Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 22:45
General
-
Target
7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll
-
Size
120KB
-
MD5
fcbcf77150ca5112fce1b817a4a1b3db
-
SHA1
59afc16ed04e2a0227396e612af85108d67459e2
-
SHA256
7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc
-
SHA512
a982501966ff468566cbeee167902619dc9932f53d1c1a8c75359280cddbc48420bc3713e6595cfff2cbd9566ef17f1a91ce6b7f27222bf7e818ab8dde76a41c
-
SSDEEP
1536:mA2Q+04VpKsW/WgZg0E91pmVZ5+jEZSpjxyEKWRiNJLq1o8Kz1Oh:d2QsVpKjugZC7mB+Djxy8YJLqitzw
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5763fa.exeC:\Users\Admin\AppData\Local\Temp\e5763fa.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e576736.exeC:\Users\Admin\AppData\Local\Temp\e576736.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e577d7d.exeC:\Users\Admin\AppData\Local\Temp\e577d7d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5763fa.exeFilesize
97KB
MD53092b9c954315681ab20f856cf2d5169
SHA191e526ca4c868f94b1bfa6bc9c112a27eaf64513
SHA2564e40f2d2f3cf82aec8d199930ad3a7e6a6acba17e4980663ea88079f3e996f13
SHA51223ed51f2a0af5bd70d398113acbf2c80f21e67076ee5326fc08a82371051021ac0a125aeba655f928f9c1e06a84334113e4019f5243d4dd578bb5f82e473b049
-
C:\Windows\SYSTEM.INIFilesize
257B
MD58d5ab504645988442cbc0a5c29c18c83
SHA189b889df5f1685acaa116dd0fe0b5bfdc0caf63e
SHA2563056629db634ddf17c206bcf675e3c8590f2d2c0f0db8dc10b074ae7a327ea44
SHA5126838b6f7085d2d7b3c92b0dcecb25eee99c55c6dfcb826a2089567679110c2c5debe95e18d663b0f0173152518b0586744eb67f06f7a0551d5916803a60b1478
-
memory/1748-60-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-30-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-8-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1748-92-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1748-20-0x0000000001B00000-0x0000000001B01000-memory.dmpFilesize
4KB
-
memory/1748-70-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-22-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/1748-14-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-23-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-82-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/1748-9-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-46-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-56-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-31-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-32-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-34-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-35-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-36-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-37-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-67-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-6-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-29-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-48-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-65-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-63-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/1748-59-0x00000000007F0000-0x00000000018AA000-memory.dmpFilesize
16.7MB
-
memory/2644-10-0x00000000005C0000-0x00000000005C2000-memory.dmpFilesize
8KB
-
memory/2644-13-0x00000000005C0000-0x00000000005C2000-memory.dmpFilesize
8KB
-
memory/2644-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2644-12-0x0000000000C40000-0x0000000000C41000-memory.dmpFilesize
4KB
-
memory/2644-43-0x00000000005C0000-0x00000000005C2000-memory.dmpFilesize
8KB
-
memory/3524-54-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3524-53-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3524-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3524-127-0x0000000000BB0000-0x0000000001C6A000-memory.dmpFilesize
16.7MB
-
memory/3524-45-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3524-126-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3524-94-0x0000000000BB0000-0x0000000001C6A000-memory.dmpFilesize
16.7MB
-
memory/5056-50-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5056-91-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-88-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5056-21-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5056-51-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB