Overview

overview

10

Static

static

3

e555164691...bc.exe

windows7-x64

10

e555164691...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-12-2024 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e555164691b6b316c0e2f0c9295e6689fc706dca2f91a22cfd300eb9fa889bbc.exe

  • Size

    288KB

  • MD5

    2b49c7724c44a38cbb034222c06b4065

  • SHA1

    7610e59ecb6f05878352e36ac77605116568209f

  • SHA256

    e555164691b6b316c0e2f0c9295e6689fc706dca2f91a22cfd300eb9fa889bbc

  • SHA512

    f3cbde7b43caf5ac61983e752165b0674abf64aaa591a6184ac88aff43ff69bb39172eeec8f4dca8b0dc45ff209dc7447e29f55915c5af1f929f3e38ada8f62d

  • SSDEEP

    6144:UefmGwhmyO9ik96bDMe2mqVzNudSNbzag148eYj/axQ:UTGeE96P499hBW04oj/a+

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1056
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1084
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\e555164691b6b316c0e2f0c9295e6689fc706dca2f91a22cfd300eb9fa889bbc.exe
            "C:\Users\Admin\AppData\Local\Temp\e555164691b6b316c0e2f0c9295e6689fc706dca2f91a22cfd300eb9fa889bbc.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2496
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://qqgame.qq.com
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
                4⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2584
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1760

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            46f51d0f076620fa4a40d8c6880514fa

            SHA1

            8595bc3fcb947ca84cd46bef6e74df4addfe22ae

            SHA256

            6eef0ad136006f24b002f9774dc804a0b94b559f11a62a166ee64f09b7cfee4c

            SHA512

            d4e357f9423b2deb365ab87f9056b8135acdf302ada2b64526b6bd96cd49bd77764193811476d093b8c2ae7b9849cda353a765ac4fb385a7a69f61a2095a1079

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            9e804c3149656be48a364d816feabb9b

            SHA1

            c8ca6e8b76bf1b8d23fa4dbd48fda531593582d1

            SHA256

            621d1ecc6ff28dacce2893dff25e8fc288d2996ab83bdb4f44fd35f6286dc2a0

            SHA512

            105e182dfd7f3b7c313a93402e36e536049cc0fbe6baedfc3c431e62858a19bc41a3d378b3762b4c1b64a9a5cfe48e37a5b9ac420e6c0d4fac37ef34b17dca16

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            e7bc59582c48f0c56e958491cc2dcf59

            SHA1

            9574cc8f2d1449827c62c02332fc85a7480cfbd6

            SHA256

            6e8c23621e95783ebbb0f043997899ca033e988337c7a9ba58dca53f2c85577e

            SHA512

            ebd90dce296f2a89d57cce366b423423d117834720f94914f358e730c79ea7d5fe7b29c0908172f2d8f15f785077ca5993b5ebb98695798bcfe394e7afc1a78b

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            2bbed030dba7bfcc9c3acb222a5a7d27

            SHA1

            3e4a5013bc07e49399a4e345228d066401cb0d8a

            SHA256

            2dbad31bf1606b65f971bf79233b1b9b5639029c7860c90810972bfb0feedbd5

            SHA512

            a44ca167be924b48a5a541c2ef438db62776bc9d7d20799fcf3f0a4fd30b4c5721b83700d9dc6359c03bd7c477c00789aece5fadbeda77642578000ca13669f1

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            0fc15ffb1067b86e4a1b4e709d84d02e

            SHA1

            9875258b875baeeacae800f1ffac757188ec4e1c

            SHA256

            8225a1ef1e79a4b3efdab606f4d64830117ae596fac491655be9a72443b9cd46

            SHA512

            4841c6c574f92dd5728852b2543deede51a0764d33b211d21ce225aadf540f6aa6855175e4f56b33a41d06fb1350d4dee3fe42a2749ad45518159cb7e5148231

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            ee2b449fc99bbdb2b19d1e85d14d47ff

            SHA1

            9fc68d0e0827fa96c12e2d9403b86ebde8416477

            SHA256

            e898a0012799bb788a3186c1cf9bcb37590bc260e22c0309f24457cf48956628

            SHA512

            3926abf1da92320d7f05af8af61dbc2ff496435f5119a49e3fcb57efae3a3f492bfed1d94ac6ac7f41837f2edc75d1f18b1f61732bbf158662ab2241605820d8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            011ad22e21829fd55e186959b60ed2b3

            SHA1

            8c4a63237dcb8c44e3a38e40a39565d7f01876fc

            SHA256

            1def8284e269983aaf73645ae63bb6a00db68c4b90012d9098ab1bc0c34f8458

            SHA512

            449361ce247fa10f885ba82fc8da02c130831ac81fa28cac7032d61dc78a9610663d781a775624cfe720bb15ea06129f67be009c2e191ddb9253dab47baeca19

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            6d6dd62710b1dea6000e6b14961460ca

            SHA1

            b79a83514ea4dbaffdf077f6ede405eda5b40741

            SHA256

            9cf6ff6b1d31b6cd5ec898c6efbd6d1120eaf398376128ac0b9cf75384969737

            SHA512

            216dd0c47300ecbcbe4462d0669cba3c3d056e4259179d394fce9e4f7bdd90f0f24b4f58a2dd6aabe337e137d8fbb5e2a28ebf6c7cae2371d02fc9eddda63e8d

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            446251b0c2b9d4cdef30dc35467ba90f

            SHA1

            a34ae4a04d8c8f87155e622d9198887f3b621e10

            SHA256

            87d72f923e41e2a82b4572d61b5bf0724150559036dcb1923712ae6d570219f8

            SHA512

            4e5bb7502e88775a51325dbe1ef7dad28707dc4f6bb2ebb28ed93a4f6579cac67e1c7ab45c04669476d2f3e4cbce18d6c983a4ee8a3c1134454bcac959180752

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            3cc9013b98c1f1f41aee443dd6ba3cea

            SHA1

            4b2c5526e2620ebe4950369ce4601a11d11715c4

            SHA256

            2ee6a6f6e4211f95f280f9ec82566f5613da366749085837d7398adb87a034a7

            SHA512

            9032e21ccdf7807d3b33bcec94713f4b0f55bfa50011f8aec36d67a44b43302c2fa4f4def1a52b6818d0abd2144e4bde740853ffb158666daaffe7d63a2c4bc8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            7e3b3bcbad75b1228652a77ffb1a87aa

            SHA1

            5cf502a1df66653e7bb8f30da0d85856e3b8e8e3

            SHA256

            1b4c43258a269991bec8e95d5dde9ef5c234c5db7e5a7fe505540bc9bfacb433

            SHA512

            c5aa5bfebac39eea5e1f7beb463c53d762564efc80e4b83ca849d90d5db4af9e040e85fc7e7ce3673adcbe5497a9467940dc3c7eac11767695093062da7b432a

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            eedb9e75409089f8f464436383223f91

            SHA1

            5f33f48b0ae202c37b6a89a19ccf756caaa93433

            SHA256

            da392b30665adf6861a62396a5a8559277101bd83a3073a5e6d4012811207be1

            SHA512

            8c5692b95b16940f2a4b7ed45286ef31ac6b58eacf306c55f6f809e4c8ca809e7bb138ec2a5cef0e4aea6bc751dfe08266ec1f12eb65f342ee89cc28416f8d53

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            f27b1e128922a8e64c3df1c61ca8e3f2

            SHA1

            76a6ddd991f24e0272e2a4765b69c31c57111ad7

            SHA256

            8c2130cfc6eef33784bc9af2ad7ec9b960e934e7ca4cc867314c24c11bd390d5

            SHA512

            44b6396f6954fef00d239082df7a314b73dbce2bb161e0f618e31d2b9b228ed1e4fa38723eaeeefdcc9839ba91a5448b5b0adefd2d6603a64d8438d699255da8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            e6bc50ce5ebf9ccd69f73d8058b67734

