Analysis
-
max time kernel
114s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 13:51
General
-
Target
1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll
-
Size
120KB
-
MD5
e984711185b1f5371ac02d2ba7e761cc
-
SHA1
3c196bb531edf489de67ce22fc9d7d7d7cb47d23
-
SHA256
1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58
-
SHA512
ab95217fca0aa3bb1d84bc63a9d24a77930894fefd2c1324d574e9c713a6f8e83f3d7d69ec4f098e62702e217a25d94fc13d4552832ef9f23f28b08e28af0ff3
-
SSDEEP
1536:+L4g9SwL/zni6+vnOS/HyanPhCmS3sbwm0GAfjFh:+f9HL/7i6+mOHPnPhbz4Ge
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 31 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573642.exeC:\Users\Admin\AppData\Local\Temp\e573642.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5738e2.exeC:\Users\Admin\AppData\Local\Temp\e5738e2.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57518b.exeC:\Users\Admin\AppData\Local\Temp\e57518b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5751aa.exeC:\Users\Admin\AppData\Local\Temp\e5751aa.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573642.exeFilesize
97KB
MD5f7617bfc52a7e69c05e2fe31ce429986
SHA1a3d07d7e341998106cf4c3ceee22b8d9c55b6822
SHA256e568c9f3b559be7651bf22dfd8182a183fb379199fd03466d9e165f2d0f77167
SHA51277be46a0bd850ba94d4bcca5c63d8b7784e94154383d229c87423b3a499c67a0ec258f0476f3fd130f710fca68c6ce070414ae0b7f069fff230caf0304895fca
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5fff5e10aba709e5d840e16eb6ca48209
SHA1fc3b85a9284dc970fececc251ec47cec319aa6b5
SHA25625b7457979903aac84d7c719bfdafaffb9e0204eb4fa1d77f9cdb7e5a846a9b2
SHA512a113e603990b6e562e8e9f7f610d70689ca0bcb0ce2e2f4d96390a3c4cd1c4785b943911c3e5eb8402f2b319ceaa94112dc164673a9ba8e0ecfd5d14b821c90a
-
memory/1964-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1964-10-0x0000000001190000-0x0000000001192000-memory.dmpFilesize
8KB
-
memory/1964-13-0x0000000001190000-0x0000000001192000-memory.dmpFilesize
8KB
-
memory/1964-11-0x0000000001300000-0x0000000001301000-memory.dmpFilesize
4KB
-
memory/1964-48-0x0000000001190000-0x0000000001192000-memory.dmpFilesize
8KB
-
memory/2244-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2244-68-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2244-123-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2244-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4092-20-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4092-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4092-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4092-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4092-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4108-115-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4108-124-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4108-66-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4108-64-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4108-125-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4108-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4188-55-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-29-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/4188-41-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-38-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-37-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-54-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-36-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-57-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-58-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-35-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-34-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-33-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-32-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-31-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-70-0x00000000005B0000-0x00000000005B2000-memory.dmpFilesize
8KB
-
memory/4188-30-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-22-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-39-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-72-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-74-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-77-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-79-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-81-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-83-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-85-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-87-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-89-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4188-14-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-21-0x0000000001A80000-0x0000000001A81000-memory.dmpFilesize
4KB
-
memory/4188-9-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-8-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-6-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/4188-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB