| File name: | 603d8e8e70b42104311366128eade5a0fde9333e8b45cbbf3eef1716fd44ffee.exe |
| Full analysis: | https://app.any.run/tasks/a5360209-50d9-48c6-af14-bbd2d05016f9 |
| Verdict: | Malicious activity |
| Threats: | Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions. |
| Analysis date: | January 10, 2025, 19:05:38 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 2 sections |
| MD5: | E7BF9C000DF61730B90ED5CC1DFA810C |
| SHA1: | 34BF0786F55D0BED4CAC1DF0267377D744615D11 |
| SHA256: | 603D8E8E70B42104311366128EADE5A0FDE9333E8B45CBBF3EEF1716FD44FFEE |
| SSDEEP: | 3072:Pvp8KrpG34P+YWPUxKCyg1fqt8lrkppLP9ZJMyy1xYZ:PvpYU+YGN2xuzRZm9fq |
MALICIOUS
SALITY mutex has been found
- 13610f.exe (PID: 5008)
- rundll32.exe (PID: 5628)
- rundll32.exe (PID: 5628)
- 13610f.exe (PID: 5008)
- 13619b.exe (PID: 1344)
- 13619b.exe (PID: 1344)
- 13affa.exe (PID: 5208)
- 13b00a.exe (PID: 3836)
- 13b038.exe (PID: 2676)
- 13affa.exe (PID: 5208)
- 13b2e8.exe (PID: 3640)
- 13b038.exe (PID: 2676)
- 13b2e8.exe (PID: 3640)
- 13b00a.exe (PID: 3836)
- 13b019.exe (PID: 3172)
- 13b029.exe (PID: 244)
- 13b029.exe (PID: 244)
- 13b019.exe (PID: 3172)
Changes Security Center notification settings
- 13610f.exe (PID: 5008)
- 13b2e8.exe (PID: 3640)
- rundll32.exe (PID: 5628)
UAC/LUA settings modification
- 13610f.exe (PID: 5008)
- 13b2e8.exe (PID: 3640)
- rundll32.exe (PID: 5628)
SUSPICIOUS
Executable content was dropped or overwritten
- 13610f.exe (PID: 5008)
- rundll32.exe (PID: 5628)
- 13b2e8.exe (PID: 3640)
INFO
Creates files or folders in the user directory
- 13610f.exe (PID: 5008)
- rundll32.exe (PID: 5628)
- 13b2e8.exe (PID: 3640)
UPX packer has been detected
- 13619b.exe (PID: 1344)
- 13610f.exe (PID: 5008)
- 13affa.exe (PID: 5208)
- 13b00a.exe (PID: 3836)
- 13b029.exe (PID: 244)
- 13b019.exe (PID: 3172)
- 13b038.exe (PID: 2676)
- 13b2e8.exe (PID: 3640)
Checks supported languages
- 13610f.exe (PID: 5008)
- 13b2e8.exe (PID: 3640)
Reads the computer name
- 13610f.exe (PID: 5008)
- 13b2e8.exe (PID: 3640)
Create files in a temporary directory
- 13610f.exe (PID: 5008)
- rundll32.exe (PID: 5628)
- 13b2e8.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (43.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (29.8) |
| .exe | | | Generic Win/DOS Executable (13.2) |
| .exe | | | DOS Executable Generic (13.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:11:05 20:30:50+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, DLL |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 121856 |
| InitializedDataSize: | 512 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e9b7 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
126
Monitored processes
9
Malicious processes
9
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5628 | "C:\WINDOWS\SysWOW64\rundll32.exe" C:\Users\admin\Desktop\603d8e8e70b42104311366128eade5a0fde9333e8b45cbbf3eef1716fd44ffee.exe.dll, #1 | C:\Windows\SysWOW64\rundll32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5008 | C:\Users\admin\AppData\Local\Temp\13610f.exe | C:\Users\admin\AppData\Local\Temp\13610f.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1344 | C:\Users\admin\AppData\Local\Temp\13619b.exe | C:\Users\admin\AppData\Local\Temp\13619b.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 5208 | C:\Users\admin\AppData\Local\Temp\13affa.exe | C:\Users\admin\AppData\Local\Temp\13affa.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3836 | C:\Users\admin\AppData\Local\Temp\13b00a.exe | C:\Users\admin\AppData\Local\Temp\13b00a.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3172 | C:\Users\admin\AppData\Local\Temp\13b019.exe | C:\Users\admin\AppData\Local\Temp\13b019.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 244 | C:\Users\admin\AppData\Local\Temp\13b029.exe | C:\Users\admin\AppData\Local\Temp\13b029.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2676 | C:\Users\admin\AppData\Local\Temp\13b038.exe | C:\Users\admin\AppData\Local\Temp\13b038.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3640 | C:\Users\admin\AppData\Local\Temp\13b2e8.exe | C:\Users\admin\AppData\Local\Temp\13b2e8.exe | rundll32.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
751
Read events
656
Write events
87
Delete events
8
Modification events
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | UpdatesDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center |
| Operation: | write | Name: | UacDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | AntiVirusOverride |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | AntiVirusDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | FirewallDisableNotify |
Value: 1 | |||
| (PID) Process: | (5008) 13610f.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc |
| Operation: | write | Name: | FirewallOverride |
Value: 1 | |||
Executable files
12
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13610f.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13b00a.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13b038.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13b2e8.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13b029.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13619b.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13affa.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\13b019.exe | executable | |
MD5:359C3B40C0C20DCFA98287339E031FFB | SHA256:E13A58A5488C75D26265F7758EBBFED67BED498E94122EBF52309ACF83E84066 | |||
| 5008 | 13610f.exe | C:\Users\admin\AppData\Local\Temp\windxkdu.exe | executable | |
MD5:B360FA63134A63F9ACFE046D2DFE10D9 | SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E | |||
| 5628 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\winxdnvno.exe | executable | |
MD5:B360FA63134A63F9ACFE046D2DFE10D9 | SHA256:03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5564 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5564 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5564 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5564 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5564 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |