Analysis
-
max time kernel
91s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31-03-2024 23:18
General
-
Target
7fe8ef289ddbd7e28a821d348d599f34eb4fb63063002cdf3824d85790d3a43a.dll
-
Size
120KB
-
MD5
5ddc08d470587bb019ff32160f4ff91e
-
SHA1
3e7c865db11a4be94366f3610ee9941700c98143
-
SHA256
7fe8ef289ddbd7e28a821d348d599f34eb4fb63063002cdf3824d85790d3a43a
-
SHA512
f8e8f5582f56ee9af4d50e9e4ceb58067136453e52df66334393f9c411347a05aacc5596ed36cd656cac492d13b888db58f58d91b691bb8a33cd690b9e9fe8c5
-
SSDEEP
3072:3a84VMQBV7fJvoN1m5XcwUaWAUDi+/q6UifSNze2T:3FazV7f2N1uXJUaWAGiJu6pXT
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 32 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 32 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fe8ef289ddbd7e28a821d348d599f34eb4fb63063002cdf3824d85790d3a43a.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fe8ef289ddbd7e28a821d348d599f34eb4fb63063002cdf3824d85790d3a43a.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5746cd.exeC:\Users\Admin\AppData\Local\Temp\e5746cd.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5748ff.exeC:\Users\Admin\AppData\Local\Temp\e5748ff.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576234.exeC:\Users\Admin\AppData\Local\Temp\e576234.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576244.exeC:\Users\Admin\AppData\Local\Temp\e576244.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5746cd.exeFilesize
97KB
MD56acf5910191a42884f552af40af8a295
SHA1607a36af1a95524d26f65316b8f00f41c5de4611
SHA2569dee3b7c8d94e225d51d1df48627693e7b195a243f688f7ba546168a8b7a2b67
SHA512ecac43cab36dd0534fa295501317050c346488e5b40d6f17a52bca3ad645ca0515c8c1e7fdc02987d8cd61dc2c31acfc4e33b6bb4c0ff3d98dc6eceff60e7eee
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5555c06aa9a0936bd819a1ca552a8ba96
SHA13b109601a6900caa2920890998e501c5aa7d4f2b
SHA2568402508f11f4cb7deecad5957fc2aa099929a7ad2833ebaaeb3a09156ac3bf8a
SHA512d62ff3c32f539d2191fd4896b0d3030c5432e2d5ee5281768795abef515c94d6e0ebb29782e03c99fa457bf21270f1616089cb538a1361a7f6ea2dc999872bb9
-
memory/516-115-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/516-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/516-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/516-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/516-28-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/972-13-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/972-14-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/972-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/972-51-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/972-11-0x0000000001490000-0x0000000001492000-memory.dmpFilesize
8KB
-
memory/2740-55-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-66-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-18-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-31-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-29-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-32-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-33-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-34-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-35-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-36-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-37-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-38-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-39-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-41-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-30-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2740-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2740-54-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-19-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/2740-57-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-60-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-12-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-10-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-7-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-26-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2740-9-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2740-93-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-91-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-89-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-74-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2740-87-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-76-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-78-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-81-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-83-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2740-85-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3324-75-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3324-72-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3324-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3324-120-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3324-161-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/3324-162-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4312-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4312-67-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4312-68-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4312-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4312-160-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB