Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 21:56
General
-
Target
66b4a416258d5716044c9cb47a9a09a7e1c3e25257aad9c0dc2f72087c8249e3.dll
-
Size
120KB
-
MD5
4265fc963c2a1f7e892a063cbdd73ea9
-
SHA1
51dd7a401878763dbe987f529ec42df767d3e300
-
SHA256
66b4a416258d5716044c9cb47a9a09a7e1c3e25257aad9c0dc2f72087c8249e3
-
SHA512
0790dbc1aea409b8874b0a0996e59a46c8549347cf89286270d5c8a40c76e2b51d6ea3b422a920b65327a29f3c89460f566c42e0eeb34d12ded746b242ab2a19
-
SSDEEP
3072:nX249HjoixzE5yjWFYPpoWFSPeXnwf4i:/9H06E5e8ZWFdwwi
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 27 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\66b4a416258d5716044c9cb47a9a09a7e1c3e25257aad9c0dc2f72087c8249e3.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\66b4a416258d5716044c9cb47a9a09a7e1c3e25257aad9c0dc2f72087c8249e3.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e58174c.exeC:\Users\Admin\AppData\Local\Temp\e58174c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e581d37.exeC:\Users\Admin\AppData\Local\Temp\e581d37.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5825a4.exeC:\Users\Admin\AppData\Local\Temp\e5825a4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e58271b.exeC:\Users\Admin\AppData\Local\Temp\e58271b.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ff980c42e98,0x7ff980c42ea4,0x7ff980c42eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3224 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3484 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5452 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e58174c.exeFilesize
97KB
MD523d8a11c655fe12a8df3ecfbcdfa3359
SHA1f3d85e099d59dfa61db7a0f9c8560cd961821d08
SHA2567bb6711a0f910c4f3aa7924aaf33bca03b248082741c0b4ac379cc44fe9555ae
SHA512980f93e81dfca1ef82bc685139974684c841d918f10b580c251fd1864579c7b30240f6c1136cb3eb558fc37b77f013fd2e8afbc8dcf999c82e5cfb2995c612a3
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5991d92b67ac659b7bcdf414749df5a94
SHA1889cdd7b2bfe7b88bb382bcfec4f4b31885f9a2c
SHA256a0795176d21bf4f7306f0f992714e7041959a1551833b90ecf793d3c9ebf7b8b
SHA512538f51bb75b4aa2b1d37b134c3fa42d4cc6dab85f9ad9f618a72738267a6411d56a987ccfb26a8d7d5a3e9b5eec802c662acfe48eb40bb49cf4f896f24913c82
-
memory/1216-51-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-74-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-8-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-54-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-52-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-10-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-18-0x0000000003BF0000-0x0000000003BF1000-memory.dmpFilesize
4KB
-
memory/1216-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1216-103-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1216-86-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-25-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1216-19-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-21-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1216-30-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-31-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-32-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-36-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-84-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/1216-83-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-81-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-50-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-79-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-76-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-55-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-56-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1216-72-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/1812-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1812-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1812-138-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1812-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1812-69-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4004-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4004-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4004-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4004-23-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4004-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4328-139-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4328-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4328-41-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4328-109-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/4328-140-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4328-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4652-11-0x0000000000F40000-0x0000000000F42000-memory.dmpFilesize
8KB
-
memory/4652-13-0x0000000003DD0000-0x0000000003DD1000-memory.dmpFilesize
4KB
-
memory/4652-45-0x0000000000F40000-0x0000000000F42000-memory.dmpFilesize
8KB
-
memory/4652-14-0x0000000000F40000-0x0000000000F42000-memory.dmpFilesize
8KB
-
memory/4652-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB