Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29-03-2024 04:48
General
-
Target
eeeed5074031c2b8158dcaaa40ce74ac033465f88e0253472e1b4c53faf0ccb8.dll
-
Size
120KB
-
MD5
13d6c220d44ebab27e6ae4113e24e32f
-
SHA1
532c5f52d83493dc6f25c1f42cdd7d9653927c2e
-
SHA256
eeeed5074031c2b8158dcaaa40ce74ac033465f88e0253472e1b4c53faf0ccb8
-
SHA512
98517c41a7914c6526799403c629f4a8f094fcb30fb07a1a113400b7bf6af1f8cedbdadfe5311c0d23f3658343e6e6a088c32f7540316c0f62b5de14e5218067
-
SSDEEP
3072:M/34QSJvMGI6QQG93SI9QHSg15imxg8uNa:M/3fivy6QtBd6SQgmi8J
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\eeeed5074031c2b8158dcaaa40ce74ac033465f88e0253472e1b4c53faf0ccb8.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\eeeed5074031c2b8158dcaaa40ce74ac033465f88e0253472e1b4c53faf0ccb8.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5750a0.exeC:\Users\Admin\AppData\Local\Temp\e5750a0.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575311.exeC:\Users\Admin\AppData\Local\Temp\e575311.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576c37.exeC:\Users\Admin\AppData\Local\Temp\e576c37.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5750a0.exeFilesize
97KB
MD54a09b32e13275a02d0ae4659909bb332
SHA1e965585d7956e603deccfabb1e788c72cbeba9e2
SHA2560fc28005d6dc5b4343d8cd3180543284dbc0ab142197fdfcdb24ca90cee550b8
SHA5120ccc48c950902ffff776dd709a6d0d6818e45e6cfb5e0e4bb15fbbb1b4fd889aedfd0fe806d4805fa57d74a6f0b7066d4c38e62eecde640df5b1ea7423064854
-
C:\Windows\SYSTEM.INIFilesize
256B
MD5d7c4ce75752d25738f1d85a07668b890
SHA11aec93313d7493d9ab8618dacdad8840e48a3826
SHA256f41229a82eb5e3fb56f665c83e4f098d33b890bba4a6758d532c30b88f0ed65e
SHA51261ab7860f533d4f58c42d2ac82bfc1df02362fd8b3098504c0605b2d489379f5af78f13055cad6e089b850fb2f085d3c63f9acf4ea455c95e1787ffa77ecab7a
-
memory/968-72-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-66-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-82-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-41-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-50-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-21-0x0000000001B00000-0x0000000001B01000-memory.dmpFilesize
4KB
-
memory/968-11-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-80-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/968-20-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-29-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/968-30-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-78-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-31-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-32-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-51-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-8-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-36-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-37-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-38-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-39-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-84-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-53-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-56-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-76-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-74-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-71-0x0000000001AF0000-0x0000000001AF2000-memory.dmpFilesize
8KB
-
memory/968-68-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/968-103-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2076-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2076-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2076-110-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/2076-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2076-149-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/2076-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3896-61-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3896-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3896-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3896-22-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3896-106-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4824-14-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/4824-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4824-10-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB
-
memory/4824-13-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/4824-47-0x0000000004630000-0x0000000004632000-memory.dmpFilesize
8KB