Malware Analysis Report

2025-08-05 19:38

Sample ID 240228-v3l5rshg96
Target ac73a098fc0087786195da49233085df
SHA256 26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b
Tags
sality backdoor upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b

Threat Level: Known bad

The file ac73a098fc0087786195da49233085df was found to be: Known bad.

Malicious Activity Summary

sality backdoor upx

Sality

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-28 17:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 17:30

Reported

2024-02-28 17:33

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe

"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 120

Network

N/A

Files

memory/2040-0-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 17:30

Reported

2024-02-28 17:33

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"

Signatures

Sality

backdoor sality

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sss2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sss2.exe C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe N/A
File opened for modification C:\Windows\SysWOW64\sss2.exe C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe N/A
File created C:\Windows\SysWOW64\sss2.exe C:\Windows\SysWOW64\sss2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\sss2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe

"C:\Users\Admin\AppData\Local\Temp\ac73a098fc0087786195da49233085df.exe"

C:\Windows\SysWOW64\sss2.exe

"C:\Windows\system32\sss2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\AC73A0~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C del C:\Windows\SysWOW64\sss2.exe > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/1556-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Windows\SysWOW64\sss2.exe

MD5 ac73a098fc0087786195da49233085df
SHA1 d3e97fa079bdee8db1b62dd9985328c77de8658f
SHA256 26a3e1ab7bb8e247aa5c111171cd2ef7bc5cef6eac57b8cd1892bb46e3ede61b
SHA512 8aad6af134c72f6166bf983b07994831e9b522d98cc3eff0d70c98ce476cb21d2c6e1d3320251bfcf399eb704eaf603c1342135eb1d01a089674f68b696b2218

memory/1556-1-0x00000000022E0000-0x0000000003313000-memory.dmp

memory/1284-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1556-7-0x0000000000400000-0x000000000041E000-memory.dmp