Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
23-04-2024 04:22
General
-
Target
d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll
-
Size
120KB
-
MD5
c50a76afc0a61ae93d077a45dad04605
-
SHA1
e5127eddb59d758fddb919ddf8d0bd916baf3d4b
-
SHA256
d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5
-
SHA512
84479c6faf26e08dcb2ae15730fad3579e5c9578601262a990ff95d8c4223221327de010c07c63ab1b9f0af5bfa5a85a49f61bd0fe71e40a1992fdd2ab9c448e
-
SSDEEP
1536:9nEH/Uv9R3f9sx0CrJIXWn4xjp6uAwxYnnXrC4T7Md0lvOGy8k+MW4W8J52:VOUlR3ax0syX76lweXx7Bbk+8W8j
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d58d9d24bb1599fc38c1065724b13fcd0402b1d8dca6ac1d2423ea54be6136d5.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760696.exeC:\Users\Admin\AppData\Local\Temp\f760696.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760bd3.exeC:\Users\Admin\AppData\Local\Temp\f760bd3.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76226f.exeC:\Users\Admin\AppData\Local\Temp\f76226f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f760696.exeFilesize
97KB
MD50e675e780b4fbea52100a50359abbf6f
SHA11b1b04ff3a8e39804bc71abcb5408639e4b99c17
SHA2564401cc67ef5556e5c94dc1fd93ba1b89722d6886ea4989bfe8773473ee2bbe1f
SHA5129d24aad2b43907c5601523b18a9bc8ba2bb26c76c744afee501912691011628f0ede9adf5bdc92a14ad26e6ab3efe92e51da02bc2d1e875097a1a2ade7315e04
-
C:\Windows\SYSTEM.INIFilesize
257B
MD57dcaacaa6fbda055757d9ead64064df8
SHA1c79fdf88d5ba84c3bc2b0945dbe0c4e40975b0f4
SHA256881d87ac20b026e357c7094724bbf0018753e984743e4eb0d199656a54e5cde6
SHA512cd95e06446eac754fbcc7065f5a8ba338bb97799bf78080513ae8e0584445a42a5c79e0dd5b48ca9980754eb03a76bc1dcc0c3dd26edbb0fcda806e0a03a9853
-
memory/840-58-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-103-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/840-16-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-19-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-78-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-14-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-22-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-25-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-149-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-59-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-120-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/840-15-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-77-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-11-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-38-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-84-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-51-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-28-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-54-0x00000000004B0000-0x00000000004B1000-memory.dmpFilesize
4KB
-
memory/840-56-0x00000000004A0000-0x00000000004A2000-memory.dmpFilesize
8KB
-
memory/840-57-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-82-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-60-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-80-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-61-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/840-63-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/1248-17-0x00000000000F0000-0x00000000000F2000-memory.dmpFilesize
8KB
-
memory/1692-29-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1692-27-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1692-75-0x0000000000310000-0x0000000000322000-memory.dmpFilesize
72KB
-
memory/1692-72-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1692-7-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1692-36-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1692-12-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1692-9-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1692-37-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1720-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1720-102-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/1720-76-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1720-153-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/1720-192-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1720-193-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/2748-95-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2748-94-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2748-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2748-48-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2748-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB