| File name: | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b |
| Full analysis: | https://app.any.run/tasks/a8fa2c78-4a71-4d12-b495-03dea1ce407d |
| Verdict: | Malicious activity |
| Threats: | Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. |
| Analysis date: | December 13, 2024, 20:24:57 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | AAC12149429E9C1770D6E4961C07533E |
| SHA1: | A6318976AEB0164108F9AC1C93593A3A0F90682F |
| SHA256: | 44E287FE6A9916ED3D0F984A21EA33E3AB554F970A7D2FD32D82C286399D3C7B |
| SSDEEP: | 98304:2qGHFYB4mMNHfK3zbWP1QLQ4yQSeXvbDYz7QMPbMyTb2Z/nqoGQyARJdM:p6eKFBAS |
MALICIOUS
SALITY mutex has been found
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdate.exe (PID: 4428)
SUSPICIOUS
Starts a Microsoft application from unusual location
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdate.exe (PID: 4428)
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
Process drops legitimate windows executable
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdate.exe (PID: 2100)
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
Executable content was dropped or overwritten
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
Reads security settings of Internet Explorer
- MicrosoftEdgeUpdate.exe (PID: 4428)
- MicrosoftEdgeUpdate.exe (PID: 2100)
Disables SEHOP
- MicrosoftEdgeUpdate.exe (PID: 2100)
INFO
Checks supported languages
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdate.exe (PID: 4428)
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
- MicrosoftEdgeUpdate.exe (PID: 2100)
Reads the computer name
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdate.exe (PID: 4428)
- MicrosoftEdgeUpdate.exe (PID: 2100)
Create files in a temporary directory
- MicrosoftEdgeUpdate.exe (PID: 4428)
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
The sample compiled with english language support
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
- MicrosoftEdgeUpdate.exe (PID: 2100)
Creates files in the program directory
- MicrosoftEdgeUpdateSetup.exe (PID: 2432)
- MicrosoftEdgeUpdate.exe (PID: 4428)
Process checks computer location settings
- MicrosoftEdgeUpdate.exe (PID: 4428)
- MicrosoftEdgeUpdate.exe (PID: 2100)
Reads Environment values
- MicrosoftEdgeUpdate.exe (PID: 2100)
Checks proxy server information
- MicrosoftEdgeUpdate.exe (PID: 2100)
- wermgr.exe (PID: 5568)
- wermgr.exe (PID: 1752)
UPX packer has been detected
- 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe (PID: 5592)
Reads the software policy settings
- MicrosoftEdgeUpdate.exe (PID: 2100)
- wermgr.exe (PID: 5568)
Reads the machine GUID from the registry
- MicrosoftEdgeUpdate.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:08:11 05:11:52+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.26 |
| CodeSize: | 105472 |
| InitializedDataSize: | 1661952 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x740b |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.151.27 |
| ProductVersionNumber: | 1.3.151.27 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Edge Update Setup |
| FileVersion: | 1.3.151.27 |
| InternalName: | Microsoft Edge Update Setup |
| LegalCopyright: | Copyright Microsoft Corporation |
| OriginalFileName: | MicrosoftEdgeUpdateSetup.exe |
| ProductName: | Microsoft Edge Update |
| ProductVersion: | 1.3.151.27 |
| UpstreamVersion: | 1.3.99.0 |
| LanguageId: | en |
Total processes
125
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5592 | "C:\Users\admin\Desktop\44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe" | C:\Users\admin\Desktop\44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Setup Exit code: 2147747592 Version: 1.3.151.27 Modules
| |||||||||||||||
| 4428 | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\MicrosoftEdgeUpdate.exe /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true" | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\MicrosoftEdgeUpdate.exe | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 2147747592 Version: 1.3.151.27 Modules
| |||||||||||||||
| 2432 | "C:\Users\admin\AppData\Local\Temp\EU6005.tmp\MicrosoftEdgeUpdateSetup.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true" /installelevated /nomitag | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\MicrosoftEdgeUpdateSetup.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Update Setup Exit code: 2147747592 Version: 1.3.151.27 Modules
| |||||||||||||||
| 2100 | "C:\Program Files (x86)\Microsoft\Temp\EU6881.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true" /installelevated | C:\Program Files (x86)\Microsoft\Temp\EU6881.tmp\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdateSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 2147747592 Modules
| |||||||||||||||
| 5568 | "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "2100" "996" "728" "1000" "0" "0" "0" "0" "0" "0" "0" "0" | C:\Windows\SysWOW64\wermgr.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1752 | "C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "4428" "1580" "1412" "1584" "0" "0" "0" "0" "0" "0" "0" "0" | C:\Windows\SysWOW64\wermgr.exe | MicrosoftEdgeUpdate.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 646
Read events
15 563
Write events
1 081
Delete events
2
Modification events
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | GlobalUserOffline |
Value: 0 | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a1_0 |
Value: 114302587 | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a2_0 |
Value: 9674 | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a3_0 |
Value: 17001001 | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a4_0 |
Value: 0 | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a1_1 |
Value: | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a2_1 |
Value: | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a3_1 |
Value: | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a4_1 |
Value: | |||
| (PID) Process: | (5592) 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Tvidl |
| Operation: | write | Name: | a1_2 |
Value: 971390224 | |||
Executable files
303
Suspicious files
1
Text files
9
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\windomq.exe | executable | |
MD5:B360FA63134A63F9ACFE046D2DFE10D9 | SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\EdgeUpdate.dat | hiv | |
MD5:369BBC37CFF290ADB8963DC5E518B9B8 | SHA256:3D7EC761BEF1B1AF418B909F1C81CE577C769722957713FDAFBC8131B0A0C7D3 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\MicrosoftEdgeComRegisterShellARM64.exe | executable | |
MD5:E7DDB7D2103FD518652ECA1328F21510 | SHA256:8666D49F5AF22615EACBB8B389098C2E7276E6040C937ABA970A1DD46FEFA7D5 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\psuser.dll | executable | |
MD5:AA64DF6BDFDE4269ED60B1549CAF78AE | SHA256:31B3C910AEAC22075AF48FFEFF27BB93B25184E36E1AABAEB00E0587DA1FC44E | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\psuser_arm64.dll | executable | |
MD5:829055188A942FFA8EE24AF5FB8DFB2B | SHA256:D6E416D1E3F09D310EB216C214E2DEF4CD9E3AFEC1F394696630560148F4AB42 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\msedgeupdateres_am.dll | executable | |
MD5:A6C941F474E1C7266AB500CC932AD294 | SHA256:5AD20F36DB95FABBB0F8C62B94BBD532DB8083E0F380191180613BD2579A5481 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\msedgeupdateres_bg.dll | executable | |
MD5:B5C174C65533A224015E940453EBF7BD | SHA256:F9B9730B97F160B22BB9E5F96C2FE623E4CD1EC8D58B36C05E62B92B6EED29E6 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\psmachine_64.dll | executable | |
MD5:71B8A5DFFA519469747C15989F575512 | SHA256:2D2CF4EF96AE3EA8EDA099E8D50E3BFC4BD638D2629BD6B1CAE1C92CA9AA5632 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\msedgeupdate.dll | executable | |
MD5:93D198ACFF9BB99FD6DD2F0B972A4172 | SHA256:A88A49608B123E5241C4EBE8D69DFDA70C0B3D87640C4D4A565C99B8EC00AA12 | |||
| 5592 | 44e287fe6a9916ed3d0f984a21ea33e3ab554f970a7d2fd32d82c286399d3c7b.exe | C:\Users\admin\AppData\Local\Temp\EU6005.tmp\psmachine.dll | executable | |
MD5:B02FD944867F935648B4C63AC3AF340C | SHA256:2055EC023310DC7863871DF39D4F69C6C02B8EFB5B756401F73F5F398E414AD4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
9
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.151.27?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appVersion_edgeupdate=1.3.151.27&appUpdateCheckIsUpdateDisabled_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osPlatform=win&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=taggedmi&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.151.27 | unknown | — | — | — |
— | — | GET | 304 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.151.27?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_webview=5&appConsentState_webview=0&appDayOfInstall_webview=0&appInstallTimeDiffSec_webview=0&appLastLaunchTime_webview=0&appUpdateCheckIsUpdateDisabled_webview=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osPlatform=win&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=taggedmi&requestIsMachine=true&requestOmahaShellVersion=1.3.147.37&requestOmahaVersion=1.3.151.27 | unknown | — | — | — |
440 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
440 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
440 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 92.123.104.35:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
440 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2100 | MicrosoftEdgeUpdate.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
440 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
440 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |