Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-03-2024 22:45
General
-
Target
7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll
-
Size
120KB
-
MD5
fcbcf77150ca5112fce1b817a4a1b3db
-
SHA1
59afc16ed04e2a0227396e612af85108d67459e2
-
SHA256
7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc
-
SHA512
a982501966ff468566cbeee167902619dc9932f53d1c1a8c75359280cddbc48420bc3713e6595cfff2cbd9566ef17f1a91ce6b7f27222bf7e818ab8dde76a41c
-
SSDEEP
1536:mA2Q+04VpKsW/WgZg0E91pmVZ5+jEZSpjxyEKWRiNJLq1o8Kz1Oh:d2QsVpKjugZC7mB+Djxy8YJLqitzw
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7fc76858ae2b46459ea227cc37f165618e5f76824feae14eaae2b81d0d15e8cc.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761258.exeC:\Users\Admin\AppData\Local\Temp\f761258.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7617c5.exeC:\Users\Admin\AppData\Local\Temp\f7617c5.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762e32.exeC:\Users\Admin\AppData\Local\Temp\f762e32.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD534199ce81c36603fba0a5a5b2fb1c397
SHA1d704767766eec0a2eb887cae4a5ad0c4e0b296e2
SHA256e2c8db94b8eb8583d88c3ea696eec71eb5edbe30b227fc584f92434ff08d929b
SHA512e545d4cde55efb749d78015ec2d7aa6fd2334f0c49093de57fa5eb08047791d5a4f3484222fcd0c4243bed564d230cab647fbad24ffb86cc547243b06adeabd4
-
\Users\Admin\AppData\Local\Temp\f761258.exeFilesize
97KB
MD53092b9c954315681ab20f856cf2d5169
SHA191e526ca4c868f94b1bfa6bc9c112a27eaf64513
SHA2564e40f2d2f3cf82aec8d199930ad3a7e6a6acba17e4980663ea88079f3e996f13
SHA51223ed51f2a0af5bd70d398113acbf2c80f21e67076ee5326fc08a82371051021ac0a125aeba655f928f9c1e06a84334113e4019f5243d4dd578bb5f82e473b049
-
memory/1060-16-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1244-61-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-106-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-62-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-14-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-64-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1244-17-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-19-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-21-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-24-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-142-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-27-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-31-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-80-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-104-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-103-0x0000000002F80000-0x0000000002F82000-memory.dmpFilesize
8KB
-
memory/1244-85-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-83-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-57-0x0000000002F80000-0x0000000002F82000-memory.dmpFilesize
8KB
-
memory/1244-56-0x0000000004230000-0x0000000004231000-memory.dmpFilesize
4KB
-
memory/1244-58-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-59-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-60-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1244-12-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-15-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-33-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1244-81-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/1744-35-0x0000000000700000-0x0000000000702000-memory.dmpFilesize
8KB
-
memory/1744-8-0x0000000000650000-0x0000000000662000-memory.dmpFilesize
72KB
-
memory/1744-72-0x0000000000700000-0x0000000000702000-memory.dmpFilesize
8KB
-
memory/1744-75-0x0000000000880000-0x0000000000892000-memory.dmpFilesize
72KB
-
memory/1744-77-0x0000000000880000-0x0000000000892000-memory.dmpFilesize
72KB
-
memory/1744-10-0x0000000000650000-0x0000000000662000-memory.dmpFilesize
72KB
-
memory/1744-32-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/1744-30-0x0000000000700000-0x0000000000702000-memory.dmpFilesize
8KB
-
memory/1744-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1744-37-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/1744-78-0x0000000000650000-0x0000000000652000-memory.dmpFilesize
8KB
-
memory/2428-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2428-94-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2428-95-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2428-147-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2428-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2660-102-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2660-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2660-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2660-152-0x0000000000A00000-0x0000000001ABA000-memory.dmpFilesize
16.7MB
-
memory/2660-191-0x0000000000A00000-0x0000000001ABA000-memory.dmpFilesize
16.7MB
-
memory/2660-192-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB