Analysis
-
max time kernel
120s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26/03/2024, 18:38
General
-
Target
2c1cbc2299e9eba9fc52bbec2e1f315751c348d50d6af75b374b37960d0a9949.dll
-
Size
120KB
-
MD5
60f2625393e1a4a7329843c1f1204043
-
SHA1
5a2ae65052953fbb9e455434fdb5b743d8a887b1
-
SHA256
2c1cbc2299e9eba9fc52bbec2e1f315751c348d50d6af75b374b37960d0a9949
-
SHA512
df498d6608416e932d5d1b1b40e7a42b92b8769240b168847bd99ba46ef62de57e480fb41e331620ce28fd73cacbb2714a4cb5eeb9d172197fbf493db2ee1427
-
SSDEEP
3072:A0nzNx81yRFC9b5TuBAj4iLeMDVWI7Jpo5Kei:A0nznXRobwBAj9qMvnoIp
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 18 IoCs
-
UPX dump on OEP (original entry point) 19 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbc2299e9eba9fc52bbec2e1f315751c348d50d6af75b374b37960d0a9949.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbc2299e9eba9fc52bbec2e1f315751c348d50d6af75b374b37960d0a9949.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76cce0.exeC:\Users\Admin\AppData\Local\Temp\f76cce0.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD57fc7c903f6bc99dd3cfae2d4f1aadfaa
SHA17e618042b3f3cc6feba8a4dac52e1d64e344421e
SHA25616899bc2b3fdbc34a099b766236d6330c5818331c16d00f0501658503fe5ce6d
SHA512e4fb36538cd0a2ee1798975320fa907cee538991a25dc73ad61e841731d8b950628995b97a8ce05b77eb815f80045de1429cebfcd63f4b30ccc421822a429fc9
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
72KB