Overview

overview

10

Static

static

3

NEAS.fb37b...30.dll

windows7-x64

10

NEAS.fb37b...30.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    76s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/10/2023, 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.fb37b6bb771d8698f682064eba2f4930.dll

  • Size

    120KB

  • MD5

    fb37b6bb771d8698f682064eba2f4930

  • SHA1

    47822368969059a3ef7157914f164b4af055557e

  • SHA256

    716a6b2012d5e7237c8a6fd353cbfe8555e94701c763b91bd823ec683fd08b32

  • SHA512

    1cc1d8f30dd1c3cf0cbc9d373356852bc1c8c6b5f22624d4bb4ac9c2af0d480f10c3fa65e789a98cec89380f5361a7d219361d7fc4b9180773e424931c58c746

  • SSDEEP

    1536:POzqnhwyDaR1ptBy4RvWpvY9pE6rXEAF86vYA57XTlvKo0VsyTmEIPcj9k:Ps4hwHcSvWVAp5UAFx5tdisyTm3Pcj

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 2 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
      PID:388
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3960
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
        1⤵
          PID:4780
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
          1⤵
            PID:5372
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
            1⤵
              PID:4040
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:5088
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:4124
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:4048
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:3888
                    • C:\Windows\system32\DllHost.exe
                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                      1⤵
                        PID:3672
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                        1⤵
                          PID:3436
                        • C:\Windows\system32\rundll32.exe
                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.fb37b6bb771d8698f682064eba2f4930.dll,#1
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4004
                          • C:\Windows\SysWOW64\rundll32.exe
                            rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.fb37b6bb771d8698f682064eba2f4930.dll,#1
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5512
                            • C:\Users\Admin\AppData\Local\Temp\e58c157.exe
                              C:\Users\Admin\AppData\Local\Temp\e58c157.exe
                              3⤵
                              • Modifies firewall policy service
                              • UAC bypass
                              • Windows security bypass
                              • Executes dropped EXE
                              • Windows security modification
                              • Checks whether UAC is enabled
                              • Drops file in Windows directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:4664
                            • C:\Users\Admin\AppData\Local\Temp\e58fc0e.exe
                              C:\Users\Admin\AppData\Local\Temp\e58fc0e.exe
                              3⤵
                              • Executes dropped EXE
                              PID:1852
                        • C:\Windows\Explorer.EXE
                          C:\Windows\Explorer.EXE
                          1⤵
                            PID:3236
                          • C:\Windows\system32\taskhostw.exe
                            taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                            1⤵
                              PID:2460
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                              1⤵
                                PID:2380
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                1⤵
                                  PID:2344
                                • C:\Windows\system32\fontdrvhost.exe
                                  "fontdrvhost.exe"
                                  1⤵
                                    PID:796
                                  • C:\Windows\system32\fontdrvhost.exe
                                    "fontdrvhost.exe"
                                    1⤵
                                      PID:788
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:4536

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\e58c157.exe
                                        Filesize

                                        97KB

                                        MD5

                                        2b7e805abacc5046c7c2aef26b0a34ac

                                        SHA1

                                        8b521ced6596edf7c09c81f40248b5f0524bfed0

                                        SHA256

                                        b0dcb3f6d64810d6e577fa69dd8fe514de7422b8a30dd439fe83dbb1a78786c7

                                        SHA512

                                        03c65d0fe0d3ecadcdc545707d2378291ceb447944d5ebee0257a4edc49753cd64dc9c8e3e937aae88ad55e40c4431a7b1d094188f42a094c6fdbeb5337d033a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\e58c157.exe
                                        Filesize

                                        97KB

                                        MD5

                                        2b7e805abacc5046c7c2aef26b0a34ac

                                        SHA1

                                        8b521ced6596edf7c09c81f40248b5f0524bfed0

                                        SHA256

                                        b0dcb3f6d64810d6e577fa69dd8fe514de7422b8a30dd439fe83dbb1a78786c7

                                        SHA512

                                        03c65d0fe0d3ecadcdc545707d2378291ceb447944d5ebee0257a4edc49753cd64dc9c8e3e937aae88ad55e40c4431a7b1d094188f42a094c6fdbeb5337d033a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\e58fc0e.exe
                                        Filesize

                                        97KB

                                        MD5

                                        2b7e805abacc5046c7c2aef26b0a34ac

                                        SHA1

                                        8b521ced6596edf7c09c81f40248b5f0524bfed0

                                        SHA256

                                        b0dcb3f6d64810d6e577fa69dd8fe514de7422b8a30dd439fe83dbb1a78786c7

                                        SHA512

                                        03c65d0fe0d3ecadcdc545707d2378291ceb447944d5ebee0257a4edc49753cd64dc9c8e3e937aae88ad55e40c4431a7b1d094188f42a094c6fdbeb5337d033a

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\e58fc0e.exe
                                        Filesize

                                        97KB

                                        MD5

                                        2b7e805abacc5046c7c2aef26b0a34ac

                                        SHA1

                                        8b521ced6596edf7c09c81f40248b5f0524bfed0

                                        SHA256

                                        b0dcb3f6d64810d6e577fa69dd8fe514de7422b8a30dd439fe83dbb1a78786c7

                                        SHA512

                                        03c65d0fe0d3ecadcdc545707d2378291ceb447944d5ebee0257a4edc49753cd64dc9c8e3e937aae88ad55e40c4431a7b1d094188f42a094c6fdbeb5337d033a

                                        Download Submit

                                      • memory/4664-23-0x0000000003520000-0x0000000003522000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4664-21-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4664-9-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-10-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-11-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-13-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-8-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-40-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-14-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-35-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-37-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-36-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-24-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-6-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-25-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-4-0x0000000000400000-0x0000000000412000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/4664-31-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-33-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/4664-34-0x0000000000790000-0x000000000184A000-memory.dmp

                                        Filesize

                                        16.7MB

                                        Download

                                      • memory/5512-15-0x00000000006B0000-0x00000000006B2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/5512-18-0x00000000006B0000-0x00000000006B2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/5512-0-0x0000000010000000-0x0000000010020000-memory.dmp

                                        Filesize

                                        128KB

                                        Download

                                      • memory/5512-39-0x00000000006B0000-0x00000000006B2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/5512-17-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download