Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 01:28
General
-
Target
bcf3a1358c8a9a7ff917fe27cdac4dc6eb7ef4d4102166498396089ddd5c2664.dll
-
Size
120KB
-
MD5
158a4ffdc52453ed8b625c64f1db23f6
-
SHA1
f4bc2b1f9aff0c35111a86c61f6dbde4f80f733a
-
SHA256
bcf3a1358c8a9a7ff917fe27cdac4dc6eb7ef4d4102166498396089ddd5c2664
-
SHA512
aa7d8b73a041257e40f3a9460ae1e12724a9bce5b64145382c41d39c4819e970fbb243fa958241dd2f3a5b7e592178c7309d5dc2488005fc77f90b3c9712aa1e
-
SSDEEP
3072:i/KlPRxHXU9ldr9BMFlOy1OkIOl76QOrnc/Uw:JPRlkJ9sIkdrOrc/9
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bcf3a1358c8a9a7ff917fe27cdac4dc6eb7ef4d4102166498396089ddd5c2664.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bcf3a1358c8a9a7ff917fe27cdac4dc6eb7ef4d4102166498396089ddd5c2664.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e575bdb.exeC:\Users\Admin\AppData\Local\Temp\e575bdb.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e575cc6.exeC:\Users\Admin\AppData\Local\Temp\e575cc6.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e5777b0.exeC:\Users\Admin\AppData\Local\Temp\e5777b0.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5777d0.exeC:\Users\Admin\AppData\Local\Temp\e5777d0.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e575bdb.exeFilesize
97KB
MD58201e81b75ed5af7928109e9d7a161ed
SHA12ea6c6c7acf903faf1171357dbb88b612274f7fd
SHA2564dcb55767d5a801e8a4a1d4468d1420c2b0c7d9a04515c21236af703947e55c1
SHA51263aa4d97f6ab05a5dcec6ff55e70aeacab01feb930c0d6dac905757bbd6f4e5215c0fb72d0ca5c377e9d9c9fb4cf3929fc7b91dc1b55cfb2d7f55fb57d6ee701
-
C:\Windows\SYSTEM.INIFilesize
257B
MD58f8f43f2be9d0755aa1a67f399516554
SHA1b5ce7bd0bb96101b9026638515d22976c05267ce
SHA256b56d7ca62cab2651a0d59c951e18ade2e01872cf2e60f7f8b3f02eda35b4b672
SHA5124bbed54430fa2317c2bc3fcaa680e1e53b225ed1bed3af527f5533dac9f1001349632b776159a059554b62996dcaf7b48bfe17a54a3c686aebfbadfab9deaefc
-
memory/2432-59-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-81-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-57-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-26-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2432-117-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2432-25-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-12-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-98-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-30-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/2432-29-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-32-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-10-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-11-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-97-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-16-0x0000000001A80000-0x0000000001A81000-memory.dmpFilesize
4KB
-
memory/2432-96-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-93-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-8-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-37-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-36-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-38-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-39-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-40-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-60-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-43-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-91-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-85-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/2432-28-0x00000000006B0000-0x00000000006B2000-memory.dmpFilesize
8KB
-
memory/2432-27-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-42-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-83-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-9-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-79-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-76-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/2432-75-0x00000000007C0000-0x000000000187A000-memory.dmpFilesize
16.7MB
-
memory/3108-73-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3108-56-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3108-68-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3108-70-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3296-13-0x0000000003C40000-0x0000000003C42000-memory.dmpFilesize
8KB
-
memory/3296-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3296-14-0x0000000004260000-0x0000000004261000-memory.dmpFilesize
4KB
-
memory/3296-17-0x0000000003C40000-0x0000000003C42000-memory.dmpFilesize
8KB
-
memory/3296-31-0x0000000003C40000-0x0000000003C42000-memory.dmpFilesize
8KB
-
memory/3504-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3504-69-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/3504-66-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3504-151-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3504-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3504-146-0x0000000000B20000-0x0000000001BDA000-memory.dmpFilesize
16.7MB
-
memory/3504-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4372-71-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4372-121-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4372-34-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4372-63-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4372-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB