Analysis
-
max time kernel
127s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
04/11/2023, 14:30
General
-
Target
NEAS.645da147f59a5e503ae8522358afe7b0.dll
-
Size
120KB
-
MD5
645da147f59a5e503ae8522358afe7b0
-
SHA1
a4d6da358c5285ea052e0cc6814afb1de6c6a48a
-
SHA256
037f0188662c0c48c70c69243393446fd89ad3f3a8d4a7a696467709290e3ec7
-
SHA512
73b1f0dd5dfbd48740a026ccf5c99ca1eb82745b37a45a6a3a20174be88a7ff8cf0955722ecb08739293ac79f3c24f7bfa5402c3affa64716386093da977b35c
-
SSDEEP
1536:RYBmlO4qF5ZiHCLPGOlFrhIlwlERsluK7gL+2i8YXYOFIxJbIbu2baJE1h:RYBmI4qF5cOj71Ik5lxU+2MebWFV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.645da147f59a5e503ae8522358afe7b0.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.645da147f59a5e503ae8522358afe7b0.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e579e34.exeC:\Users\Admin\AppData\Local\Temp\e579e34.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\e57a160.exeC:\Users\Admin\AppData\Local\Temp\e57a160.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\e57ccc6.exeC:\Users\Admin\AppData\Local\Temp\e57ccc6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
97KB
MD500ca852d09b1bd2e1dc09ad99cc38495
SHA1d3ef59f31b7eb4b30ff8a32b56ecedccd19d12ce
SHA2568c822c8fc2403ec774f8113b1a4b0c35357d66a3f9ff546991cb0b75a05144ff
SHA512ebf45e1937159870aa87cd14c40cff7fa743030741c63a67359e8d99b403599e4a0bff837e4c6037531af2f9c8b2c6a9c430a895b8624c79f75d15ab5aa02680
-
Filesize
257B
MD5fcb18703b0236a84ba4a7dfb3f79a83a
SHA1adbf3fd0ede4c142b481424878dff6f4010a9229
SHA25697e6cae9638727c24731e66e2460e88fe0cb6bb44a3e8c18a020fa057f897fda
SHA5121a349ff444964420e332b052af216f3ca711569da23b3f8b74cf34956fd11496362105e8de44896308653bd6bae59bbf1cfee75a492a38165a2b1e8a1924bf5b
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB