Overview

overview

10

Static

static

3

NEAS.6220b...20.dll

windows7-x64

10

NEAS.6220b...20.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2023 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.6220be38a1004c55bd70c69ad5e88e20.dll

  • Size

    120KB

  • MD5

    6220be38a1004c55bd70c69ad5e88e20

  • SHA1

    f4d09b0cabc51d99779bd033a599e152d775613d

  • SHA256

    e9e933ad3317b741b2dd01c809f8deccace002cac9919092b5b9c898550f798f

  • SHA512

    dde68e7b594174b5b80524718cd0d3468128abb8925c9066c36cda090136ff25510e469d2e4f2e842d1878b918f88744b1e4e59a8f9555900ae7138cfcfa4b7c

  • SSDEEP

    1536:6dqTlv4+5EP82kTSvWD3Rv4fhXLkb8UCOmQiTp0Vy3V+EyttJ5aZJOor:yqTtzo82kBlv4fh7wjYWbEetJ5IoK

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.6220be38a1004c55bd70c69ad5e88e20.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.6220be38a1004c55bd70c69ad5e88e20.dll,#1
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\f769dd5.exe
        C:\Users\Admin\AppData\Local\Temp\f769dd5.exe
        3⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2312
      • C:\Users\Admin\AppData\Local\Temp\f76a4d7.exe
        C:\Users\Admin\AppData\Local\Temp\f76a4d7.exe
        3⤵
        • Executes dropped EXE
        PID:2592
      • C:\Users\Admin\AppData\Local\Temp\f76b339.exe
        C:\Users\Admin\AppData\Local\Temp\f76b339.exe
        3⤵
        • Executes dropped EXE
        PID:1232
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
      PID:1724
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1272
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:1192
        • C:\Windows\system32\taskhost.exe
          "taskhost.exe"
          1⤵
            PID:1136

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\f769dd5.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f769dd5.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f76a4d7.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\f76b339.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f769dd5.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f769dd5.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76a4d7.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76a4d7.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76b339.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76b339.exe
            Filesize

            97KB

            MD5

            8ed794ea1edca2d95efee402c77d0e76

            SHA1

            bdde552662d608c2c64a7f6a12bec42ab23ef5ea

            SHA256

            622b1044720ba44abaeaaa7bd375aec24494631f685bf7040c65671c3f2248b4

            SHA512

            448359226886f53edefcc70ea68c8b014c00a8b34872b47b945dc1e78aea05ba213669119a660d5f4bef0ff81275af141d7ab5e70416e853dec9e1be3c027e23

            Download Submit

          • memory/1136-17-0x0000000000410000-0x0000000000412000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1232-102-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1232-105-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1232-151-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1232-78-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2312-60-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-82-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-147-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2312-146-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-110-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2312-26-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-11-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2312-57-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2312-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2312-56-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-86-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-43-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-22-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-19-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-31-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-61-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-62-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-63-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-64-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-16-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-15-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-84-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-13-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-65-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-81-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2312-80-0x00000000006C0000-0x000000000177A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2348-12-0x00000000001B0000-0x00000000001C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2348-10-0x00000000001B0000-0x00000000001C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2348-32-0x0000000000270000-0x0000000000272000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-77-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-2-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2348-0-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2348-74-0x0000000000270000-0x0000000000272000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-33-0x0000000000280000-0x0000000000281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-35-0x0000000000270000-0x0000000000272000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2348-37-0x0000000000280000-0x0000000000281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2592-98-0x0000000000200000-0x0000000000201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2592-144-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2592-54-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2592-95-0x00000000001F0000-0x00000000001F2000-memory.dmp

            Filesize

            8KB

            Download