Analysis
-
max time kernel
136s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
17-05-2024 22:24
General
-
Target
6061b7413537dd71ab938e963bae0ef5f30809e8dc4026bc40fdcd4eaba1fddf.dll
-
Size
120KB
-
MD5
4f634d8ea8c3dc986b8b293af2133c0a
-
SHA1
66a684c5d8ee7212b0059a3f0b474da0a44b7616
-
SHA256
6061b7413537dd71ab938e963bae0ef5f30809e8dc4026bc40fdcd4eaba1fddf
-
SHA512
5fa1c48205866e8a23c088fd3f0038c4b76cbac7f7d79fa1ca013fcddccd20c4159e977e6e300dbc103383fccb85a97d6396bd0d02c9df1722f1066b31992802
-
SSDEEP
3072:mK3cxMsduMGkZor/1YHf1Ug7UB/Gl5RL:mKNiHerd8QYR
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 34 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6061b7413537dd71ab938e963bae0ef5f30809e8dc4026bc40fdcd4eaba1fddf.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6061b7413537dd71ab938e963bae0ef5f30809e8dc4026bc40fdcd4eaba1fddf.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573604.exeC:\Users\Admin\AppData\Local\Temp\e573604.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57375c.exeC:\Users\Admin\AppData\Local\Temp\e57375c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5751d9.exeC:\Users\Admin\AppData\Local\Temp\e5751d9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573604.exeFilesize
97KB
MD503965e39da19b33853081bcbde400b5b
SHA15dc883a6baac089c0310df2a6c777af57d0be48b
SHA256cee79a924c6ec1694e382f4a1bc2372ab0bdca973a39c8f2e855bc8dc56b709d
SHA512ab35756acb5bc253bb90c6db2e485e84e4f03ec1d4beefedf661bb8295c4c7f6f4e18de407bce09a6c43e9e2f719e123c6fb83b1c782471743b64c6a5269f2e3
-
C:\Windows\SYSTEM.INIFilesize
257B
MD51c6a56d6f7ae821172b2584ee7dc4b2e
SHA100f0d4368810cf2145118c8d5bef5c9a295f377f
SHA256fc33f44372fba31193c5ad2c74162a6e02ad08b1ec7cb2395c1664b01edefe31
SHA5120dccfe7634d843ff44177c51d92a9e2a58ef12d2c62fa3ebe3016d48138a452b3aa99589c37dbf0363801859978576a178e341d53edcef759cacfc6582cb25d0
-
memory/1900-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1900-21-0x0000000003DC0000-0x0000000003DC2000-memory.dmpFilesize
8KB
-
memory/1900-16-0x0000000003E50000-0x0000000003E51000-memory.dmpFilesize
4KB
-
memory/1900-15-0x0000000003DC0000-0x0000000003DC2000-memory.dmpFilesize
8KB
-
memory/1900-31-0x0000000000810000-0x0000000000824000-memory.dmpFilesize
80KB
-
memory/1900-47-0x0000000003DC0000-0x0000000003DC2000-memory.dmpFilesize
8KB
-
memory/1900-51-0x0000000000810000-0x0000000000824000-memory.dmpFilesize
80KB
-
memory/3680-63-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/3680-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3680-62-0x0000000000570000-0x0000000000571000-memory.dmpFilesize
4KB
-
memory/3680-65-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/3680-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4336-42-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-80-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-12-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-10-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-18-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/4336-20-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-19-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-8-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-36-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-37-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-38-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-39-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-40-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-30-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-43-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4336-13-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-24-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/4336-53-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-55-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-56-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-9-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-11-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-6-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-104-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4336-14-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-87-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-66-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-67-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-71-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-73-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-75-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-76-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-79-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-32-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/4336-82-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-81-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4336-93-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/5024-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5024-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5024-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/5024-116-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/5024-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/5024-134-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/5024-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB