| File name: | 4b44768232b7c52ba3915a8551ec24fddf2d6f19c37f63b8980d0d53e92447f9.exe |
| Full analysis: | https://app.any.run/tasks/043b24ca-6cca-4cb4-85a3-544fc6ed9bd4 |
| Verdict: | Malicious activity |
| Threats: | Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. |
| Analysis date: | March 24, 2025, 09:39:54 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 2 sections |
| MD5: | 669F47227FED9D74205FE9E77403D31A |
| SHA1: | 79E87BADAB1ABA6B49579DA0E240AAECE45DB45E |
| SHA256: | 4B44768232B7C52BA3915A8551EC24FDDF2D6F19C37F63B8980D0D53E92447F9 |
| SSDEEP: | 3072:bJmq48fTzwcUzyTP6vGYsps59ASTbYGOLAAFU:bJJHbKEcGYs6vASTkGOLAT |
MALICIOUS
Changes Security Center notification settings
- 10cbed.exe (PID: 7420)
- 10e929.exe (PID: 7968)
SALITY has been detected
- 10cbed.exe (PID: 7420)
- 10e929.exe (PID: 7968)
UAC/LUA settings modification
- 10cbed.exe (PID: 7420)
- 10e929.exe (PID: 7968)
SALITY mutex has been found
- 10cbed.exe (PID: 7420)
- 10ccb8.exe (PID: 7516)
- rundll32.exe (PID: 7396)
- 10e929.exe (PID: 7968)
- 10e939.exe (PID: 7980)
- FileCoAuth.exe (PID: 5968)
Runs injected code in another process
- 10e929.exe (PID: 7968)
Application was injected by another process
- FileCoAuth.exe (PID: 5968)
SUSPICIOUS
Executable content was dropped or overwritten
- rundll32.exe (PID: 7396)
- 10cbed.exe (PID: 7420)
- 10e929.exe (PID: 7968)
INFO
Reads the computer name
- 10cbed.exe (PID: 7420)
- ShellExperienceHost.exe (PID: 8176)
- 10e929.exe (PID: 7968)
Creates files or folders in the user directory
- 10cbed.exe (PID: 7420)
- 10e929.exe (PID: 7968)
- BackgroundTransferHost.exe (PID: 7664)
Checks supported languages
- 10cbed.exe (PID: 7420)
- ShellExperienceHost.exe (PID: 8176)
- 10e929.exe (PID: 7968)
Create files in a temporary directory
- 10cbed.exe (PID: 7420)
- rundll32.exe (PID: 7396)
- 10e929.exe (PID: 7968)
Process checks computer location settings
- ShellExperienceHost.exe (PID: 8176)
Reads security settings of Internet Explorer
- BackgroundTransferHost.exe (PID: 7664)
Reads the software policy settings
- BackgroundTransferHost.exe (PID: 7664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (43.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (29.8) |
| .exe | | | Generic Win/DOS Executable (13.2) |
| .exe | | | DOS Executable Generic (13.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:11:05 20:30:50+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, DLL |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 121856 |
| InitializedDataSize: | 512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e9b7 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
147
Monitored processes
13
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 900 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4228 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5968 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 6080 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7264 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7396 | "C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\Desktop\4b44768232b7c52ba3915a8551ec24fddf2d6f19c37f63b8980d0d53e92447f9.exe.dll, #1 | C:\Windows\SysWOW64\rundll32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7420 | C:\Users\admin\AppData\Local\Temp\10cbed.exe | C:\Users\admin\AppData\Local\Temp\10cbed.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7516 | C:\Users\admin\AppData\Local\Temp\10ccb8.exe | C:\Users\admin\AppData\Local\Temp\10ccb8.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7664 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7852 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 670
Read events
16 444
Write events
156
Delete events
70
Modification events
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | UpdatesDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | UacDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | FirewallDisableNotify |
Value: 1 | |||
| (PID) Process: | (7420) 10cbed.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
Executable files
6
Suspicious files
6
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7664 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\52f24a7e-41f0-4c60-a495-59389259a7a2.down_data | — | |
MD5:— | SHA256:— | |||
| 7420 | 10cbed.exe | C:\Users\admin\AppData\Local\Temp\wintcbd.exe | executable | |
MD5:B360FA63134A63F9ACFE046D2DFE10D9 | SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E | |||
| 7396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\10e939.exe | executable | |
MD5:865A5FFD1EBA75DC5352FF4C3D6BF950 | SHA256:55A27E7385B2CF2F426965DD8DF72040C114982371B279F9E7BD90DD811F4ECA | |||
| 7396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\10cbed.exe | executable | |
MD5:865A5FFD1EBA75DC5352FF4C3D6BF950 | SHA256:55A27E7385B2CF2F426965DD8DF72040C114982371B279F9E7BD90DD811F4ECA | |||
| 7968 | 10e929.exe | C:\Users\admin\AppData\Local\Temp\bmrpj.exe | executable | |
MD5:B360FA63134A63F9ACFE046D2DFE10D9 | SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E | |||
| 5968 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-03-24.0940.5968.1.odl | binary | |
MD5:510AB67DD3E1051A5DAC2A2738F94FC7 | SHA256:0FDA64AE44D02BC29F2BCCC84D543A398DD51BD0774381F32358F3F80DD295F1 | |||
| 7664 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\52f24a7e-41f0-4c60-a495-59389259a7a2.644c52f2-7b51-4778-aeda-5e3a767264ac.down_meta | binary | |
MD5:4C9FC6FB95FD0AD1F637063533DF4D2F | SHA256:40D5157777EB947A1C5993FEEBFBBDFFAA1CE3BD86B2B01C66B394E40F92706C | |||
| 7664 | BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\66e1bace-7e18-4b79-bf6c-4233ab1e8661.644c52f2-7b51-4778-aeda-5e3a767264ac.down_meta | binary | |
MD5:4C9FC6FB95FD0AD1F637063533DF4D2F | SHA256:40D5157777EB947A1C5993FEEBFBBDFFAA1CE3BD86B2B01C66B394E40F92706C | |||
| 7396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\10e929.exe | executable | |
MD5:865A5FFD1EBA75DC5352FF4C3D6BF950 | SHA256:55A27E7385B2CF2F426965DD8DF72040C114982371B279F9E7BD90DD811F4ECA | |||
| 7396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\10ccb8.exe | executable | |
MD5:865A5FFD1EBA75DC5352FF4C3D6BF950 | SHA256:55A27E7385B2CF2F426965DD8DF72040C114982371B279F9E7BD90DD811F4ECA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
23
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 2.16.164.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
300 | RUXIMICS.exe | GET | 200 | 2.16.164.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.159.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.31.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.103.156.88:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T094010Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=182ffdb780cd49eeb2450e0bb1309d47&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967299&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1357829&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.96 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
300 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 2.16.164.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
300 | RUXIMICS.exe | 2.16.164.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6544 | svchost.exe | 20.190.160.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7340 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |