Overview

overview

10

Static

static

3

77435dd40d...cf.exe

windows7-x64

10

77435dd40d...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf.exe

  • Size

    2.3MB

  • MD5

    a2c9346724c49126940e5a6ef55e0b02

  • SHA1

    d906af9d21e28d9432456e92e090063504277477

  • SHA256

    77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf

  • SHA512

    737f573b40c50694c566680b1544c14b603cf4fe816cd6734f6ca754f58f37bdd79befd197af63fb4cf673cec3cadbf91f96fdb266946bae9892a06ff1739567

  • SSDEEP

    49152:2Parn/x9Pwrn/POzMQGEvGH7DtN1dwQXalyJ3ns+Parn/x9Pwrn/POzMQGEvGH7k:brn/x9Pwrn/POzMQGEutNjwkaERszrnl

Score
10/10
salitybackdoorbootkitdiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops autorun.inf file 1 TTPs 36 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1040
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1096
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf.exe
            "C:\Users\Admin\AppData\Local\Temp\77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf.exe"
            2⤵
            • Modifies WinLogon for persistence
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Writes to the Master Boot Record (MBR)
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1968
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Users\Admin\AppData\Local\Temp\CQ.bat
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2364
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im qq.exe /f
                4⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2052
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c C:\Users\Admin\AppData\Local\Temp\temp.bat
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:400
              • C:\Windows\SysWOW64\cacls.exe
                cacls "C:\Program Files\Windows Media Player\0" /d everyone /e
                4⤵
                • System Location Discovery: System Language Discovery
                PID:1148
            • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
              "C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡" pid 1968"C:\Users\Admin\AppData\Local\Temp\77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Deletes itself
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops autorun.inf file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:332
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1796

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Pre-OS Boot

          1
          T1542

          Bootkit

          1
          T1542.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          1
          T1547

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Pre-OS Boot

          1
          T1542

          Bootkit

          1
          T1542.003

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\9\e\3\b\3\c\8\c\0\2\1\a\2\f\1\6\8\b\4\autorun.inf\svchost.exe¡¡
            Filesize

            2.3MB

            MD5

            a2c9346724c49126940e5a6ef55e0b02

            SHA1

            d906af9d21e28d9432456e92e090063504277477

            SHA256

            77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf

            SHA512

            737f573b40c50694c566680b1544c14b603cf4fe816cd6734f6ca754f58f37bdd79befd197af63fb4cf673cec3cadbf91f96fdb266946bae9892a06ff1739567

            Download Submit

          • C:\Program Files\Windows Media Player\0\e\e\3\7\c\c\5\a\d\e\1\1\autorun.inf\desktop.ini
            Filesize

            65B

            MD5

            ad0b0b4416f06af436328a3c12dc491b

            SHA1

            743c7ad130780de78ccbf75aa6f84298720ad3fa

            SHA256

            23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

            SHA512

            884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0F769B75_Rar\77435dd40d7958451986fd967e883cfcec6e60a53e5ed61b871887b8ccf9d1cf.exe
            Filesize

            1.1MB

            MD5

            1e76f7a593c48b9535b0fbdf30be48cf

            SHA1

            f77a1f0cc994f77c05b5f06fa74cbc7da7be7f45

            SHA256

            1837cd2ad72be689e9d707e9f6eceea8fe85bc73f41fac12243ab61ab074cf8a

            SHA512

            7080bb16b07caf6110f30eeb1a1e0ad3bf12189fee2afb6cb5a14f8a9211009ce816e3de4507d95cf006a1aef3e85d865552ef1eee6c0a524acdb3828cf5c04d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\CQ.bat
            Filesize

            30B

            MD5

            458d6a0f8398f6fa8bda7bb2ba5be353

            SHA1

            eec02a1cf5047cee3d4dee32ef13498c49a61154

            SHA256

            66142298d915314ddb48b417e96b48936e71a190d8f7cd8ae5a053cbe2746ddc

            SHA512

            c4fad6cafa4b17da18f5beceb65f91414c9fa0774c99caeadc87bc44f5faee6425208c78f6f111bec71b2e0cf58922c4bb62a0e3247b2af7699113a76c11c730

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne
            Filesize

            192KB

            MD5

            c1180974dd8a7c6d9f8fcc13096b4f7a

            SHA1

            9d50021334248bf0c752b3ed34deed48325da05c

            SHA256

            5b1ff0cabb2384f4b6385c1acce1d5e3a9d7b8e0403e2224cd1ab9722a599d3d

            SHA512

            c8b938bf172b9d2ccfaea34ff7cfddc9eaab8a9416a07e458bd34dfed2ea18de66d23dbaa9f15c2faf1009e00a8dfca3168ab41f02ef28e97c9197c3ca6943e9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\temp.bat
            Filesize

