Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
30-03-2024 23:58
General
-
Target
e66bc3f14f66331f4a5026ddea4e5ec2b7659bb8dc2a297481e5601c3e3469c2.dll
-
Size
120KB
-
MD5
62e2fe16d0d00991068df89c75f9d3c4
-
SHA1
472b9d4a9506ddb68250b80a3cbd4bf805e012e6
-
SHA256
e66bc3f14f66331f4a5026ddea4e5ec2b7659bb8dc2a297481e5601c3e3469c2
-
SHA512
d448b41fcb8b88722ceba820fd4bc7b798e765f5dab152a4506c7c6d04b1bbc852df3a6d7050a1a8186d17ff071013e5d1fc1c5127b090e3f68be2e9a7a2c700
-
SSDEEP
1536:Yhn9R1VhXm4FD2L8ttmZP/71/xyFIeXS0eyjsqxwgWMtj6bpsRWsuKtDa/BCfLPc:YV1HWXAttml71aI2huSutsR3uKtDaZ+
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e66bc3f14f66331f4a5026ddea4e5ec2b7659bb8dc2a297481e5601c3e3469c2.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e66bc3f14f66331f4a5026ddea4e5ec2b7659bb8dc2a297481e5601c3e3469c2.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f764a68.exeC:\Users\Admin\AppData\Local\Temp\f764a68.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7653ac.exeC:\Users\Admin\AppData\Local\Temp\f7653ac.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f766690.exeC:\Users\Admin\AppData\Local\Temp\f766690.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\f764a68.exeFilesize
97KB
MD52b10147a33a013104055722cec0823ae
SHA1d89b6e5ef2fee44d32c4a3f0e8b65652c09e5507
SHA25615f136582dab071793468d0ff1daeb49fbb71518c09fd2ce8a3e75486422432d
SHA51268ee3e2867673d5774ca41048a09d9ced593dc5d569d06eb1ffbaaf818e7c7b349dd8c47847884c504fb8efbabd949e3d5c144078c4e46cbbb06c86ea5ec2e5f
-
memory/1084-17-0x0000000000560000-0x0000000000562000-memory.dmpFilesize
8KB
-
memory/2012-112-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2012-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2012-142-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2012-111-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2012-143-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2016-10-0x00000000001F0000-0x0000000000202000-memory.dmpFilesize
72KB
-
memory/2016-47-0x0000000000710000-0x0000000000722000-memory.dmpFilesize
72KB
-
memory/2016-12-0x00000000001F0000-0x0000000000202000-memory.dmpFilesize
72KB
-
memory/2016-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2016-80-0x00000000001F0000-0x00000000001F6000-memory.dmpFilesize
24KB
-
memory/2016-28-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2016-33-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2016-76-0x0000000000710000-0x0000000000722000-memory.dmpFilesize
72KB
-
memory/2016-36-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2016-74-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2016-38-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2016-49-0x0000000000710000-0x0000000000722000-memory.dmpFilesize
72KB
-
memory/2016-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2136-60-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2136-82-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2136-59-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-51-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-62-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/2136-46-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-63-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-64-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-65-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-34-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-25-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-22-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-19-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-81-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-54-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-84-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-88-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-90-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-13-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-136-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2136-99-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-16-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-15-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2136-121-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/2136-113-0x00000000006A0000-0x000000000175A000-memory.dmpFilesize
16.7MB
-
memory/2472-137-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-98-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2472-97-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2472-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB