Analysis
-
max time kernel
27s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 18:25
General
-
Target
0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll
-
Size
120KB
-
MD5
96a281d0811589bbfd15fffb6b24779c
-
SHA1
2632489eb13cd8ba4e55b850ffa6cec6275ad2c5
-
SHA256
0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320
-
SHA512
9380488aad0c507bc0197470674a5618b4a0d14f7dd2e214ab0162a7d22c56c300fab74ab3d840c49405eaf18bd65f416078c1bb1a22feb6ea513f769b3f9ed7
-
SSDEEP
1536:kj8cBPBdFbMA0V8CVQ7H6qmEaskkSkwTBR3K4mR6ouqb2ouOLmelowvrD:Y0ViaqEscDTLLLouqCoaQz
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 33 IoCs
-
UPX dump on OEP (original entry point) 37 IoCs
-
Executes dropped EXE 3 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0726bb3e17a3767a59c0cf84543f95189fbe46b3b3c209f0a126d82aebe13320.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e5749ca.exeC:\Users\Admin\AppData\Local\Temp\e5749ca.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e574c0d.exeC:\Users\Admin\AppData\Local\Temp\e574c0d.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e576580.exeC:\Users\Admin\AppData\Local\Temp\e576580.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e5749ca.exeFilesize
97KB
MD5b5c37da37abe66eb03c6c946d13078d0
SHA1fc7592c5b105b7c057237c5f74298b4416beee51
SHA256581b137c4f2507eb33579b2f1a526a8c70bed083cb950424d36a8a6b4d2700c0
SHA512b5ffcd9a3fc9851e666907707bfffa7770b479b5ea31060a7e0c25dada8b7248151679274ff7c1f851b120a0c10f92a13362012e5dda7ddaa2cf434420c395b0
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5b3c97e06a1fb80fb2123106d6c8318d5
SHA1c4a038e8b0ae1fc7d585e5a18207323a3a8c714e
SHA256b0eeb329fc87ee48bf2c255559fbf78cf8d636e2cab7389226583a33ebf6a390
SHA512aaf3109dbbecb4454d81cc09fe09d8080a0332f4f6f1c2aeba2ad91b068a438d0a416378a43203fa7b10075b2ce53c8962dd5774efb60d5b905b52557f6e13f9
-
memory/472-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/472-149-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/472-150-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/472-109-0x0000000000B30000-0x0000000001BEA000-memory.dmpFilesize
16.7MB
-
memory/472-61-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/472-65-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/472-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1244-43-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-56-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-4-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1244-9-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-35-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1244-20-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-32-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1244-12-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-10-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-18-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-11-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-6-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-29-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-37-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-38-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-39-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-40-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-41-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-90-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/1244-44-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-103-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1244-53-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-55-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-24-0x0000000000750000-0x0000000000751000-memory.dmpFilesize
4KB
-
memory/1244-28-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-86-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-19-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-83-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-8-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-81-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-66-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-68-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-71-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-73-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-75-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-77-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/1244-79-0x0000000000870000-0x000000000192A000-memory.dmpFilesize
16.7MB
-
memory/2800-59-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2800-62-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2800-64-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2800-107-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2800-36-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4232-27-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB
-
memory/4232-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/4232-30-0x0000000003F10000-0x0000000003F11000-memory.dmpFilesize
4KB
-
memory/4232-31-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB
-
memory/4232-21-0x0000000003E80000-0x0000000003E82000-memory.dmpFilesize
8KB