Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-05-2024 20:10
General
-
Target
0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll
-
Size
120KB
-
MD5
e22aa94b66415e28ab49b2f6c74a84a0
-
SHA1
0aa66de62267175fd2420de595ec57126a244120
-
SHA256
0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299
-
SHA512
e05385d82a243e3ad850613e72a9c6f307000186b2946ff95b12e70a9763294db6a89671b98bfd9badb4ae75295ce09fa18115782545c117dad52027475c8228
-
SSDEEP
1536:doCVj26w8QBel86/YxjMCkpdupT3+M3qSMzJARCn0lE4nKJCWqYUvOiaQx4NigQK:doUQU++YxjGwZuJARuK/nKJYYUd74rb
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0119edc4123b1b68c8c4a0c04e5468e95377ad200c594160a2c6abd3814c0299.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5752b4.exeC:\Users\Admin\AppData\Local\Temp\e5752b4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575469.exeC:\Users\Admin\AppData\Local\Temp\e575469.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e577995.exeC:\Users\Admin\AppData\Local\Temp\e577995.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5752b4.exeFilesize
97KB
MD50868f90eca2af1776005dc0e60ab3f51
SHA13eb3f0a291e8b905db63087429aa31f7b381732b
SHA256d012e4abb20435587cb4c63883b705b7533eeca7911d03583c673d63e3c740e7
SHA5126d4a90884e24fb7c2af1cca18baac556633d7c4425e7276439f714bd113a4edd9a9376d4bfb245f83ae887da716d497fe80160a453cfeeb9092db5bf61f8de69
-
C:\Windows\SYSTEM.INIFilesize
256B
MD59ecb7820e05fe7f10a2f1bb83c5bdc86
SHA19020b8cd06bf3d3430aa9ced71dd3b5bda30a1aa
SHA25654050cb562ffbc093687c1636c491e20f78e60cd72bc4d372337f30f1315dde9
SHA512f3ad61104265d5f757ba326c9f75e42c5774b4f94eed3ccc1e5950c1c8b242e18d2ec7e033f6e02eca8fdf1f68b78f7d1b7c9a91f9abbb671729a0cc7e8ff5f9
-
memory/1488-43-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-76-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-14-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-11-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-15-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-29-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1488-32-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-33-0x00000000004B0000-0x00000000004B2000-memory.dmpFilesize
8KB
-
memory/1488-12-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-19-0x00000000004C0000-0x00000000004C1000-memory.dmpFilesize
4KB
-
memory/1488-31-0x00000000004B0000-0x00000000004B2000-memory.dmpFilesize
8KB
-
memory/1488-9-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-10-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-95-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1488-85-0x00000000004B0000-0x00000000004B2000-memory.dmpFilesize
8KB
-
memory/1488-77-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-63-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-6-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-37-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-38-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-39-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-41-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-40-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-74-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-30-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-72-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-71-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-70-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-69-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-66-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-65-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-60-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/1488-61-0x00000000007A0000-0x000000000185A000-memory.dmpFilesize
16.7MB
-
memory/2052-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2052-99-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2052-53-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2052-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2052-58-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2812-111-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/2812-147-0x0000000000B40000-0x0000000001BFA000-memory.dmpFilesize
16.7MB
-
memory/2812-55-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2812-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2812-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2812-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2812-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4516-16-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/4516-20-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/4516-27-0x00000000015B0000-0x00000000015B2000-memory.dmpFilesize
8KB
-
memory/4516-28-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4516-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB