Analysis
-
max time kernel
93s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 03:40
General
-
Target
dd5e257eb0a796b74a3ec84cd250dd0694aca08e252fec0a49893903ebef8f15.dll
-
Size
120KB
-
MD5
ac26e789ad86af5c6a48e41673001456
-
SHA1
51f4e8a19b0da8f3c02ac5e7b2ef8987b1920159
-
SHA256
dd5e257eb0a796b74a3ec84cd250dd0694aca08e252fec0a49893903ebef8f15
-
SHA512
aab4f4f44293801ac38ee1ec19f935a82a8aabc9ea6f94b6a19eba4f106fdc7c22fbc12d3a3146b47424adc1156c6dc300e8923f3b13c02733538bbf772d0eb2
-
SSDEEP
3072:AQqkEMw3paTP1BrRYaknDa9iYVbPepJIwo:AWXwwTP52wVynIT
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dd5e257eb0a796b74a3ec84cd250dd0694aca08e252fec0a49893903ebef8f15.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dd5e257eb0a796b74a3ec84cd250dd0694aca08e252fec0a49893903ebef8f15.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573180.exeC:\Users\Admin\AppData\Local\Temp\e573180.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5733f1.exeC:\Users\Admin\AppData\Local\Temp\e5733f1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e574cd8.exeC:\Users\Admin\AppData\Local\Temp\e574cd8.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e574cf7.exeC:\Users\Admin\AppData\Local\Temp\e574cf7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573180.exeFilesize
97KB
MD5ae86b27ede346abe5560d6958adfdc99
SHA16750a6cf4e62f3ba02004694471c9dc192494ee3
SHA256c9f3e7bf77e283a87e6ffd2c355c4a6e14346d15850318d4671c89f94bc81dcd
SHA5124c3033d1fc124b3ebbaf29f73b9adbc6076873c6ecaa7c3017653befcff6b9a523e86ba71f462c0cda16b6e3b4049cf20ef22f254b3a4549d8bd0c13d294521f
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5a5fd2c55988028957e7017b660bcdfa7
SHA125ef72731f8dd969b98a02339fab20158e5f78e0
SHA25630becdcf2cfd0ceeed09b9eb376be3c0080ea26502a3d95cee910d1fc72cca15
SHA512d782f6c20272db9541194f99505213cc514e4a7de14917fd2ee8b73fc2d0da843a7e1e5d740e855dc6eb82234f62d66c55d616b1db8e4e15e2f43d3121fe0cc8
-
memory/1580-76-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-73-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/1580-8-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-9-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-55-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1580-21-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/1580-110-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1580-18-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/1580-13-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-91-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-89-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-22-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-30-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-31-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-32-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-33-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-34-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-35-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-36-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-37-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-38-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-87-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-41-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-85-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-83-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-39-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-81-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-6-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-58-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-61-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-79-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-74-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/1580-56-0x0000000000850000-0x000000000190A000-memory.dmpFilesize
16.7MB
-
memory/3264-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3264-159-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3264-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3264-117-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/3264-71-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3264-160-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4232-68-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4232-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4232-113-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4232-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4232-24-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5544-14-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/5544-10-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/5544-11-0x00000000015F0000-0x00000000015F1000-memory.dmpFilesize
4KB
-
memory/5544-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/5544-12-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/5544-49-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/5780-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5780-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5780-67-0x0000000000460000-0x0000000000461000-memory.dmpFilesize
4KB
-
memory/5780-47-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB