Analysis
-
max time kernel
17s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
06-12-2023 20:56
General
-
Target
83b3bbff75e56d0f909b8cf46fed4890.dll
-
Size
564KB
-
MD5
83b3bbff75e56d0f909b8cf46fed4890
-
SHA1
31228d8d619decb64105e65ffae576f0ccddeb9c
-
SHA256
a1735e573eaa6b88ae074d9e59d3b1bbf856eda4737056f8d2b98a948061fd9c
-
SHA512
e841878f2f07ce9652f878b6a58f0037d251629c6f4b692445303660e103a8e03856b2a1249ad726ba9b2940edbe8e04a84949ea78dede6b6f45adf60d09fe16
-
SSDEEP
12288:tehnaNPpSVZmNxRCwnwm3W3OHIIf5m9RhWFVU:teh0PpS6NxNnwYeOHXAhWTU
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\83b3bbff75e56d0f909b8cf46fed4890.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 2284⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.htmlFilesize
342KB
MD5f360924e921f9895931556d0883bbe77
SHA16e82da26a0867b71851a17638bdb165855356419
SHA256174cdcfbf0f40304f5fb495b8e8f3a312615ac01ad4194a8b0b72d7a3e010511
SHA5127ffd0db2800a3f6a1d2ee544062f4c3f595e9452ebf29232de6c1979a3979f84a549cfa3136524fd322d18f96b8fa1ecd55470c655dc266289b24f777eb5fcf7
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.htmlFilesize
338KB
MD56aacc70a71e2b0fb1d17b985337c7c3f
SHA1ec2ce80d2d4595a3eb8efc1bdce5dd4834a7e6af
SHA2564be9e3288a04cd5153322da567d705f33d87deed111c74a1260d24d77754172b
SHA5126114429860088cc62d1e65fac6c8994ecc9fa284dc0fa98b31780e0e19de589d3e26f9659e9a9f5e16c0705aa4aa46b83e573010cea2fcb88380412946cc5eba
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
C:\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
\Windows\SysWOW64\rundll32mgr.exeFilesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
memory/1172-23-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/1652-4-0x00000000001A0000-0x00000000001D4000-memory.dmpFilesize
208KB
-
memory/1652-318-0x0000000077C90000-0x0000000077C91000-memory.dmpFilesize
4KB
-
memory/1652-314-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/1652-313-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1652-6253-0x0000000010000000-0x000000001008B000-memory.dmpFilesize
556KB
-
memory/1652-10-0x00000000001A0000-0x00000000001D4000-memory.dmpFilesize
208KB
-
memory/1652-2-0x0000000010000000-0x000000001008B000-memory.dmpFilesize
556KB
-
memory/1732-36-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/1732-31-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-12-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-14-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/1732-16-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/1732-19-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-25-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-32-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/1732-49-0x00000000007B0000-0x00000000007E4000-memory.dmpFilesize
208KB
-
memory/1732-52-0x00000000007B0000-0x00000000007E4000-memory.dmpFilesize
208KB
-
memory/1732-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-17-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-18-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/1732-27-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/1732-24-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1732-20-0x00000000026A0000-0x000000000372E000-memory.dmpFilesize
16.6MB
-
memory/2188-95-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/2188-114-0x0000000077C90000-0x0000000077C91000-memory.dmpFilesize
4KB
-
memory/2668-89-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2668-83-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2668-81-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2668-85-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/2668-76-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2668-66-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2668-79-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/2668-362-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/2668-68-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2716-55-0x0000000000400000-0x0000000000434000-memory.dmpFilesize
208KB
-
memory/2716-340-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2716-355-0x0000000077C8F000-0x0000000077C90000-memory.dmpFilesize
4KB
-
memory/2716-357-0x0000000077C70000-0x0000000077DF0000-memory.dmpFilesize
1.5MB
-
memory/2716-62-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2716-539-0x0000000077C70000-0x0000000077DF0000-memory.dmpFilesize
1.5MB
-
memory/2716-64-0x0000000077C8F000-0x0000000077C90000-memory.dmpFilesize
4KB
-
memory/2716-93-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2716-63-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB