Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
31-03-2024 19:01
General
-
Target
07de2e74ad0d4f979e5d40276151d19a11db4a463435650ba85056647037dc34.dll
-
Size
120KB
-
MD5
5fccba2c81a1ce9e514d6349171c0419
-
SHA1
2c039af667d1766109af6188685a032f579d9dd1
-
SHA256
07de2e74ad0d4f979e5d40276151d19a11db4a463435650ba85056647037dc34
-
SHA512
95625852823c6b503c707dd459e31ea1411299bd6edadf03a665d4aa0ad5c1c2224e2d1b0852cb8e5081ba79dae5655f5859e39a630d58e8c498910f6e386e3b
-
SSDEEP
1536:UKyms0Sp1N71k2O6QVJ+UwcTGzfyc7bQ/+yUwMJ1ofU0GXycSVzJvQ5PLI3:UKMd1N7F8Jtwzc/bHM/ofmXyTVzJwk3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\07de2e74ad0d4f979e5d40276151d19a11db4a463435650ba85056647037dc34.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\07de2e74ad0d4f979e5d40276151d19a11db4a463435650ba85056647037dc34.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761610.exeC:\Users\Admin\AppData\Local\Temp\f761610.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761bbb.exeC:\Users\Admin\AppData\Local\Temp\f761bbb.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f7631f9.exeC:\Users\Admin\AppData\Local\Temp\f7631f9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5e6f0585b775ae1d2235bd987c54cd167
SHA1846968c6fae945b8ad57be6ec4a4478ed0532b9e
SHA2565cd8cdcb51f9387896c91e7fb57f2ac20926e877394dbe41594b34794250a0de
SHA5120d4b8eec0ce189d0d5ad8d3ba7af159ef87b2fffada1801d670d91ac90b3944c8ca0067e2c197f157784f0b87ab4beddb73a799fb45fd2487a8c99eb3974e928
-
\Users\Admin\AppData\Local\Temp\f761610.exeFilesize
97KB
MD5e007fed18a7a5215290761cbec220a50
SHA133a39d38863e2b8d1dace6291296c7633e946162
SHA2563555ed1005129c9596056617162df43448612cb4898f997b7f807a7f991387a4
SHA512ccf6a99d0c4f3a2fe7da3d296bbd9008f9eacac1ea661f1c6770d759c30d88adc220566b1d346c7104b49403660d9b21c02c21aaed34e1363e994b84eed845b3
-
memory/1060-16-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2076-71-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2076-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2076-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2076-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2076-33-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2076-34-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2076-31-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2076-29-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2076-74-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2500-147-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2500-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2500-99-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2500-101-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2500-189-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2500-190-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2972-58-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-79-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-30-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-54-0x0000000001650000-0x0000000001652000-memory.dmpFilesize
8KB
-
memory/2972-56-0x0000000001660000-0x0000000001661000-memory.dmpFilesize
4KB
-
memory/2972-57-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-35-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-59-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-60-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-61-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-63-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-26-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-23-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-76-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-21-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-13-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-81-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-83-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-10-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2972-18-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-15-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-102-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-108-0x0000000001650000-0x0000000001652000-memory.dmpFilesize
8KB
-
memory/2972-141-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2972-14-0x0000000000590000-0x000000000164A000-memory.dmpFilesize
16.7MB
-
memory/2996-145-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2996-94-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2996-93-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2996-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB