Analysis
-
max time kernel
136s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
22-10-2023 13:13
General
-
Target
NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll
-
Size
120KB
-
MD5
3fbd7d4a57a164798b4857d39330d940
-
SHA1
6f93225454af95ea94f33f197e101e93073753dd
-
SHA256
29ac6dc66bd7d3ff4f449a80662bb2547c793b67277ae69e6f51289ef3d6476d
-
SHA512
1939c359e443ba2bc372da354e6e4371552507e184c629504d728be95b404706d50e6322dd02f2cad32bd0aafb0f96128b73d761fac377c3c1de38fda5311aba
-
SSDEEP
3072:kjkQQ4OKihJ0im5wj1WkoJwtiVEkRqDT:kjNpXimuj1WkzwFAX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.3fbd7d4a57a164798b4857d39330d940_JC.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57db8b.exeC:\Users\Admin\AppData\Local\Temp\e57db8b.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e57e0ea.exeC:\Users\Admin\AppData\Local\Temp\e57e0ea.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e57fc90.exeC:\Users\Admin\AppData\Local\Temp\e57fc90.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\BackgroundTaskHost.exe"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
97KB
MD5793d8ea692e2cad142347768649a6ffc
SHA11298079032fdf2798957ff02f4ce997bde6ba551
SHA2560d1176608469c57f906195f093c645df08dac2a56b36a38a24fc767c710e65e7
SHA512094d1fcc4a890ecfeaf418be3f6e00b5a3b3e9d3ddf136eadb23af61be9e599d7a79bdb786839db37908bbcc028438f95dea243607324c4ba04b4c43dde1b18a
-
Filesize
257B
MD59f5e1d5db0f153196ccb8494af7d773c
SHA1e613566fec785a84edf96f33be7c535cecd7a7f5
SHA256b2999ac694835fb4382ef7e43738342149b9817682646a1a50528611bba7e82f
SHA5125c57a1d0535e74d2b666a082507be5de559dcc4b80b8e6a756fd50947f55adf0c6e80060e0374665f2a84adfcb161ebbac0f3eecda585e2cb11a7e48663b82e9
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB