Analysis
-
max time kernel
153s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
04-11-2023 12:06
General
-
Target
NEAS.f1d3022082240f48b73e3e3d3b134720.dll
-
Size
120KB
-
MD5
f1d3022082240f48b73e3e3d3b134720
-
SHA1
dd144baccd8c78242d0ac594c99c3f64a25fcff0
-
SHA256
b3aaa4d82297fbd56e015c01bff60a9f8706fda2fe08bceeb462f13588ade4ef
-
SHA512
7e86f459386d087cfd72c1d86777f4bf533176c9e8248e8c1b0847b4bb3424f293e00c67fe2050be640cbd555eeafcb103227c458fcbf5b13fa9e8a3495ff043
-
SSDEEP
1536:IaWnc/C+Z66j4k/Dj54fLihewNPMH7yVYS5Md9HTZhYtke6IrZTPHtpP77eFzGM2:I+8k5gihe5GyS5INix6IJ11AaMby
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f1d3022082240f48b73e3e3d3b134720.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.f1d3022082240f48b73e3e3d3b134720.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57bf0a.exeC:\Users\Admin\AppData\Local\Temp\e57bf0a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e57c2a4.exeC:\Users\Admin\AppData\Local\Temp\e57c2a4.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e57cbeb.exeC:\Users\Admin\AppData\Local\Temp\e57cbeb.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e57e937.exeC:\Users\Admin\AppData\Local\Temp\e57e937.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
97KB
MD567cfdb2cac3c2662691d3c9bf002f127
SHA1018d4cf4b6c4667019e3e2a6d9516291fc502f7f
SHA25620f7c2733f484ac181c3603d3bbeb2dd0ab80ae45ac02f2968abfbc2065d7fce
SHA512302ae3a708744fabcb07cf66aff1955db2e26e1a9a2b6f439e2ef4e5cd9c0545b7ffc442a90afcab7271af7301a91fd3366e46fcbdceec23c7665b6cad0c25f2
-
Filesize
257B
MD589795601a8ed45ba9a6078407684fa12
SHA10b4c85efc3b970674fbf0bf1dc4b47ca0a0abdcc
SHA25619c0742ab29ee3949ff693574ed74881e34b92ae3d164e6ae883c0753d086127
SHA512941b7982fb103b01a39d4d273bcb447ae6595e7c7164c39b44ddf473f7790ad29fb7c07637bf7defba2e596979efd04f159c32647099d54cf71796ac5c6408ea
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB