Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
22-04-2024 19:13
General
-
Target
17b015a139a4a6c7d8aaa1ce1ee2ee95d1d03bcc05b384e956cc7a8a8dcad1ab.dll
-
Size
120KB
-
MD5
1b9a9cbc455c00cf2129fe9b949d6e5b
-
SHA1
d0387854294f35f68cc66f2a0885cbea1bce41e9
-
SHA256
17b015a139a4a6c7d8aaa1ce1ee2ee95d1d03bcc05b384e956cc7a8a8dcad1ab
-
SHA512
fe87c57b31771f215c21e279fa1f2edd5c40be0e8e8a60bd704633f8e5debcc79aa38552be121e54135daea8ce0073dd0af7f4b658142f3359c07da4eaeb591e
-
SSDEEP
3072:6A/YFNveNL0cMNqiahLWv3aOYg+xnXMipFI5Y:6iYFNgLbMEigo3a8y82
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\17b015a139a4a6c7d8aaa1ce1ee2ee95d1d03bcc05b384e956cc7a8a8dcad1ab.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\17b015a139a4a6c7d8aaa1ce1ee2ee95d1d03bcc05b384e956cc7a8a8dcad1ab.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761999.exeC:\Users\Admin\AppData\Local\Temp\f761999.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761e79.exeC:\Users\Admin\AppData\Local\Temp\f761e79.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763514.exeC:\Users\Admin\AppData\Local\Temp\f763514.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761999.exeFilesize
97KB
MD5b32cc7e5882725fd52e32e23969446c8
SHA1b8a032c07aad32d3961c252e88239da6cf4e0e20
SHA2566be8223170c9c3382e26c761dbb80e38a21a25c02f61b59cbb10c6f9187cebff
SHA512a49b7ee6d478ca28bf7978892524abc5d1b6dce3d37db063b4d0564f602db91f4769a113498cde07176decbabca33b88d177681d34cbf1dfb2827cabcaab81a2
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5018bc2ebe98c387ccd238e442c97197d
SHA1aaffab7a7de8d0ed0d39fab1ab653b562ba20598
SHA2566317a0b323b840269a0f02843dd530d323cd15c60ea9c6c42cdcb9a87d40a125
SHA51277ba3b69baaa2b1d0a05283b278b04bfaf37860410714b525606e85703b3b700a1b3572a9cc7f5e44868daa29fb467a0f2db09169c029b3f9d19abdbfbfdbb83
-
memory/1260-18-0x0000000000320000-0x0000000000322000-memory.dmpFilesize
8KB
-
memory/2108-58-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-64-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-85-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-13-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-15-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-16-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-60-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-17-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-20-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-23-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-83-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-61-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-81-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-12-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2108-30-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-46-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-151-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-52-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-79-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2108-59-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-57-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2108-56-0x00000000017A0000-0x00000000017A1000-memory.dmpFilesize
4KB
-
memory/2108-111-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2108-105-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-78-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-26-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2108-62-0x0000000000620000-0x00000000016DA000-memory.dmpFilesize
16.7MB
-
memory/2464-76-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2464-104-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2464-155-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/2464-194-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2464-195-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/2556-94-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2556-96-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2556-97-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2556-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3024-33-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3024-77-0x0000000000140000-0x0000000000142000-memory.dmpFilesize
8KB
-
memory/3024-72-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/3024-11-0x0000000000140000-0x0000000000152000-memory.dmpFilesize
72KB
-
memory/3024-32-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/3024-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3024-49-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/3024-50-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/3024-9-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/3024-28-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3024-27-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/3024-10-0x0000000000140000-0x0000000000152000-memory.dmpFilesize
72KB