            72B

            MD5

            593ce3f439bb49aa3ef95af11b146c18

            SHA1

            1475674af547f66b3de40d5afde11fcb558a53eb

            SHA256

            886e68d9e6edb3b9ed472e9990fb9b0822c3be5e4cf6066af986edfac465546b

            SHA512

            76378b3017f75e0dbbf03a8bedf12b5b80c2d5da7a108ab7024acbbb7deac44ed16e054b53e86f9c8aef210f3a9cb3d1d39e43a698281b92149501c39d863349

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            3bd0de57f13309312f98ee40f7e336f2

            SHA1

            d9860d5cff2465804798968025d1bebf67ac933d

            SHA256

            01ef70dc4aa69f8eed5afd0476fdf75f7e5b01cf43cc0c34adcd282af1a8be2b

            SHA512

            a5550b69ca6f481b57a2eea68c270e82bf2ed8ef3666f7620966d012cc1c09fc83786061b3f511d3cf8a5b9b47210e54e4764bdb86d2e2fa245ad2022763e9cf

            Download Submit

          • F:\dfxi.exe
            Filesize

            100KB

            MD5

            350d486cf20b44ac9f5b69c3891fbdc0

            SHA1

            deb21c41944f4bd5fd6ef8980553a4a51df5fb77

            SHA256

            812c7bcce21b51799de3f2a00aba7af8938f858444b2f7dcffdc0b78844022cc

            SHA512

            5276099cece73b02c592ce12614b0a832ef196828db7e88776ad0565df89c38a7ecb68126b4cb9e9f6e1a1fcff50c8478b34b7e00d17298d4e70aaacff2b045f

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_N4\Md5.fne
            Filesize

            28KB

            MD5

            992322b55f2684fe4c83b8e94dd54adb

            SHA1

            0990c5d0da44f3dfa45208c8d7d6ca27614dc165

            SHA256

            d3204ab23cfb93ec59c26624b46c436da7545bb91cbca0d9801b8e3ac0df3ead

            SHA512

            471ae13171f3f15f53126b04ada3157b4d194cec2d6b14502b1ea17962b163360f7e6a60187c1d15795c61955a64b19c1c68fcc5af6c7ee80ba3be6af1dcbf5b

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
            Filesize

            332KB

            MD5

            3102c454a9543e58fe3ad5f783f5a690

            SHA1

            dc98fe9c47b1b4123ebe5e0132c0ba2d391570e9

            SHA256

            039670ca85824d4850e737a308aa8e628c83551a21711d549b17068fbdb2d9d9

            SHA512

            5b3218804054f0a3c24f3705c4902f333db0fc7b39aa81c2b71fefa0bc7d2a2ded14a13ab01ef3627889ff167ee7f565401ad0e5b5c9697d40f14f67228b9807

            Download Submit

          • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
            Filesize

            1.0MB

            MD5

            4b30dbe1a79b2b7572ff637cb3765ced

            SHA1

            b08eba0e9bdb62d426db8d2b3d451152a56f79a1

            SHA256

            4208bdf90e97398a452d459d89562bda361bc6e911a385c4e31481a776f69e6d

            SHA512

            40e99c4a9d160a734a1675d75209dd88c7389c95cf0d0b6101f7e9edb2f3ebfe85e7170f0f4bae8a2e9533048bd5ecd414797b02ef257aecd90431f0c29ccfce

            Download Submit

          • memory/332-175-0x00000000029A0000-0x0000000003A2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/332-151-0x0000000000480000-0x00000000004E3000-memory.dmp

            Filesize

            396KB

            Download

          • memory/332-170-0x00000000029A0000-0x0000000003A2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/332-172-0x00000000029A0000-0x0000000003A2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/332-138-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

            Download

          • memory/332-204-0x00000000003A0000-0x00000000003A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/332-173-0x00000000029A0000-0x0000000003A2E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1040-61-0x0000000002010000-0x0000000002012000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1968-166-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-25-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-165-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

            Download

          • memory/1968-159-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1968-112-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1968-137-0x0000000005530000-0x00000000055A4000-memory.dmp

            Filesize

            464KB

            Download

          • memory/1968-136-0x0000000005530000-0x00000000055A4000-memory.dmp

            Filesize

            464KB

            Download

          • memory/1968-34-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-24-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-8-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-77-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1968-0-0x0000000000400000-0x0000000000474000-memory.dmp

            Filesize

            464KB

            Download

          • memory/1968-23-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-20-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-26-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-29-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-19-0x0000000001EB0000-0x0000000002F3E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1968-74-0x0000000000380000-0x0000000000382000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1968-75-0x00000000003D0000-0x00000000003D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2364-127-0x0000000000020000-0x0000000000022000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2364-83-0x0000000000030000-0x0000000000031000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2364-128-0x0000000000020000-0x0000000000022000-memory.dmp

            Filesize

            8KB

            Download