Overview

overview

10

Static

static

3

00002475ff...5f.exe

windows7-x64

10

00002475ff...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2025 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe

  • Size

    464KB

  • MD5

    59b5e5a7547053f923963a56a8b7bdbf

  • SHA1

    4c3ce8f1d16639b82b3556c3f3665d83949415d2

  • SHA256

    00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f

  • SHA512

    f43c79e0335b418f0ca88ede9ccd9fcf3f25737cb34e3c56be6fd17ccde9da805f240063d1030079f68d3f8d2f302fc213055453803004f55fa7a0dc14a7d4f4

  • SSDEEP

    6144:5afsiuvAQ+tTm6cyERSiytj71cwE4jKS6vlxQqyRqpYNLA:uCvAQ+q6ctRt636wfjOHm1c

Score
10/10
salitybackdoordefense_evasiondiscoverypersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    defense_evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    defense_evasiontrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1212
          • C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe
            "C:\Users\Admin\AppData\Local\Temp\00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2348
            • C:\Program Files (x86)\win\msn.exe
              "C:\Program Files (x86)\win\msn.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Deletes itself
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2548
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:792

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            54056a44671edb195aaf091aa5572caa

            SHA1

            b8407afae6a55ce71cc0f94bc6fbe634e8849164

            SHA256

            deb2aec1001e0138eeb8d5dbaa6f2e0c32896314b279e5f275352b168313f56b

            SHA512

            cd819c934c9638ed2610a2085a4537cf5da20a26babc579ebb1da82fbfa2a1aadc2ab560d89fec998f36624296b046b4ddfe85b91e43553a1a7de5724eb869c1

            Download Submit

          • C:\dgnan.exe
            Filesize

            100KB

            MD5

            fa7a846494e0e0ab3b5c8d91554c6e75

            SHA1

            dc8d63292849dbf130d115fdf400db921a98f075

            SHA256

            78b959cc26e816bf8c52748cdbc31196ddff6a5271c4c83ea52288fbbf221969

            SHA512

            1dbfd75f838d876cad9421ab451e3df21721693537995db3b1e89add2c9707e860735deecef1e73b3ef80bea528d4499b29083e8610e0f74c0da77df3b4542cb

            Download Submit

          • \Program Files (x86)\win\msn.exe
            Filesize

            464KB

            MD5

            59b5e5a7547053f923963a56a8b7bdbf

            SHA1

            4c3ce8f1d16639b82b3556c3f3665d83949415d2

            SHA256

            00002475ff8f62ef167ae0ca564bc206e1dcb1549fc14fae5c35fb65b66fd35f

            SHA512

            f43c79e0335b418f0ca88ede9ccd9fcf3f25737cb34e3c56be6fd17ccde9da805f240063d1030079f68d3f8d2f302fc213055453803004f55fa7a0dc14a7d4f4

            Download Submit

          • memory/1108-12-0x0000000001F10000-0x0000000001F12000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-32-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-24-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-8-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-34-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-10-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-38-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-23-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-37-0x0000000000400000-0x00000000004E4000-memory.dmp

            Filesize

            912KB

            Download

          • memory/2348-22-0x00000000007B0000-0x00000000007B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-20-0x00000000007B0000-0x00000000007B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-19-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-6-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-25-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-26-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-27-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-29-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-28-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-31-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-0-0x0000000000400000-0x00000000004E4000-memory.dmp

            Filesize

            912KB

            Download

          • memory/2348-33-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-9-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-4-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-7-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-39-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-40-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-52-0x00000000007E0000-0x00000000007E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-51-0x00000000021D0000-0x00000000021D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-53-0x00000000007E0000-0x00000000007E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-5-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-77-0x0000000006C60000-0x0000000006D44000-memory.dmp

            Filesize

            912KB

            Download

          • memory/2348-88-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-11-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-3-0x0000000002430000-0x00000000034BE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2348-74-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-86-0x0000000000400000-0x00000000004E4000-memory.dmp

            Filesize

            912KB

            Download

          • memory/2548-115-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2548-116-0x00000000003F0000-0x00000000003F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2548-99-0x0000000000400000-0x00000000004E4000-memory.dmp

            Filesize

            912KB

            Download

          • memory/2548-127-0x0000000002180000-0x000000000320E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2548-100-0x0000000002180000-0x000000000320E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2548-226-0x0000000000400000-0x00000000004E4000-memory.dmp

            Filesize

            912KB

            Download