Analysis
-
max time kernel
94s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-03-2024 21:50
General
-
Target
a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll
-
Size
120KB
-
MD5
eec03e1997f379a4768ef7099d0e75d5
-
SHA1
06ecdb2a2a9f52fd69ac64d3d66115e158bf873b
-
SHA256
a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49
-
SHA512
08c21cfea32d78be99a5340627c11cd27fdd5a95ab9296f111272b35740f5e949528913931df4ce4efd2fc03f7f867930d3178928aa1d3d038fc1d88a71bf88b
-
SSDEEP
3072:nEdVHx0zCVf1A+xJ3O5rLXCJdmPzWO+M:nYwChxIEuz9
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
-
UPX dump on OEP (original entry point) 36 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e574391.exeC:\Users\Admin\AppData\Local\Temp\e574391.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574631.exeC:\Users\Admin\AppData\Local\Temp\e574631.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575f27.exeC:\Users\Admin\AppData\Local\Temp\e575f27.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575f46.exeC:\Users\Admin\AppData\Local\Temp\e575f46.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574391.exeFilesize
97KB
MD556b0dfc4786e7907e6a0e85e1bf5d5e6
SHA18bcaca893406d53ab2054dc60a0533c92615bec0
SHA2561e960b4b457a7c00d09768761a921b3b47ca8cba55d27dab2271c25cc9dc35e6
SHA5123319d07181b4a988b0f89141e6904dda545f0be0e8115edd7beca06cd5c69e468d47ac6bf41bb46733147296c611721c5858e4d57529f46a30dddbf348c729c7
-
memory/1092-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1092-120-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1092-115-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1092-67-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1092-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1712-123-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1712-74-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1712-71-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1712-54-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4056-27-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-61-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-30-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/4056-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4056-31-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-15-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-32-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-33-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-34-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-35-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-36-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-37-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-38-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-39-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-41-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-26-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/4056-6-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-8-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-55-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-56-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-58-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-113-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4056-92-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-10-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-72-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/4056-90-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-88-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-9-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-86-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-75-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-77-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-80-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-82-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4056-84-0x0000000000790000-0x000000000184A000-memory.dmpFilesize
16.7MB
-
memory/4304-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4304-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4304-114-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4304-28-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4824-11-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/4824-13-0x0000000004930000-0x0000000004931000-memory.dmpFilesize
4KB
-
memory/4824-52-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/4824-14-0x0000000004800000-0x0000000004802000-memory.dmpFilesize
8KB
-
memory/4824-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB