Analysis
-
max time kernel
175s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 08:21
General
-
Target
NEAS.ecca15057a3be4c5e61a99ac58ad9db0.dll
-
Size
120KB
-
MD5
ecca15057a3be4c5e61a99ac58ad9db0
-
SHA1
798d839952f7418de192501837dee63f28e7a315
-
SHA256
a6fe3ab46eaa6dc8ccbd699a12475445d9cf08b7fa96b3d8e5d466171dda74fc
-
SHA512
30ab16751a90d5c3a36b25e00d41d80bdf6c30976e6b3b289d331fc6f160ea18c5d31236074b0bc218932873d51f4705cf13d09264899cc023f2d0ec47f59eea
-
SSDEEP
1536:7qPSluvlYG6zhTHxZUirwGoVyJ8K9j43nKheLtNTcN+J/HqGQon34/QhAW:808kz1pPOm9aZLzTr9P3vhAW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ecca15057a3be4c5e61a99ac58ad9db0.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.ecca15057a3be4c5e61a99ac58ad9db0.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e582381.exeC:\Users\Admin\AppData\Local\Temp\e582381.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e583479.exeC:\Users\Admin\AppData\Local\Temp\e583479.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e583f27.exeC:\Users\Admin\AppData\Local\Temp\e583f27.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
97KB
MD5d4ff010163077e08b834a077e57e0e50
SHA14cd7df8ff382f43a4e922e16c8a3e9cae00406b6
SHA256ec072393c71d9f2286b2ac8e070c7a16eacce3efa09543a4135871a7918a199c
SHA5125aa46aa048a3df63bf762bb551247272d0215a4c6dce09fef2a6e30f0582f0ea6ed1273e7a90690695fe100a2e3b11b6394112ae54e75399aeb3ee6e9f55b3b5
-
Filesize
257B
MD548954f3b65598b7d52a1d74f9fe5a659
SHA1a9db1c1d71f881cdd6c751907971a0993f853d3c
SHA2560afdbf6cf215c6ddbe93b07bd6783cf9f39e987c0f0f18ac3fccb93e6aada3c0
SHA51210fcce7d8cdfad5cfcfb0a087fbfba19ba2559c822323bddf5f35f8f32e0b2a29bf32864b2b9a374bd78710570a7f59f47bb70c395b7759f1fa9550efac3aa72
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB