Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 23:11
General
-
Target
cb78e296ca257235f5f09ac395aa702add017882a7a97a03aa95f6e2592d595a.dll
-
Size
120KB
-
MD5
ce1e5bd6d3831be62f6b02eaad6d7d00
-
SHA1
3edced7231c432c4a09b273e017d2371088e6591
-
SHA256
cb78e296ca257235f5f09ac395aa702add017882a7a97a03aa95f6e2592d595a
-
SHA512
efc940462c1dc363f8ca43607ecf0b1d664a9fddc1fe2e4fd631ce7b85abdbfdd00299f16da049158339bee155760f875164f64f1a809322fdfca0b871b9528a
-
SSDEEP
1536:JlgVYx/ruJxVKmewG8IQlrLZU4X2h4YNnlBdSFOV8JOHsfxRifiZ+ApOh9dHC0e:JlxjsxV9hLJXo4OlDSMCJ4w+fevpOVC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 23 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cb78e296ca257235f5f09ac395aa702add017882a7a97a03aa95f6e2592d595a.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cb78e296ca257235f5f09ac395aa702add017882a7a97a03aa95f6e2592d595a.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7610b3.exeC:\Users\Admin\AppData\Local\Temp\f7610b3.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7616ea.exeC:\Users\Admin\AppData\Local\Temp\f7616ea.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f762c6d.exeC:\Users\Admin\AppData\Local\Temp\f762c6d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD58da11187e2066c28e58d650a1f1dbcd5
SHA16751b57075cb4535bd0ac091190417d4c09e9339
SHA256057c43df402634793f5a5255ed3837168b3cfdc189eb61204fced345495cf6cf
SHA5121e7c9f6f2f06bbb592318ab9248bd4705b7d5d45a1e691fe3eabe41d2f31f9236ae9b94be0bbc1675ec82e99ea2a677e386f5984cccd7fb86a8a83ae3153ee49
-
Filesize
1KB
MD5b360fa63134a63f9acfe046d2dfe10d9
SHA1b47a7f2ad61c79e454b55e39b0d7500aca753a17
SHA25603e0c6c4ca8a24f961477887763397045e67862e059f7494014aefc21891d40e
SHA512575673255d389fc6667f46931301925bf4bb3030d7a3f6da3d3e7d878f86bb496ad6706e20191a1daa2e177cacda9b677424327bd9d438c1ad109c4222064102
-
Filesize
257B
MD5b0bc19d6798c51cd115e2856f9e0a42f
SHA13a932e3c90b59803a3456a2895ed6a926637982f
SHA25606424720bce08cd4ae81349bce7cca0e2b82adcc4aa58e66e4b75231d92115cf
SHA512fb39775af3898bd82b20a089300c14559b133774648ed96a448a1d9dc292bb89743f059dfbb5200d7cd81ff3766dc98b33a19f5c2d00a3e10956b2322a8ad391
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB