Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 18:03
General
-
Target
NEAS.81d6888de9ff514b570558b6ca717ce0.dll
-
Size
120KB
-
MD5
81d6888de9ff514b570558b6ca717ce0
-
SHA1
77ae2f1ff63597924c4737669a5864f9508b8e82
-
SHA256
62dc79bf443f3d610e36ded5830db5230061833969850651162a6a9524025411
-
SHA512
411f32ed00c9686d74897ecb3069daac7db60612c7cb65ad57382bcbfafff4770d35561a4771c296520be939149480cb4ddc754aaa748503281e756d80632e46
-
SSDEEP
3072:PpgN4qeyqNDGA6Sdr7soMYbp9bULfYvmNwt15Wj:Bg+7R7YLfYvbb5Wj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.81d6888de9ff514b570558b6ca717ce0.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.81d6888de9ff514b570558b6ca717ce0.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5774d2.exeC:\Users\Admin\AppData\Local\Temp\e5774d2.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e5779f3.exeC:\Users\Admin\AppData\Local\Temp\e5779f3.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e578ed2.exeC:\Users\Admin\AppData\Local\Temp\e578ed2.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
97KB
MD5a11468269f88b735ef97bcdb3675dca7
SHA1a591631ae309f6438200dba712ce414d9ca89560
SHA2569df1c40cf345746ae92a4eeea7b761d0fa88977d1a7918cb963cf4d9bdaa70d6
SHA512ffba24e02233a86c66dcfd05f204727fb4109f9257ebb401a052605e0896bbdec27952f1edc9610dfc0e238c6cc54c2327a8dac9c628e95dc7ba8661a2b089f6
-
Filesize
257B
MD557c0e8025d022aea04cc616e092b8db5
SHA175f676f73c0618381faf3aa96e5c542147e107d0
SHA256248c6942f175c0fb35d73081049b0448c9266893ebd4268c4993cb8a74ba07a2
SHA51244ef6bf8cbd4bc38b4de364afd2efd6ebd34de675d9ed8e39b18ee1fa99f1e008892996530c3661fdcc5b18671915151247f11591bff46801d7309f95a0b18fe
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB