Overview

overview

10

Static

static

3

8e80bb11df...cN.dll

windows7-x64

10

8e80bb11df...cN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e80bb11df53637b07329de511c9dd72527af7993fff4d9aaa5a42dd480e011cN.dll

  • Size

    120KB

  • MD5

    228e12d233cc773fb509ac9a9d58c9a0

  • SHA1

    022875c8a951d5d686d61d58de1f11ad79cc62c9

  • SHA256

    8e80bb11df53637b07329de511c9dd72527af7993fff4d9aaa5a42dd480e011c

  • SHA512

    42dbf2714464dc30de95fe7138f788e1a236613b92727a30f988c9c90319674110016b9a2eb525ea741486bc34b9d279be87befb504108eaa0a36703022691d8

  • SSDEEP

    3072:dCdRMWG/xIvmTtFZXXLFRaoJNAIfoZQwAalNTaqn49k:ORRG/GvO3LSovjalNTzni

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:776
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:780
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:384
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:3008
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:64
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:3156
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3452
                  • C:\Windows\system32\rundll32.exe
                    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e80bb11df53637b07329de511c9dd72527af7993fff4d9aaa5a42dd480e011cN.dll,#1
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1708
                    • C:\Windows\SysWOW64\rundll32.exe
                      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e80bb11df53637b07329de511c9dd72527af7993fff4d9aaa5a42dd480e011cN.dll,#1
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1368
                      • C:\Users\Admin\AppData\Local\Temp\e579933.exe
                        C:\Users\Admin\AppData\Local\Temp\e579933.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:1456
                      • C:\Users\Admin\AppData\Local\Temp\e579a3c.exe
                        C:\Users\Admin\AppData\Local\Temp\e579a3c.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3520
                      • C:\Users\Admin\AppData\Local\Temp\e57b4b9.exe
                        C:\Users\Admin\AppData\Local\Temp\e57b4b9.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5112
                      • C:\Users\Admin\AppData\Local\Temp\e57b4c9.exe
                        C:\Users\Admin\AppData\Local\Temp\e57b4c9.exe
                        4⤵
                        • Modifies firewall policy service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Enumerates connected drives
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        • System policy modification
                        PID:4880
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3564
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3772
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3884
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3944
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4044
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:3696
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:5040
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:1208

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\e579933.exe
                                  Filesize

                                  97KB

                                  MD5

                                  d310d670117b51dd88fa957438faba77

                                  SHA1

                                  32e3f2b78eb31e7b1c0bed1ae6e3392fa00213fa

                                  SHA256

                                  2a5d2886ec8dcacce20372d11104681967f073f5caba68f940e6a538c9fb5adb

                                  SHA512

                                  51e4b55e57fc3e420489273f9414deeeeb23159978b1348fa18a39cb13ca401e5b60445d9c7551158af6c70ba8502d2ebc7b828697058a91028fb85a50ae427d

                                  Download Submit

                                • C:\Windows\SYSTEM.INI
                                  Filesize

                                  257B

                                  MD5

                                  392527e9ad8f13041e884ab188f29059

                                  SHA1

                                  28be9b8d4946bc70ae77f8e851bdf223c0715693

                                  SHA256

                                  f58cbb90045e22d241ab81c6dc445cca296efb35f8ed42a85bd1092265dbdd35

                                  SHA512

                                  ef0035b87d0bd164d3e6f1b30f2e6529e8c46b57ccdda25a4eeb1e8c7de44a54de2b535909f4557b43e8a77eb3808f5943299fd5cf04f4c48e3222b05f7b9ec2

                                  Download Submit

                                • memory/1368-28-0x00000000048C0000-0x00000000048C1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1368-29-0x00000000043A0000-0x00000000043A2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1368-1-0x0000000010000000-0x0000000010020000-memory.dmp

                                  Filesize

                                  128KB

                                  Download

                                • memory/1368-13-0x00000000043A0000-0x00000000043A2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1368-15-0x00000000043A0000-0x00000000043A2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1456-88-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-43-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-31-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1456-12-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-10-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-18-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1456-117-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-33-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-11-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-8-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-27-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-26-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-9-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-35-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-37-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-38-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-39-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-40-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-41-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-4-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/1456-44-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-55-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1456-57-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-59-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-60-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-106-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1456-116-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/1456-92-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-90-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-30-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1456-89-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-25-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-87-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-85-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-74-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-75-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-78-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-80-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/1456-83-0x00000000008B0000-0x000000000196A000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/3520-63-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3520-93-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/3520-68-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/3520-36-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/3520-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/3520-122-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/4880-70-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/4880-170-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/4880-95-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/4880-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/4880-67-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4880-138-0x0000000000B30000-0x0000000001BEA000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/4880-169-0x0000000000B30000-0x0000000001BEA000-memory.dmp

                                  Filesize

                                  16.7MB

                                  Download

                                • memory/5112-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/5112-69-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/5112-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/5112-150-0x0000000000400000-0x0000000000412000-memory.dmp

                                  Filesize

                                  72KB

                                  Download

                                • memory/5112-94-0x00000000001E0000-0x00000000001E2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download