            SHA1

            56ed8a23db87a7fd01d8ac57239a49378f7e5941

            SHA256

            b43a1b0eeffde5c3c7bf243c8da7328f445b5fb285da8dfb3c5c21a34e9d41b1

            SHA512

            5d481b0043744b25d60c7c9bcac4ad41c33134375788df8906bf639d7caf9e536c2b9b52558970bd0d0b5ad9873600a668a12ff162407abe21475dc22a81ee83

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            6fbdfbfded0873b0f382588468d82cf7

            SHA1

            71eff2efd03b01a4418bf1c6e34d81e4232d0465

            SHA256

            fdf69b6bd33b69c2eb7c3d6d6695012e781206e842a63c3f55bec706f9f8f4e6

            SHA512

            728118eafac1884e6d2e3b9133867621928cc5c7457789f56ea243178705b77eb6b8deda154fe987a2c01b92a10bbb747d82824cfc0e47b12ed7f6842b43e934

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            dbbe2f80eb34ccf4dbb41873038efb32

            SHA1

            d8b17cb9417c9107b339a28b4e7cbc9e64d85a88

            SHA256

            d27057f9458e5d631984fa26bff3c5205e27914b725f0c842c8fc3a99f98ddd6

            SHA512

            b6261fe44566ebacde3c31af8353652d938fc024ac91de44eec9c377f7139de833e3f276953f5816b3e699ca163d8782977e154f317cb7d2f0d1f4355d51a03e

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            a0b7f4e6ff812903d90e5624fb3f86db

            SHA1

            c7229ec4fe9f0c96b8b30d57291f843760350077

            SHA256

            cf79c88e8c36f4e5eb592e2467dcf421832d9703ebe835f3c8e3b4e856d55a5d

            SHA512

            f816e0363398210c17e8451211e8e2d36f39f837963f8ce06004286c8a8d28b00baca146468ef8095ba847446a1f22f1387dce648acd9a042f9cb2447f77548b

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            155e0de3764d843b7ddbabef34ac74b5

            SHA1

            1e8233ef48aa8adcc21fab7d0b47a222f582c324

            SHA256

            03194fe97605045ffaa68127855371dd728e923b12f8955de6669b523bc3c08b

            SHA512

            ff3269459e5fc35dc90a8df40b1d4c67e31a85331b0f7c0fb36613d624f6458d3e107883f399338b7e561791c1ee6f4d4e0391ac9f20ba80cc94c5d4ead7fd75

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            ec4a2b1240ce393e406e38de85503c1c

            SHA1

            8944d190e14d0153e2532a8b3ab0ee3285f2027d

            SHA256

            8c4cbd91fc80a9ee0ac61b74f0a59f07f55411ad1e1bd7f99a3b57dac210a9db

            SHA512

            c030f68888bc26c4f4fb9b60c91c950f5c9d19fb9179bcb63b7f5c2f3db7afaf3361f7809473ad628ec572e4ecdb3a5262e6e299922ef9c60c5f7b63c63d27f6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\CabD28B.tmp
            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TarD36B.tmp
            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

            Download Submit

          • memory/1056-12-0x00000000001D0000-0x00000000001D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2496-7-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-33-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2496-42-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2496-61-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-60-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2496-40-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-37-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-38-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-36-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-35-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-34-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-8-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-32-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2496-41-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-11-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-0-0x0000000000400000-0x000000000044A000-memory.dmp

            Filesize

            296KB

            Download

          • memory/2496-31-0x0000000000450000-0x0000000000451000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-22-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2496-10-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-23-0x0000000000450000-0x0000000000451000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-5-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-9-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-6-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-3-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-4-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2496-1-0x0000000001E50000-0x0000000002F0A000-memory.dmp

            Filesize

            16.7MB

            Download