Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-04-2024 13:51
General
-
Target
1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll
-
Size
120KB
-
MD5
e984711185b1f5371ac02d2ba7e761cc
-
SHA1
3c196bb531edf489de67ce22fc9d7d7d7cb47d23
-
SHA256
1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58
-
SHA512
ab95217fca0aa3bb1d84bc63a9d24a77930894fefd2c1324d574e9c713a6f8e83f3d7d69ec4f098e62702e217a25d94fc13d4552832ef9f23f28b08e28af0ff3
-
SSDEEP
1536:+L4g9SwL/zni6+vnOS/HyanPhCmS3sbwm0GAfjFh:+f9HL/7i6+mOHPnPhbz4Ge
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1f87a1456c2b2a23e09575a5daad6258bad348b82df60886aa855fd32175fb58.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7622fb.exeC:\Users\Admin\AppData\Local\Temp\f7622fb.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f763840.exeC:\Users\Admin\AppData\Local\Temp\f763840.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76407a.exeC:\Users\Admin\AppData\Local\Temp\f76407a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7622fb.exeFilesize
97KB
MD5f7617bfc52a7e69c05e2fe31ce429986
SHA1a3d07d7e341998106cf4c3ceee22b8d9c55b6822
SHA256e568c9f3b559be7651bf22dfd8182a183fb379199fd03466d9e165f2d0f77167
SHA51277be46a0bd850ba94d4bcca5c63d8b7784e94154383d229c87423b3a499c67a0ec258f0476f3fd130f710fca68c6ce070414ae0b7f069fff230caf0304895fca
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5772b2e793560bcf24cd839bed7f3bf0a
SHA115ac88bd8f746fc1c3e8385f1f9a33f662700520
SHA25681c90c00e539db15f4cb25707e58fbd7e82740aadbe965070552d6c45012cf71
SHA512dc9a14d2ecc8b9f19583b66243cdff19b60b463d6ee49c64d0a22883dd0a956e37004f725b7f6b1ca74fecc16fd53c5eae010676a40b5efb2be4cb22bb021435
-
memory/1032-58-0x0000000000530000-0x0000000000531000-memory.dmpFilesize
4KB
-
memory/1032-84-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-18-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-60-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/1032-12-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-134-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-59-0x0000000000520000-0x0000000000522000-memory.dmpFilesize
8KB
-
memory/1032-20-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-104-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-21-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-19-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-29-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-31-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-34-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-33-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-36-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-86-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-13-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1032-15-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-82-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-80-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-79-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-78-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-55-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-62-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-16-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1032-61-0x0000000000640000-0x00000000016FA000-memory.dmpFilesize
16.7MB
-
memory/1124-22-0x0000000001F10000-0x0000000001F12000-memory.dmpFilesize
8KB
-
memory/2376-10-0x0000000000100000-0x0000000000112000-memory.dmpFilesize
72KB
-
memory/2376-38-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2376-40-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2376-77-0x0000000000100000-0x0000000000102000-memory.dmpFilesize
8KB
-
memory/2376-70-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2376-11-0x0000000000100000-0x0000000000112000-memory.dmpFilesize
72KB
-
memory/2376-8-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2376-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2376-39-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2376-42-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/2376-41-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2376-71-0x00000000002E0000-0x00000000002F2000-memory.dmpFilesize
72KB
-
memory/2704-95-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2704-138-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2704-53-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2704-97-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/3064-176-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/3064-175-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3064-106-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3064-142-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/3064-102-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3064-103-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/3064-76-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB