2668ee64a4c6f510c217d60009187fd91738e2d736a

            SHA512

            36da6ed1a1e80eef355aa3265921b22771af8cdf7385b637511fd61aa7a428d0f2d07bf82c53d2eec1f64acb5e8de42dd36fdcb9c8879033e94c807ba43b6ecd

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_4\eGrid.fne
            Filesize

            408KB

            MD5

            709f1646c30262b9f77a8aa72b29c59f

            SHA1

            3167a0f7382fdbd7990d63ffc2160b976690f1df

            SHA256

            7172c513f350e70465f2015e3bfa4e58a1ba69d1bf783c684f40fd8483f1c883

            SHA512

            3377556481f9c9734fcff765b0d48b38939ac68fe46f7a369fd627acc07d08cfe371847177965b07635c1ad028ff4d03d4bf98505d37233c829d5f996ebabec0

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_4\iext.fnr
            Filesize

            200KB

            MD5

            c597e19abcd8c10ea2ac0d33c419a93e

            SHA1

            18df89699e55745ef26bbffafb2ecfc8492a4492

            SHA256

            5ed76826bd31aa480d6e615da89fd023921810bcdacfdbf5ec090974afe321d6

            SHA512

            73a9869466e3c59112e22e6ba75f8e4d901fbd6acc6a1c1248963a7371d6a27b197f35ab7605559428262be852291bc78b081259a8a2f0f6ed066be371678c25

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_4\iext2.fne
            Filesize

            113KB

            MD5

            90598b9170d705d6ba5f4a8fd99359f0

            SHA1

            154505937c94821696f65c94af869b3393415f6b

            SHA256

            962dc01fdbe0aa30a0b7c1b235073e8bdf285cceaa7b98e19257d68e5164a0d2

            SHA512

            7024123f2648258638696a3258932444827dc4ef98453d244d3392e9411369de50a6dc373b2fcc300c9a6a3db9d069f22222168073f632a29dd2c36e1285c000

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_4\krnln.fnr
            Filesize

            429KB

            MD5

            4fbc687f3af1e007a5ffabbda393ec7b

            SHA1

            b714435f7150608adc23d3df4d783bae1066b10e

            SHA256

            1d4bb9515b54e265985129591a53af9eba38dac98094d352427bd9f819b8c6fe

            SHA512

            694a43b8cfa41357065f948df1036e954d730038156a079d7528f732b574dc60d0dbd0fc88bbba615e9c26ed04821260a1740f3d15769e8730885a51859d7502

            Download Submit

          • \Users\Admin\AppData\Local\Temp\nsd89AA.tmp\calc.exe
            Filesize

            1.3MB

            MD5

            97e47588a35219417f64ee2184e99118

            SHA1

            37d77f2594d3a5e81f4aebe0efdc24506b17f542

            SHA256

            fd20d30fb61ae75dfb715837d811250b2dcce0fc40b2bd3af6533dac50860513

            SHA512

            39c550d772940d06be3dfdd27ae051a895a2e9887a837131b21ac9470f5e9fb929e8c29d4338cdd8b5406c42973d84546312ac3767c28006a1b77192937bfa1a

            Download Submit

          • memory/1072-12-0x00000000021F0000-0x00000000021F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-60-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-220-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1876-7-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-10-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-11-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-5-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-27-0x0000000000490000-0x0000000000492000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-9-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-24-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-25-0x0000000000490000-0x0000000000492000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-26-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-8-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-38-0x0000000005D70000-0x0000000005DD3000-memory.dmp

            Filesize

            396KB

            Download

          • memory/1876-21-0x00000000004A0000-0x00000000004A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1876-221-0x00000000002C0000-0x000000000030E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1876-39-0x0000000005D70000-0x0000000005DD3000-memory.dmp

            Filesize

            396KB

            Download

          • memory/1876-4-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-87-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-6-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-0-0x0000000000400000-0x000000000044E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1876-1-0x00000000002C0000-0x000000000030E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1876-23-0x00000000004A0000-0x00000000004A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1876-113-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-112-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-2-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-20-0x0000000000490000-0x0000000000492000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-109-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-105-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-77-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-78-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-80-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-81-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-82-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1876-84-0x0000000000490000-0x0000000000492000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1876-85-0x00000000023E0000-0x000000000346E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2644-69-0x0000000002550000-0x00000000025B0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2644-90-0x0000000000360000-0x00000000003B8000-memory.dmp

            Filesize

            352KB

            Download

          • memory/2644-89-0x0000000000400000-0x0000000000463000-memory.dmp

            Filesize

            396KB

            Download

          • memory/2644-103-0x0000000010000000-0x000000001012A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2644-102-0x0000000002790000-0x0000000002791000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2644-99-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2644-76-0x0000000002551000-0x0000000002591000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2644-107-0x0000000010000000-0x000000001012A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2644-75-0x0000000002550000-0x00000000025B0000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2644-61-0x0000000000360000-0x00000000003B8000-memory.dmp

            Filesize

            352KB

            Download

          • memory/2644-64-0x00000000023A0000-0x0000000002415000-memory.dmp

            Filesize

            468KB

            Download

          • memory/2644-62-0x0000000010000000-0x000000001012A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2644-57-0x00000000003C0000-0x0000000000400000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2644-40-0x0000000000400000-0x0000000000463000-memory.dmp

            Filesize

            396KB

            Download