Overview

overview

10

Static

static

3

f9d76688b4...6N.exe

windows7-x64

10

f9d76688b4...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9d76688b45a05c9210393cfd48a4c65981591177b64c7b921e267551c1e7b66N.exe

  • Size

    128KB

  • MD5

    7aa1a3c26b81c67bcd15e6453d7e9ed0

  • SHA1

    facec43ee5eccac060fdd434c7f1530621eb2f7e

  • SHA256

    f9d76688b45a05c9210393cfd48a4c65981591177b64c7b921e267551c1e7b66

  • SHA512

    d6e025886b43d5d203aa51d19bd20fc127d43bc7c35018639c9eaed47daeb26f360e6f51b8778b2c8ddd23754dcaea4a67b8cfc0c0152c81599281c0eaa1e8b4

  • SSDEEP

    1536:1Jf83W8W60IL26Ap8iJ9+pvI8B8FuuKk1p0AxQjKP3xNL+vljZuIkBbmFZ3Oz+Ua:1JCD548iJK+cDm0KNxkllFFxOFdc

Score
10/10
salitybackdoordiscoveryevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 5 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 35 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1100
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1152
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\f9d76688b45a05c9210393cfd48a4c65981591177b64c7b921e267551c1e7b66N.exe
            "C:\Users\Admin\AppData\Local\Temp\f9d76688b45a05c9210393cfd48a4c65981591177b64c7b921e267551c1e7b66N.exe"
            2⤵
            • Modifies WinLogon for persistence
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2800
            • C:\Windows\system\Fun.exe
              C:\Windows\system\Fun.exe
              3⤵
              • Modifies WinLogon for persistence
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Deletes itself
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in System32 directory
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1872
              • C:\Windows\SVIQ.EXE
                C:\Windows\SVIQ.EXE
                4⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:888
            • C:\Windows\dc.exe
              C:\Windows\dc.exe
              3⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2912
              • C:\Windows\system\Fun.exe
                C:\Windows\system\Fun.exe
                4⤵
                  PID:2172
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:784

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            4
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            7
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SVIQ.EXE
              Filesize

              128KB

              MD5

              7aa1a3c26b81c67bcd15e6453d7e9ed0

              SHA1

              facec43ee5eccac060fdd434c7f1530621eb2f7e

              SHA256

              f9d76688b45a05c9210393cfd48a4c65981591177b64c7b921e267551c1e7b66

              SHA512

              d6e025886b43d5d203aa51d19bd20fc127d43bc7c35018639c9eaed47daeb26f360e6f51b8778b2c8ddd23754dcaea4a67b8cfc0c0152c81599281c0eaa1e8b4

              Download Submit

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              2b2f27d81ed2cd984476b77024773fd7

              SHA1

              adc5fddb41c6d7a61f26da100c890ebafaca6d6e

              SHA256

              90d858709aa114111e826017092da13ca21e7627ddaf28c3f824a7e42c8e7237

              SHA512

              3dee76f58c59ac2ca613ea449e185b62a6e02ed4f0f130b97069c60b0926e65e058646a8c8efea152b9b9ea19364b72fd7814dba031c648ce6ae623bf18daa88

              Download Submit

            • C:\Windows\wininit.ini
              Filesize

              41B

              MD5

              e839977c0d22c9aa497b0b1d90d8a372

              SHA1

              b5048e501399138796b38f3d3666e1a88c397e83

              SHA256

              478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

              SHA512

              4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

              Download Submit

            • memory/888-281-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1100-32-0x0000000001F90000-0x0000000001F92000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1872-216-0x0000000004E40000-0x0000000005ECE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1872-153-0x0000000004E40000-0x0000000005ECE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1872-176-0x0000000000530000-0x0000000000531000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1872-158-0x0000000004E40000-0x0000000005ECE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1872-157-0x0000000004E40000-0x0000000005ECE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1872-159-0x0000000004E40000-0x0000000005ECE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1872-87-0x0000000000390000-0x00000000003B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1872-88-0x0000000000390000-0x00000000003B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1872-57-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-56-0x0000000005C80000-0x0000000005CA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-128-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-30-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-5-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-31-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-41-0x0000000002630000-0x0000000002631000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2800-0-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-44-0x0000000002560000-0x0000000002562000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2800-45-0x0000000002560000-0x0000000002562000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2800-43-0x0000000002630000-0x0000000002631000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2800-133-0x0000000005C80000-0x0000000005CA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-7-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-131-0x0000000005C80000-0x0000000005CA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-40-0x0000000002560000-0x0000000002562000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2800-54-0x0000000005C80000-0x0000000005CA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-135-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-134-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-138-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-149-0x0000000002560000-0x0000000002562000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2800-152-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2800-3-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-6-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-8-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-10-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-9-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-4-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2800-12-0x00000000026A0000-0x000000000372E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2912-132-0x0000000000400000-0x0000000000422000-memory.dmp

              Filesize

              136KB

              Download