Analysis Overview
SHA256
26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b
Threat Level: Known bad
The file ac73a098fc0087786195da49233085df was found to be: Known bad.
Malicious Activity Summary
Sality
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-28 17:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 17:30
Reported
2024-02-28 17:33
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2040 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2040 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2040 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe
"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 120
Network
Files
memory/2040-0-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 17:30
Reported
2024-02-28 17:33
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Sality
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sss2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
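The static signatures "Unsigned PE" (from the static1 analysis) and "UPX packed file" (above) can both be reproduced offline from the PE headers alone: the first by reading the Security data directory (index 4), which is empty when no Authenticode blob is attached, the second by looking at the section names, which stock UPX leaves as UPX0/UPX1. The Python below is an added example, not code from the report or the sandbox. Because no bytes of the sample are reproduced on the page, build_pe constructs minimal headers as test input; the section names, the PE32+ variant and the security-directory offset and size it writes (0x2000, 0x800) are placeholders.

```python
import struct
from typing import Dict, List

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode (WIN_CERTIFICATE) directory


def build_pe(section_names: List[str], signed: bool, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header for testing (placeholder data, not a loadable image)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew -> PE signature
    opt_size = (112 if pe32plus else 96) + 16 * 8                   # fixed fields + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,   # Machine
                       len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)    # Magic (PE32+ / PE32)
    ndirs_off = 108 if pe32plus else 92                             # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, ndirs_off, 16)
    if signed:
        sec_off = ndirs_off + 4 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
        struct.pack_into("<II", opt, sec_off, 0x2000, 0x800)        # placeholder offset/size
    sections = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def inspect_pe(data: bytes) -> Dict[str, object]:
    """Read section names and the Security directory; no third-party PE library needed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        ndirs_off = 92
    elif magic == 0x20B:
        ndirs_off = 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_off, sec_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the Security directory the first field is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + ndirs_off + 4 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    table = opt + opt_size
    names = []
    for i in range(nsect):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "machine": machine,
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "has_authenticode": sec_size > 0,
        "security_dir": (sec_off, sec_size),
    }


if __name__ == "__main__":
    for label, blob in (("packed, unsigned", build_pe(["UPX0", "UPX1", ".rsrc"], signed=False)),
                        ("plain, signed", build_pe([".text", ".data"], signed=True, pe32plus=True))):
        print(label, inspect_pe(blob))
```

Two caveats a practitioner should keep in mind: a non-empty Security directory only means a certificate blob is attached, not that it verifies (that needs a PKCS#7 check such as signtool or Get-AuthenticodeSignature), and the UPX section names are a heuristic, since a packer can rename sections and a packed file is still packed with the names stripped.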
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sss2.exe | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sss2.exe | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | N/A |
| File created | C:\Windows\SysWOW64\sss2.exe | C:\Windows\SysWOW64\sss2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\sss2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe
"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"
C:\Windows\SysWOW64\sss2.exe
"C:\Windows\system32\sss2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\AC73A0~1.EXE > nul
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\sss2.exe > nul
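The process tree above shows the full sequence: the sample writes a copy of itself to C:\Windows\SysWOW64\sss2.exe, runs it, and each copy then spawns cmd.exe /C del ... > nul to remove an image from disk, the first using the 8.3 short name AC73A0~1.EXE for the original file. The Python below is an added example of turning those three behaviours into detection logic over process and file events; it is not code from the report or from any sandbox. The event records are constructed from the report: PID 1556 for the sample is taken from the memory-dump names, 1284 for sss2.exe is assumed from the same listing, and the PIDs of the cmd.exe children, the sample's parent (1000) and the benign notes.txt deletion are invented for the test.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# 8.3 short name such as AC73A0~1.EXE: up to 6 stem chars, tilde and number, optional 3-char extension
SHORT_NAME_RE = re.compile(r"^([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{0,3})?$")
# "cmd.exe /C del <path> > nul", allowing del switches and quotes around the path
DEL_RE = re.compile(r'/c\s+del\s+(?:/[a-z]\s+)*"?([^"<>|]+?)"?\s*(?:>\s*nul)?\s*$', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int
    action: str   # "created" / "modified"
    path: str


def same_path(a: str, b: str) -> bool:
    """Case-insensitive path comparison that also accepts an 8.3 short name for the last component."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    dir_a, name_a = ntpath.split(a)
    dir_b, name_b = ntpath.split(b)
    if dir_a != dir_b:
        return False
    for short, full in ((name_a, name_b), (name_b, name_a)):
        m = SHORT_NAME_RE.match(short.upper())
        if m:
            stem, ext = ntpath.splitext(full.upper())
            stem = re.sub(r"[^A-Z0-9_]", "", stem)   # approximation of Windows' short-name rules
            if stem.startswith(m.group(1)) and (m.group(2) or "") == ext[:4]:
                return True
    return False


def del_target(cmdline: str) -> Optional[str]:
    """Path being deleted by a 'cmd.exe /C del ...' command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def detect(procs: List[ProcEvent], files: List[FileEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the three behaviours seen in the report."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[Tuple[str, int, str]] = []
    dropped = set()
    # Rule 1: a process running from outside C:\Windows writes an executable into System32/SysWOW64
    for f in files:
        writer = by_pid.get(f.pid)
        path = f.path.lower()
        if (writer and path.startswith(SYSTEM_DIRS) and path.endswith((".exe", ".dll"))
                and not writer.image.lower().startswith("c:\\windows\\") and path not in dropped):
            dropped.add(path)
            findings.append(("drops_exe_in_system32", f.pid, f.path))
    # Rule 2: one of those dropped files is later executed
    for p in procs:
        if p.image.lower() in dropped:
            findings.append(("executes_dropped_exe", p.pid, p.image))
    # Rule 3: cmd.exe /C del whose target is its parent's own image (self-deletion once the parent exits)
    for p in procs:
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        target = del_target(p.cmdline)
        parent = by_pid.get(p.ppid)
        if target and parent and same_path(target, parent.image):
            findings.append(("self_delete_via_cmd", p.ppid, parent.image))
    return findings


# Constructed events modelled on the behavioral2 run; PIDs other than 1556 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"
PROC_EVENTS = [
    ProcEvent(1556, 1000, SAMPLE, '"%s"' % SAMPLE),
    ProcEvent(1284, 1556, r"C:\Windows\SysWOW64\sss2.exe", r'"C:\Windows\system32\sss2.exe"'),
    ProcEvent(2100, 1556, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\AC73A0~1.EXE > nul"),
    ProcEvent(2200, 1284, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\sss2.exe > nul"),
    ProcEvent(2300, 1000, r"C:\Windows\SysWOW64\cmd.exe",   # benign deletion, must not fire
              r"C:\Windows\system32\cmd.exe /C del C:\Users\Admin\Downloads\notes.txt > nul"),
]
FILE_EVENTS = [
    FileEvent(1556, "created", r"C:\Windows\SysWOW64\sss2.exe"),
    FileEvent(1556, "modified", r"C:\Windows\SysWOW64\sss2.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROC_EVENTS, FILE_EVENTS):
        print(rule, pid, detail)
```

The short-name handling is what makes the first self-deletion visible: matching the del target literally against the parent image would miss AC73A0~1.EXE, and a 32-bit process on a 64-bit host will also report C:\Windows\system32 in its command line while the redirected image lives under SysWOW64, which is why rule 3 compares the parent's recorded image path rather than the text of its own command line.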
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/1556-0-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Windows\SysWOW64\sss2.exe
| MD5 | ac73a098fc0087786195da49233085df |
| SHA1 | d3e97fa079bdee8db1b62dd9985328c77de8658f |
| SHA256 | 26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b |
| SHA512 | 8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218 |
memory/1556-1-0x00000000022E0000-0x0000000003313000-memory.dmp
memory/1284-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1556-7-0x0000000000400000-0x000000000041E000-memory.dmp