Overview

overview

10

Static

static

3

aeca71a100...96.dll

windows7-x64

10

aeca71a100...96.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aeca71a10078316edb5388060c90b3e17e77abd5e903beb6033f1cc0bfb84396.dll

  • Size

    120KB

  • MD5

    f82fc4d5bd9121b1968626ad93170e9f

  • SHA1

    735922319758e5edd836e10cd5e8b27c703f5d47

  • SHA256

    aeca71a10078316edb5388060c90b3e17e77abd5e903beb6033f1cc0bfb84396

  • SHA512

    6f6fc9a6c602ca2a7c521b0c3b84919f37ce95a3a8f2ac58f4f5111cafff9b1bfd48f20e8f8838ac2c795b791ad062c76a90249aff0bd3de4c5be85c065d5711

  • SSDEEP

    3072:DrLhOcs/XPkLLgZzYjkdlAZXk/BTZhxm5:DrLQcsfPm6HAZX4NLxm5

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 27 IoCs
  • UPX dump on OEP (original entry point) 30 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 11 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1256
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeca71a10078316edb5388060c90b3e17e77abd5e903beb6033f1cc0bfb84396.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\aeca71a10078316edb5388060c90b3e17e77abd5e903beb6033f1cc0bfb84396.dll,#1
              3⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2368
              • C:\Users\Admin\AppData\Local\Temp\f762146.exe
                C:\Users\Admin\AppData\Local\Temp\f762146.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2864
              • C:\Users\Admin\AppData\Local\Temp\f7626d2.exe
                C:\Users\Admin\AppData\Local\Temp\f7626d2.exe
                4⤵
                • Executes dropped EXE
                PID:2528
              • C:\Users\Admin\AppData\Local\Temp\f763d4e.exe
                C:\Users\Admin\AppData\Local\Temp\f763d4e.exe
                4⤵
                • Executes dropped EXE
                PID:2444
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1600

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \Users\Admin\AppData\Local\Temp\f762146.exe
            Filesize

            97KB

            MD5

            4fb052a8bd0fd48ea0e46487925846ab

            SHA1

            4ceb211328b88215792e6fc2e2bb5bccafe2b616

            SHA256

            d2d7d835e41e537e4f771c0a78446651e45afd8282bfcf85906ad3a65249b027

            SHA512

            2a4e0fb199bdc3a7f42c0bfaa67b5655e310f83dbcca87963cf154512476013dbcd322bd2d4b39242f7a048eb08da76e11ba6f5ea9c56212b3432a77d0946afc

            Download Submit
          • memory/1108-16-0x00000000001D0000-0x00000000001D2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2368-77-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-71-0x00000000001B0000-0x00000000001B2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2368-10-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-45-0x0000000000300000-0x0000000000312000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-76-0x0000000000300000-0x0000000000312000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-4-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-47-0x0000000000300000-0x0000000000312000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-73-0x0000000000300000-0x0000000000312000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2368-30-0x00000000001C0000-0x00000000001C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2368-1-0x0000000010000000-0x0000000010020000-memory.dmp
            Filesize

            128KB

            Download
          • memory/2368-28-0x00000000001B0000-0x00000000001B2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2368-36-0x00000000001C0000-0x00000000001C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2368-33-0x00000000001B0000-0x00000000001B2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2444-79-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2528-50-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2864-29-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-12-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-26-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-35-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-57-0x0000000003F60000-0x0000000003F62000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2864-23-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-20-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-58-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-59-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-60-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-61-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-62-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-17-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-15-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-14-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-49-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-78-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-11-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2864-80-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-81-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-83-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-85-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-87-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-89-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-91-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-95-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-99-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-101-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-103-0x00000000005B0000-0x000000000166A000-memory.dmp
            Filesize

            16.7MB

            Download
          • memory/2864-110-0x0000000003F60000-0x0000000003F62000-memory.dmp
            Filesize

            8KB

            Download