Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-06-2024 15:04
General
-
Target
982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll
-
Size
120KB
-
MD5
0c60e7a4b91cef14ab81d6afce534b6d
-
SHA1
e3c7138ccee52bff03ecb0693faf76e6b85ff5ba
-
SHA256
982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2
-
SHA512
f50e3b82a020b10d340c97badec56cb6179c10e1694c805f84391060e28fa261034acac56bbd5015c0d9afcd08cbb9a2d8768e3f19184105b7bb36aae97bcf5d
-
SSDEEP
3072:j4BGPzcJ7miopYmzQC87x17ReBYnhmn1eatIsJ:DPzcAisYmcCoxCY6oarJ
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 28 IoCs
-
UPX dump on OEP (original entry point) 34 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\982d4b0f323c39c9b46cf1fa7c444da7815428257e5619490cb8c37a76b1c8f2.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57421a.exeC:\Users\Admin\AppData\Local\Temp\e57421a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5743c0.exeC:\Users\Admin\AppData\Local\Temp\e5743c0.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e57689d.exeC:\Users\Admin\AppData\Local\Temp\e57689d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57421a.exeFilesize
97KB
MD5b0d1c41f3dcefe5bc7050aaced2e01d4
SHA1486e63b0ffd8bae1a2ad8af9ce3211b937428f58
SHA2568eaeb4e01ad4bf5b94d02f483a479f786e340bb93ee12b97a691112c38e417b0
SHA51208a25f30fb55d627b28f15d206b7d6f2aeee71e9dc1af09dbb8a6fd314c5ec2fe7dcb116f0d894cf69eb17e0a83f439abe2a8d696d645fcea3f1271aefc355a4
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5e3fa82f6c65f8e66a6dd4318569f7c16
SHA1788f23325cfee69528795b5bafa6aa65bc9b7ec9
SHA2567d41a977a2e01f4916a5eb6e9c6ccadca941ddae725ef8550e188165ceeefa44
SHA51206f054dae6f2234cb391d59fb41b2053e9fbe78f56b61152ee5bc8d43d3acf07fff198d1de45bb3fdec719ecbfbfa86c540ea52437bd6489ffa2837c31479aaf
-
memory/1048-53-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1048-57-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1048-111-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1048-109-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/1048-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1048-55-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1900-98-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/1900-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1900-51-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1900-54-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1900-97-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1900-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1900-112-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/2532-39-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-79-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2532-24-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/2532-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2532-6-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-10-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-9-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-36-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-37-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-38-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-20-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-40-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-8-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-12-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-18-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-11-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-32-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2532-19-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-29-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-58-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-59-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-60-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-62-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-63-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-65-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-66-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-69-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-71-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-30-0x0000000000670000-0x0000000000672000-memory.dmpFilesize
8KB
-
memory/2532-74-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/2532-92-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2532-28-0x00000000008A0000-0x000000000195A000-memory.dmpFilesize
16.7MB
-
memory/3648-25-0x0000000004770000-0x0000000004772000-memory.dmpFilesize
8KB
-
memory/3648-31-0x0000000004770000-0x0000000004772000-memory.dmpFilesize
8KB
-
memory/3648-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3648-21-0x0000000004770000-0x0000000004772000-memory.dmpFilesize
8KB
-
memory/3648-22-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB