Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
-
submitted
28-03-2024 17:12
General
-
Target
035cfcf0b17ae7fd0e83f40b5086ebdcb93e54f0b9cdc0a14cc8cba16851a64e.dll
-
Size
120KB
-
MD5
fe874efb6df7b1c2e86b2d3b40ea9559
-
SHA1
b7767631bd1d0b7fa8635b1b3723ea7fc7966d41
-
SHA256
035cfcf0b17ae7fd0e83f40b5086ebdcb93e54f0b9cdc0a14cc8cba16851a64e
-
SHA512
799915b2b11b5397d1614a43e170e0a3f7d493adead0a7cc83c018486c5fe5ce1d8c3959eba0751e56f7554a61e8eee1fb7747fc7164b932e1987b67ebcafd96
-
SSDEEP
1536:CiZZYOE2Q0WVBx1pBrzkZ06/4mWFF6EpnNVpEQkHSQz+3YHfPJcTTz:CiIOEp3/kZ06AmWFF68NVpVqi3afiT
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\035cfcf0b17ae7fd0e83f40b5086ebdcb93e54f0b9cdc0a14cc8cba16851a64e.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\035cfcf0b17ae7fd0e83f40b5086ebdcb93e54f0b9cdc0a14cc8cba16851a64e.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57662c.exeC:\Users\Admin\AppData\Local\Temp\e57662c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e576a91.exeC:\Users\Admin\AppData\Local\Temp\e576a91.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e578a10.exeC:\Users\Admin\AppData\Local\Temp\e578a10.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e578afa.exeC:\Users\Admin\AppData\Local\Temp\e578afa.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.129 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.92 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffe26ac5fd8,0x7ffe26ac5fe4,0x7ffe26ac5ff02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2532 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3272 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3500 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5216 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5280 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3456 --field-trial-handle=2536,i,8161505972217706694,705854963991409854,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\wuapihost.exeC:\Windows\System32\wuapihost.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57662c.exeFilesize
97KB
MD59155964c47d877dd7b27aa93ee9ced66
SHA1ecc5091d9b48e78a221970e6c90d768e79de1418
SHA25627dc32f66bb2c30e49de94a25327de2fa919ebaf2e63c8a7736f6c32f8f94179
SHA512aedd7e8f9cb10aafdb36534bb85f68b4ab40cdc6b0b78c2a429c3befdedf49a562bc5dfd7125ca171c0c334f7f3b73ae48c4c66e0c4b7fc009e2b7f1a9f71bb1
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d284bb6a39ae5336f8133d38caaaf106
SHA1e08179906754122fde2ca6fdc76b849269a67ba0
SHA2560f2df4f3859c780e15ed5399012a9810da6698325891a1e81987d682f602c393
SHA5129c4c4798d2ea3e2974cc6a362eff4d09cd5635758a9e09583e3838dc3b9c9dfc4e98c2d81bc4f3d1fbe3160e70c7f36b3855c9564edd6ddab78728cfb04ad52d
-
memory/364-95-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/364-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/364-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/364-21-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/364-92-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/376-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/376-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/376-62-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/376-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/376-67-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2116-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2116-47-0x0000000001000000-0x0000000001002000-memory.dmpFilesize
8KB
-
memory/2116-12-0x0000000002970000-0x0000000002971000-memory.dmpFilesize
4KB
-
memory/2116-10-0x0000000001000000-0x0000000001002000-memory.dmpFilesize
8KB
-
memory/2116-14-0x0000000001000000-0x0000000001002000-memory.dmpFilesize
8KB
-
memory/3100-99-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3100-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3100-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3100-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3100-46-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3100-96-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3100-98-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3100-136-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3100-137-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3172-43-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-38-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-37-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-35-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-33-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-64-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-32-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-31-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-69-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-70-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-71-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-85-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3172-72-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-25-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-91-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3172-24-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-9-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-23-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/3172-11-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-20-0x0000000003BF0000-0x0000000003BF1000-memory.dmpFilesize
4KB
-
memory/3172-8-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-6-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/3172-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB