Analysis
-
max time kernel
126s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
02-11-2023 16:53
General
-
Target
NEAS.fc34a99ffc6fe87f821aca721957a900.dll
-
Size
120KB
-
MD5
fc34a99ffc6fe87f821aca721957a900
-
SHA1
4381dec01f71e137b74a069fb1eb78c51ec748ae
-
SHA256
3423c91b299f12561a21a3a4366454f0b7b152c8d6a22001ea34b606719fe736
-
SHA512
abc97dfe9e0116c1ce1f38bf76f6e2fe0b306e1ebc5e627e79a577265591082675e1a3c47d7f25c33d47b8971e6baa70356746fbe0f6f16e30c62da3e8b016df
-
SSDEEP
3072:l1+G3m8VaaQuTFmC0ZsfWqhEZMmP20U3uTkiUFkLejNmOPQ:l1x39hTUxs1hEZMm1U3uAiUFkLej
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.fc34a99ffc6fe87f821aca721957a900.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.fc34a99ffc6fe87f821aca721957a900.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e581b82.exeC:\Users\Admin\AppData\Local\Temp\e581b82.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e5831d9.exeC:\Users\Admin\AppData\Local\Temp\e5831d9.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e58586c.exeC:\Users\Admin\AppData\Local\Temp\e58586c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
97KB
MD56fa5791c26a632d4a50b6249d4f7e3e7
SHA1ba24d533ba95d3187d9ba8210cd74fc562335c29
SHA256593c2c1fe43cc1de7d9cfa85918053df8eddba2d00f33198213743ec54bac18b
SHA51259b201f868f024c6ebe6857d92ae13796f3266f37881bb7afdd4b0d56933b396020b913590f6b1ececa78d8258dce9f4c3d2d023f6d59c2e44132a13c754dd9e
-
Filesize
257B
MD5985a114ebaf85414ac1b6f44eb7fa34e
SHA19aeb7c7d650cd593351dad6155cdae795467234d
SHA2565f14ffbe8a2cdae8010723771dd48187ff84162c5b80ef22ab60c4268ab46c6d
SHA5120b25b5e114cec25d5b6c897090eaae0f13146a8969b39d13c9ef7ee2bea0c5632b650696208d2a14be782c4bb3c6cd088684d4d9f57f3fe2cf20e8ae6d8b5ee8
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB