Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
16-10-2023 18:16
General
-
Target
NEAS.2f8f1a7d2d83e031e1b653a62a202e40.dll
-
Size
120KB
-
MD5
2f8f1a7d2d83e031e1b653a62a202e40
-
SHA1
8855940cb1da20081eb0b27c16e29d90eda88e22
-
SHA256
6bfba7218643035346ae2a325fb285991834ad23fae33848dcdf0155b50b855c
-
SHA512
cdaa186964ba1d10854526bd908d7ada91cb2826951c7551bffd8ccc660371e423386142712dcfd120dca5ec757b61ea7f15e9960bd47b48ee66e52ee97cc751
-
SSDEEP
3072:qCtZJqnslK4xUT6/zTONON3Rvo4MB7SDVI+qlcG1d:7au/zT7Nhvo4MtSDVI+GH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2f8f1a7d2d83e031e1b653a62a202e40.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2f8f1a7d2d83e031e1b653a62a202e40.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e576e89.exeC:\Users\Admin\AppData\Local\Temp\e576e89.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e5774f1.exeC:\Users\Admin\AppData\Local\Temp\e5774f1.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e5785d9.exeC:\Users\Admin\AppData\Local\Temp\e5785d9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
97KB
MD5ce9b93548dd566470f82b741c87d2220
SHA1e21792535f4a9cd9e87677352649f53b6f88790e
SHA2563e542d9c025dd9e325fb88ddcda6b90bf96bf18d1b6f48af069558159e32c1be
SHA51253bfe96e16c029bd54859f8935e9788cabf103220cb71ee5c1ca22245bf481fca2dc62cab93bc7368e6c43d228799a613d5627c5b9ffb173a31923ae7f0d9ebf
-
Filesize
257B
MD57ab86b8ebeb93ce3b77f021a59392bf0
SHA121f214ff2eb9f0c2c50979490b6aa9c012772849
SHA256cb32f4fd3303d8305f29c72bccf58a57534900638ab9b48a645f6e3fd097d615
SHA512a49a8739346e05ce3eeb9172e140a7bb32e8a61ae6ea3aaa8e66b1f3470efb68309129bcf0112036733977c00d544a558d2e51803f4c224655d326fd042dba1c
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB