Analysis
-
max time kernel
123s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
16/11/2023, 08:25
General
-
Target
NEAS.78b3cbd6d4fd9505931154d1e6a92020.dll
-
Size
120KB
-
MD5
78b3cbd6d4fd9505931154d1e6a92020
-
SHA1
3a7444c439f882bce24f4687e6dd58aa15b5e6d8
-
SHA256
83d256111924fb7bfc814ea52bf873bfc0b1137d9040bbb7965d6d7c8a8adcaf
-
SHA512
05466875d61adf0454bbe9fa0743f28c59994db8a18cc20b30f02886fed099c1f0888fbfdc6cc3dba18c33ffdb510225b212cb85f680b15f23d06a9269c14990
-
SSDEEP
3072:rsVsSezgtBAhTHhIKHdM+brrf6bKYE1IlFTfq:rm8maTHhIK99brT6uYuI
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.78b3cbd6d4fd9505931154d1e6a92020.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.78b3cbd6d4fd9505931154d1e6a92020.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768fc1.exeC:\Users\Admin\AppData\Local\Temp\f768fc1.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769702.exeC:\Users\Admin\AppData\Local\Temp\f769702.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76aa24.exeC:\Users\Admin\AppData\Local\Temp\f76aa24.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
97KB
MD5eef5b64f58c818964b0e0e9a31a38beb
SHA15e1a6a6681d6482a7bd2dc9ced3675191ffb135e
SHA256fcc3f368e2887a433a4ad4b8148baebe4dedb4f5fadee78108313bad829fdd74
SHA5128f7726aed9b60ebc5f84b8acd9df70e5c8e2f8f4dc2572d44eb329651c8ec15bf2257d49610929cbb2f90e7b6025e9f8670a72cca5679739bcf6ac8084901122
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
128KB