Overview

overview

10

Static

static

3

702879f5c9...57.dll

windows7-x64

10

702879f5c9...57.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2024 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    702879f5c9ebf4b99e8f354232b59110643c158b8a433ac392ac153bf1f6c957.dll

  • Size

    120KB

  • MD5

    1d5e4aa98af73d4d9f549c0c861aae3f

  • SHA1

    379de07bfeac87f6082483f65c2baacd5642aef8

  • SHA256

    702879f5c9ebf4b99e8f354232b59110643c158b8a433ac392ac153bf1f6c957

  • SHA512

    b39a5619212087578d23067e6f06410af0d8eac629334c5d205a01c07e9bc838b454562bc8ea520dee1101eeb8495b417122a82298864aa9380d0659f5a74179

  • SSDEEP

    3072:d+b1SKboRixf5r8eJlbVonmuaaQRnQNS:sADU6SpVomTfQ

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 29 IoCs
  • UPX dump on OEP (original entry point) 34 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:764
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:772
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:1020
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2568
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:2580
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2688
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3544
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\702879f5c9ebf4b99e8f354232b59110643c158b8a433ac392ac153bf1f6c957.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3520
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\702879f5c9ebf4b99e8f354232b59110643c158b8a433ac392ac153bf1f6c957.dll,#1
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2696
                      • C:\Users\Admin\AppData\Local\Temp\e575592.exe
                        C:\Users\Admin\AppData\Local\Temp\e575592.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:940
                      • C:\Users\Admin\AppData\Local\Temp\e57569c.exe
                        C:\Users\Admin\AppData\Local\Temp\e57569c.exe
                        4⤵
                        • Executes dropped EXE
                        PID:456
                      • C:\Users\Admin\AppData\Local\Temp\e577e09.exe
                        C:\Users\Admin\AppData\Local\Temp\e577e09.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:1908
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3692
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3868
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:4024
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:4088
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3196
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4144
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              1⤵
                                PID:4600
                              • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                                "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                                1⤵
                                  PID:3512
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  1⤵
                                    PID:4944
                                  • C:\Windows\System32\RuntimeBroker.exe
                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                    1⤵
                                      PID:5104
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:1052

                                      Network

                                      MITRE ATT&CK Matrix ATT&CK v13

                                      Initial Access

                                      Execution

                                      Persistence

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Privilege Escalation

                                      Create or Modify System Process

                                      1
                                      T1543

                                      Windows Service

                                      1
                                      T1543.003

                                      Abuse Elevation Control Mechanism

                                      1
                                      T1548

                                      Bypass User Account Control

                                      1
                                      T1548.002

                                      Defense Evasion

                                      Modify Registry

                                      5
                                      T1112

                                      Abuse Elevation Control Mechanism

                                      1
                                      T1548

                                      Bypass User Account Control

                                      1
                                      T1548.002

                                      Impair Defenses

                                      3
                                      T1562

                                      Disable or Modify Tools

                                      3
                                      T1562.001

                                      Credential Access

                                      Discovery

                                      System Information Discovery

                                      2
                                      T1082

                                      Query Registry

                                      1
                                      T1012

                                      Peripheral Device Discovery

                                      1
                                      T1120

                                      Lateral Movement

                                      Collection

                                      Exfiltration

                                      Command and Control

                                      Impact

                                      Resource Development

                                      Reconnaissance

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\e575592.exe
                                        Filesize

                                        97KB

                                        MD5

                                        acfd867c45493fdf3caa934e2d1fc65d

                                        SHA1

                                        e75bfce8a154765768dfe32c1e7c190749304cd2

                                        SHA256

                                        58385fc43fa5325e81686c7b9ff232a6bcf7e8842846bf38cdb7dcd6330f1888

                                        SHA512

                                        8df8bed009e8707cb005293a784f0cd0aeb2b474f0e4ae3be614460c00850ea518c98dc3c3d1f2a001e7fc0fb8304fa157014b7943cc47188c21064f7fa2f7f5

                                        Download Submit
                                      • C:\Windows\SYSTEM.INI
                                        Filesize

                                        257B

                                        MD5

                                        47bc113843b1ec97e5532eb95bf90cad

                                        SHA1

                                        b65b9ceb497ecee22d7729658490a6bb6a6da848

                                        SHA256

                                        903c7bc650b0340c48721cb5f651b5b430b007a88f921168ae3f94685f9d9761

                                        SHA512

                                        60ed0231ae1baed048a96932c47d3df9a5b56828315add845c08df2acaa46c9e83504024f4a3c1eac296650c59f9f7082786af24728857de447a33e81beb132b

                                        Download Submit
                                      • memory/456-34-0x0000000000400000-0x0000000000412000-memory.dmp
                                        Filesize

                                        72KB

                                        Download
                                      • memory/456-57-0x00000000001E0000-0x00000000001E2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/456-52-0x00000000001F0000-0x00000000001F1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/456-55-0x00000000001E0000-0x00000000001E2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/940-42-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-66-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-26-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-33-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-11-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-5-0x0000000000400000-0x0000000000412000-memory.dmp
                                        Filesize

                                        72KB

                                        Download
                                      • memory/940-77-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-82-0x0000000001CB0000-0x0000000001CB2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/940-94-0x0000000000400000-0x0000000000412000-memory.dmp
                                        Filesize

                                        72KB

                                        Download
                                      • memory/940-29-0x0000000001CB0000-0x0000000001CB2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/940-28-0x0000000001CB0000-0x0000000001CB2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/940-27-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-10-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-74-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-35-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-36-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-37-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-39-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-38-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-40-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-24-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-73-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-72-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-69-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-25-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-6-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-15-0x0000000001CC0000-0x0000000001CC1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/940-65-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-9-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-59-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-60-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-62-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/940-64-0x00000000008F0000-0x00000000019AA000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/1908-114-0x0000000000B60000-0x0000000001C1A000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/1908-56-0x00000000001E0000-0x00000000001E2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/1908-54-0x00000000001F0000-0x00000000001F1000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/1908-50-0x0000000000400000-0x0000000000412000-memory.dmp
                                        Filesize

                                        72KB

                                        Download
                                      • memory/1908-148-0x0000000000400000-0x0000000000412000-memory.dmp
                                        Filesize

                                        72KB

                                        Download
                                      • memory/1908-147-0x0000000000B60000-0x0000000001C1A000-memory.dmp
                                        Filesize

                                        16.7MB

                                        Download
                                      • memory/1908-58-0x00000000001E0000-0x00000000001E2000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/2696-30-0x0000000003A20000-0x0000000003A22000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/2696-12-0x0000000003A20000-0x0000000003A22000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/2696-0-0x0000000010000000-0x0000000010020000-memory.dmp
                                        Filesize

                                        128KB

                                        Download
                                      • memory/2696-16-0x0000000003A20000-0x0000000003A22000-memory.dmp
                                        Filesize

                                        8KB

                                        Download
                                      • memory/2696-13-0x0000000003A30000-0x0000000003A31000-memory.dmp
                                        Filesize

                                        4KB

                                        Download
                                      • memory/2696-47-0x0000000003A20000-0x0000000003A22000-memory.dmp
                                        Filesize

                                        8KB

                                        Download