Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 20:08
General
-
Target
2e482382dcb8e830054af69085c1e5839f63fb560de909e6d5131a7b828615d4.dll
-
Size
120KB
-
MD5
cd50c58583c7d8be2f94159079993360
-
SHA1
2c3d98f9f5fad191a9aacd1226714f091ced6417
-
SHA256
2e482382dcb8e830054af69085c1e5839f63fb560de909e6d5131a7b828615d4
-
SHA512
a717658fe1c9b979f0b0a536d826b34ceefb711a085b1f9843444ac74082680bb67da4d5beeadaca78eb9513cbcf5d60a43e4204013e9ba383e0ad557d1acce4
-
SSDEEP
3072:0Kvdy8ncMrYoeZxGfQP3lULRULiM6lHh:02s8NMoeXGfQP3eLiKl
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 34 IoCs
-
UPX dump on OEP (original entry point) 38 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2e482382dcb8e830054af69085c1e5839f63fb560de909e6d5131a7b828615d4.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2e482382dcb8e830054af69085c1e5839f63fb560de909e6d5131a7b828615d4.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e573f99.exeC:\Users\Admin\AppData\Local\Temp\e573f99.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5740e1.exeC:\Users\Admin\AppData\Local\Temp\e5740e1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e575b4f.exeC:\Users\Admin\AppData\Local\Temp\e575b4f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e573f99.exeFilesize
97KB
MD5e57a953c244637f89bebaf70e5855fe3
SHA1455f809ae5ab3c6ee597ca858c39e51304b159a2
SHA2560d89fafccdd24d4a6248036323efbe2bb7d8718544dfa78b7986d224bf4f88b4
SHA512f09fe8b666958fa4f6d0c4b49eaa1e4a7a2ebde7ad1a2ec85a0c23355e28d03df5e789cabb263396732fe870afa745d5c3e856b82931375c96ff18781047e9a8
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ce2f86688b5191d798a82a3ac2f0d998
SHA1657b7d8b954798304225a5bd45b3e3765e07e922
SHA25602196976813800f731e2364fe0c4c8503bd98db3b7e0e0e5645ba2f232bee0b3
SHA5129766ae481e8bdbb9b9e2ff3c0d38b3b14e5f58e77f9b27dd0b4305a721ff58ba338cfd7388f36f0eac04dabb3e4f7f0d9e69b2022b4a0f6fbb9aa6d9f0b9b1d0
-
memory/1168-74-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-86-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-43-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-10-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-11-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1168-28-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-15-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-29-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/1168-13-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-12-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-32-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/1168-90-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-95-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/1168-19-0x0000000001C00000-0x0000000001C01000-memory.dmpFilesize
4KB
-
memory/1168-8-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-87-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-52-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-14-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-30-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-36-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-37-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-38-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-39-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-40-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-42-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-9-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-79-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-6-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-54-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-56-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-78-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-75-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1168-71-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-69-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-65-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/1168-66-0x0000000000800000-0x00000000018BA000-memory.dmpFilesize
16.7MB
-
memory/3580-17-0x0000000004260000-0x0000000004261000-memory.dmpFilesize
4KB
-
memory/3580-20-0x00000000041D0000-0x00000000041D2000-memory.dmpFilesize
8KB
-
memory/3580-31-0x00000000041D0000-0x00000000041D2000-memory.dmpFilesize
8KB
-
memory/3580-4-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3580-16-0x00000000041D0000-0x00000000041D2000-memory.dmpFilesize
8KB
-
memory/4472-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4472-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4472-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4472-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4472-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4972-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4972-50-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4972-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4972-128-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/4972-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4972-156-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB