Overview

overview

10

Static

static

3

2025-02-01...er.exe

windows7-x64

10

2025-02-01...er.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2025 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-01_fe61638e689836d59ab380f80c603d7d_avoslocker_hijackloader_luca-stealer.exe

  • Size

    1.2MB

  • MD5

    fe61638e689836d59ab380f80c603d7d

  • SHA1

    8babe0bd685a639572e820b24a20cb2b047c8dd5

  • SHA256

    f20e5a0c0c57f149405c928698a0df25419d14ae4f22fe6fb8b14c5cd2abdbab

  • SHA512

    3f14ad266d3d668f3d118e08e9071802377dbd66fd4c6b8b865521b38ea8f8e7a668c5a98f76b801874dd2e6ef48f7391324c4cc72086465abbe99b3c357f9aa

  • SSDEEP

    24576:f39kAORJa1/6YXgwYcbrW+5/85RkVeWXgGH:1TIIrXgCm+5UfkVZXg4

Score
10/10
salitybackdoordefense_evasiondiscoverytrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    defense_evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    defense_evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Windows security modification 2 TTPs 7 IoCs
    defense_evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1212
          • C:\Users\Admin\AppData\Local\Temp\2025-02-01_fe61638e689836d59ab380f80c603d7d_avoslocker_hijackloader_luca-stealer.exe
            "C:\Users\Admin\AppData\Local\Temp\2025-02-01_fe61638e689836d59ab380f80c603d7d_avoslocker_hijackloader_luca-stealer.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1892
            • C:\Program Files\Java\jre7\bin\javaws.exe
              "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2256
              • C:\Program Files\Java\jre7\bin\jp2launcher.exe
                "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:2664
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1604

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-6e6ccde2
            Filesize

            12KB

            MD5

            f9e48186bd918afaf08544e709341184

            SHA1

            978f291344ab0d51dddcb661dbf05034073f15aa

            SHA256

            32ec1dd00faab8c0fbd489644fef40f70a509fbdb578e1b9854876f380572ca4

            SHA512

            f735a4d6dd3620a51c2e1454c2a105c83b76bf26b5f9f1df3ce79308b56c6a9789ed49e527eedbb1723714fffaac247b374f2f188dcdf53249fd65214e8dbb68

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
            Filesize

            685B

            MD5

            c36daf3348b8f19571f11e9b1c113dcc

            SHA1

            fdc130f6afbd66d1cd1e4a71d63f3a23c3341aad

            SHA256

            8f25bd88141fb1320f8652d95720aa6b43e40c89810cba01ef1f802a2fef6cbc

            SHA512

            3f665bc33885cbe26c4de44660c7b9ce031d5f3ee954293928f75184075fe924ce5d346fe9d7fc5d33a7879b9bc265099dff4e3b71e27b93a9629ca643fd5809

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jar_cache3073267874630455452.tmp
            Filesize

            12KB

            MD5

            f47403fc5f6534d1eb5e6a4088c86d84

            SHA1

            ed2116d28be10439a9f35145a21535ecfba196f5

            SHA256

            ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

            SHA512

            937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jusched.log
            Filesize

            3KB

            MD5

            7b75869331a2bca770be76de3a8c20e0

            SHA1

            19016345b241357cd851655c28c3764d61b99685

            SHA256

            116e9e9864df2d5bc426a6b246037de9e15911d547e390b6c28cf1bb05f21790

            SHA512

            6848e636676578362ca5a10ab97bacdc633a6c9ee598dfe762f86cf0c941708e218c1df0eef410a98e51c662772b879fcab1537b918f5ba3fe4f503b379faec2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jusched.log
            Filesize

            8KB

            MD5

            e90ffa3b58486aa9182336b0719c3c38

            SHA1

            6d2a188142f14856306b12d8b8a7594250607051

            SHA256

            b9be6013fb46d3dc418867faeee5a32463a704164e1850a8c4aff2dd98fb482b

            SHA512

            9e33387e212eb22b0ae0a817f3b6bfc1d8504f0f778c524cd4b8049a8f624135998b214845a649d39ef7a39ebb8cb4caf611fee379229726b7bec68e2e4ca855

            Download Submit

          • memory/1108-27-0x0000000000190000-0x0000000000192000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1892-36-0x00000000002C0000-0x00000000002C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1892-10-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-6-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-12-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-8-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-41-0x00000000002C0000-0x00000000002C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1892-39-0x00000000002D0000-0x00000000002D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1892-37-0x00000000002D0000-0x00000000002D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1892-0-0x0000000000DE0000-0x0000000000F1C000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1892-11-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-19-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-4-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-13-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-7-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-5-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-9-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-72-0x00000000002C0000-0x00000000002C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1892-75-0x0000000002320000-0x00000000033AE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1892-74-0x0000000000DE0000-0x0000000000F1C000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2664-78-0x00000000026F0000-0x0000000002960000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/2664-119-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-123-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-79-0x0000000000490000-0x000000000049A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2664-80-0x0000000000490000-0x000000000049A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2664-208-0x00000000026F0000-0x0000000002960000-memory.dmp

            Filesize

            2.4MB

            Download