| File name: | Desktop.zip |
| Full analysis: | https://app.any.run/tasks/21003971-aa0c-4e5f-a210-9ad4076625a9 |
| Verdict: | Malicious activity |
| Threats: | Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. |
| Analysis date: | March 24, 2025, 13:24:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | CCF57D5C453DB2B82AC9E6683CEEE827 |
| SHA1: | D7175945B43B3CDB405C6F94D24AD099247D1AC1 |
| SHA256: | 0F723057F188B278B2AAA185B821E816E15D50D3C669CB99778EEB4A7F24B63A |
| SSDEEP: | 6144:nBko9+TUkNi28q8HcgyqO765A4V5bomzZ9sC2i7QmQgHXf4VTPaIYp:Bko9+TUDyDgy776bVXsC2i7QPQU6 |
| .zip | ZIP compressed archive (100) |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:03:24 13:15:08 |
| ZipCRC: | 0xdd4529d2 |
| ZipCompressedSize: | 50973 |
| ZipUncompressedSize: | 118784 |
| ZipFileName: | hccutils.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1852 | "C:\Users\admin\Desktop\Sality.AU' in file setup.exe" | C:\Users\admin\Desktop\Sality.AU' in file setup.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Setup Bootstrap for Visual Basic Setup Toolkit; Exit code: 1; Version: 6.00.8169 |
| 2268 | "C:\Users\admin\Desktop\hkcmd.exe" | C:\Users\admin\Desktop\hkcmd.exe | — | explorer.exe | User: admin; Company: Intel Corporation; Integrity Level: MEDIUM; Description: hkcmd Module; Exit code: 0; Version: 3.0.0.4020 |
| 4380 | "C:\Users\admin\Desktop\Sality.AU' in file setup.exe" | C:\Users\admin\Desktop\Sality.AU' in file setup.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Setup Bootstrap for Visual Basic Setup Toolkit; Exit code: 1; Version: 6.00.8169 |
| 5084 | C:\WINDOWS\system32\OpenWith.exe -Embedding | C:\Windows\System32\OpenWith.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Pick an app; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5212 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Desktop.zip | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
| 5436 | "C:\Users\admin\Desktop\hkcmd.exe" | C:\Users\admin\Desktop\hkcmd.exe | | explorer.exe | User: admin; Company: Intel Corporation; Integrity Level: HIGH; Description: hkcmd Module; Exit code: 0; Version: 3.0.0.4020 |
| 5552 | "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Shell Experience Host; Version: 10.0.19041.3758 (WinBuild.160101.0800) |
| 7216 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: KMS Connection Broker; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800) |
| 7264 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | | SppExtComObj.Exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Activation Client; Exit code: 1; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7500 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\preferences.zip |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\chromium_ext.zip |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Desktop.zip |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120 |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80 |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120 |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | name | 256 |
| 5212 | WinRAR.exe | write | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | size | 80 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1852 | Sality.AU' in file setup.exe | C:\Windows\system.ini | binary | 22B1DDB7852611751E93476E4D77EE5B | D6C0D19592EB1F7336FB7B44CA88C10EA701F6F9C664843FE6F740D3E69C9856 |
| 5212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5212.1443\Sality.AU' in file 'setup.exe' | executable | FDC45D4E334BEF9FE31D72B47006921D | FEADDC233C8BA06B816EF9F7189E333EE0D6CD3490AA2B3C08331B358421A015 |
| 5212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5212.1443\hccutils.dll | executable | 129A8BC118B57FA1F4145E9B14E4A50C | F0803CDF24DB29A6F795C91CDF8BC4D11E5017B8CDF7D818158DF67582E524BA |
| 5212 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5212.1443\hkcmd.exe | executable | 472181A5772ACD07E7C236F49DA8D4D3 | 97B9B58EAD8F3D4560C3CE31B3CEC9131EE11247B095CBCC16007DDE3ACDB8D4 |
| 7992 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-24.1325.7992.1.odl | binary | C19E8F05055AD93A83BA2550789F88AC | 82FB7266E68AD8B33068A627623F6E725496C230805E4A43509E4AB0CAF69635 |
| 7992 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-24.1325.7992.1.aodl | binary | 28DCA2FF4B34B5A52A2E59DF202A6ED3 | 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94 |
| 1852 | Sality.AU' in file setup.exe | C:\Windows\ST6UNST.000 | text | 9940604D92C6460226F33C3EFF667846 | A60E84F4CE6F1FC0742D797571F89FB9D329603BDC0C4021E20ABF1E4729F5C6 |
| 4380 | Sality.AU' in file setup.exe | C:\Windows\ST6UNST.001 | text | 9940604D92C6460226F33C3EFF667846 | A60E84F4CE6F1FC0742D797571F89FB9D329603BDC0C4021E20ABF1E4729F5C6 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2104 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 6036 | backgroundTaskHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 2104 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6544 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6544 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
| 6404 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6036 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 6036 | backgroundTaskHost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| google.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| arc.msn.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |