Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/02/2025, 21:06 UTC

General

  • Target

    cf78454669b3801ab7b423bd6b2d3160d1e5a709ef032e1fdf5dc10e1e81f95aN.exe

  • Size

    1.3MB

  • MD5

    501b42ac4fb3b7a991fb1089c6fcccd0

  • SHA1

    2fcaeb545ee9ea8dd0a9e6be8e8b993bb5c62f80

  • SHA256

    cf78454669b3801ab7b423bd6b2d3160d1e5a709ef032e1fdf5dc10e1e81f95a

  • SHA512

    be734b95c78d21dc7ccbd35d5e4ff4db9aefc6ac354b83281ad9741dff47631b5894d3da8db1fae06b06d9024c266433be81550f72844bbc3687b329bf6e9755

  • SSDEEP

    12288:+TVUjD5NtsnF5e9euP+btSjlSoRUJDJ795+B7a2SoEWKtsm45S:+TutKFQhmbtSjIo+0BW1oE1tT45S

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:792
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    PID:796
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    PID:64
  • C:\Windows\system32\sihost.exe
    sihost.exe
    PID:2560
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:2584
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:2800
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:3544
    • C:\Users\Admin\AppData\Local\Temp\cf78454669b3801ab7b423bd6b2d3160d1e5a709ef032e1fdf5dc10e1e81f95aN.exe
      "C:\Users\Admin\AppData\Local\Temp\cf78454669b3801ab7b423bd6b2d3160d1e5a709ef032e1fdf5dc10e1e81f95aN.exe"
      PID:776
      Signatures triggered by this process:
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Loads dropped DLL
      • Windows security modification
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID:3664
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3852
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID:3944
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:4004
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID:4084
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:3048

Network

  • DNS g.bing.com (remote address 8.8.8.8:53)
    Request
      g.bing.com IN A
    Response
      g.bing.com IN CNAME g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net IN CNAME ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net IN A 150.171.28.10
      ax-0001.ax-msedge.net IN A 150.171.27.10
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= (remote address 150.171.28.10:443)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3146F881D7E1670F3807ED07D6C66623; domain=.bing.com; expires=Thu, 26-Feb-2026 21:06:54 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1968FEF4386F483EA751E2C872F25E4A Ref B: LON04EDGE0614 Ref C: 2025-02-01T21:06:54Z
      date: Sat, 01 Feb 2025 21:06:54 GMT
  • GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= (remote address 150.171.28.10:443)
    Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3146F881D7E1670F3807ED07D6C66623
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=Sgo1gHgD1H9YxzKCnUe6365A01qO1_2HMiECe07b6ww; domain=.bing.com; expires=Thu, 26-Feb-2026 21:06:54 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D680F1C1758847E2AD2DEB1D218B492C Ref B: LON04EDGE0614 Ref C: 2025-02-01T21:06:54Z
      date: Sat, 01 Feb 2025 21:06:54 GMT
  • GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= (remote address 150.171.28.10:443)
    Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3146F881D7E1670F3807ED07D6C66623; MSPTC=Sgo1gHgD1H9YxzKCnUe6365A01qO1_2HMiECe07b6ww
    Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AE5AD87EDB0A461388E5A7F80421E5A7 Ref B: LON04EDGE0614 Ref C: 2025-02-01T21:06:55Z
      date: Sat, 01 Feb 2025 21:06:54 GMT
  • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      8.8.8.8.in-addr.arpa IN PTR
    Response
      8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 134.130.81.91.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      134.130.81.91.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 3.31.126.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      3.31.126.40.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 167.173.78.104.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      167.173.78.104.in-addr.arpa IN PTR
    Response
      167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
  • DNS 57.169.31.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      57.169.31.20.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 197.87.175.4.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      197.87.175.4.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 241.42.69.40.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      241.42.69.40.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 85.49.80.91.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      85.49.80.91.in-addr.arpa IN PTR
    Response
      (no answer records)
  • DNS 48.229.111.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request
      48.229.111.52.in-addr.arpa IN PTR
    Response
      (no answer records)

Traffic summary (per connection: remote address, request, protocol, bytes sent, bytes received, packets sent, packets received)

  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    tls, http2; sent 2.0kB, received 9.4kB; 22 packets sent, 19 packets received
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=e5e8f81327654a018c11cf75b20d2103&localId=w:29A35C3D-9BC5-AEFB-2396-56CCD722C64D&deviceId=6755477840987139&anid=
    HTTP Response: 204
  • 8.8.8.8:53
    g.bing.com
    dns; sent 56 B, received 148 B; 1 packet sent, 1 packet received
    DNS Request: g.bing.com
    DNS Response: 150.171.28.10, 150.171.27.10
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns; sent 66 B, received 90 B; 1 packet sent, 1 packet received
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53
    134.130.81.91.in-addr.arpa
    dns; sent 72 B, received 147 B; 1 packet sent, 1 packet received
    DNS Request: 134.130.81.91.in-addr.arpa
  • 8.8.8.8:53
    3.31.126.40.in-addr.arpa
    dns; sent 70 B, received 156 B; 1 packet sent, 1 packet received
    DNS Request: 3.31.126.40.in-addr.arpa
  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns; sent 73 B, received 139 B; 1 packet sent, 1 packet received
    DNS Request: 167.173.78.104.in-addr.arpa
  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns; sent 71 B, received 157 B; 1 packet sent, 1 packet received
    DNS Request: 57.169.31.20.in-addr.arpa
  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns; sent 71 B, received 157 B; 1 packet sent, 1 packet received
    DNS Request: 197.87.175.4.in-addr.arpa
  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns; sent 71 B, received 145 B; 1 packet sent, 1 packet received
    DNS Request: 241.42.69.40.in-addr.arpa
  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns; sent 70 B, received 145 B; 1 packet sent, 1 packet received
    DNS Request: 85.49.80.91.in-addr.arpa
  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns; sent 72 B, received 158 B; 1 packet sent, 1 packet received
    DNS Request: 48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsz788C.tmp\System.dll
    Filesize: 22KB
    MD5: b361682fa5e6a1906e754cfa08aa8d90
    SHA1: c6701aee0c866565de1b7c1f81fd88da56b395d3
    SHA256: b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
    SHA512: 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

  Memory dumps of the sample process (PID 776):

  • memory/776-0-0x0000000000400000-0x000000000046C000-memory.dmp (Filesize 432KB)
  • memory/776-1-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-3-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-4-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-5-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-6-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-7-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-8-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-9-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-10-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-11-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-28-0x00000000023F0000-0x000000000347E000-memory.dmp (Filesize 16.6MB)
  • memory/776-29-0x0000000000400000-0x000000000046C000-memory.dmp (Filesize 432KB)
