Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 20:01
General
-
Target
392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll
-
Size
120KB
-
MD5
1f36085ce2c80a804bfd3cf99b4492a3
-
SHA1
740b3e28317ab6847e76af8b904a46696097d30e
-
SHA256
392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033
-
SHA512
c138bb562c02947701a623ffab767a681de8c9b5162442cb6e9e5888b01427ce2870050db2117614206e883ddde2743a4a10abef982c243a40b1f1e6d41a8179
-
SSDEEP
1536:wHILkvILFVLoYOFehsDQlx+j/t3msFyR2YkkxkpDVa9RSy3OUwb0OJNU7B6l3u:+xInL+FeG0lx+jpkR2xc4Q9PNwbAB6l
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs
-
UPX dump on OEP (original entry point) 36 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\392e90bcb098466f72058fac3413cd559641cbb4a72b9d2dde9867d7c0d12033.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573af6.exeC:\Users\Admin\AppData\Local\Temp\e573af6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e573cda.exeC:\Users\Admin\AppData\Local\Temp\e573cda.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57568c.exeC:\Users\Admin\AppData\Local\Temp\e57568c.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57569c.exeC:\Users\Admin\AppData\Local\Temp\e57569c.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573af6.exeFilesize
97KB
MD56a1ce240e4d8cf642b1c51db59b3a900
SHA149d911b68395bf55d83f8af03d9d2e2841545dfa
SHA25685cfb56e9ec5d79b7369ebea0ae8eada99a51084b40e86412e94aeba1254e7fa
SHA5125a38ac5c17ad6a35777bc859580c5f08bfe3d161c10d455ea34caabb26b5df2c757206ba571f8c4bf0c04686546ae86abc15bc433a9f2d4d99f0ee151293ab99
-
memory/228-20-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/228-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/228-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/228-118-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1160-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1160-50-0x0000000004330000-0x0000000004332000-memory.dmpFilesize
8KB
-
memory/1160-10-0x0000000004330000-0x0000000004332000-memory.dmpFilesize
8KB
-
memory/1160-14-0x0000000004330000-0x0000000004332000-memory.dmpFilesize
8KB
-
memory/1160-13-0x0000000004460000-0x0000000004461000-memory.dmpFilesize
4KB
-
memory/1536-119-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1536-66-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1536-68-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1536-67-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1536-46-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1536-124-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2088-70-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2088-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2088-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2088-129-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2088-128-0x0000000000B60000-0x0000000001C1A000-memory.dmpFilesize
16.7MB
-
memory/2088-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4928-54-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-22-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/4928-40-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-37-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-36-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-55-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-57-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-60-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-32-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-31-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-30-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-29-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-21-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-24-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/4928-38-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-72-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/4928-74-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-76-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-79-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-81-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-83-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-85-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-87-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-89-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-96-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-117-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4928-11-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-8-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/4928-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB