Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-04-2024 14:01
General
-
Target
23c66b2b9d28c3e0876e5c90807b5d34685b67b073600241fece8533169e3aed.dll
-
Size
120KB
-
MD5
cebed667b3a471e339078fdd942c2850
-
SHA1
ed14da58f6faa33d158f49ef6b0b5a4041e6cb3c
-
SHA256
23c66b2b9d28c3e0876e5c90807b5d34685b67b073600241fece8533169e3aed
-
SHA512
0961ff9b42eb308627fdaf8bb57d8d6659ffb10068d17827a59b18ef78e381a95bddc3a98007106e1544e3ef4a9db441e00194e3417a7d5475b86840be5df75d
-
SSDEEP
3072:eMZu+FeCnIyznifZ/fW9PyOq1o6xYq3Xb4R:7eNy+Bg+3X
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 26 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\23c66b2b9d28c3e0876e5c90807b5d34685b67b073600241fece8533169e3aed.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\23c66b2b9d28c3e0876e5c90807b5d34685b67b073600241fece8533169e3aed.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761046.exeC:\Users\Admin\AppData\Local\Temp\f761046.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761564.exeC:\Users\Admin\AppData\Local\Temp\f761564.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762c10.exeC:\Users\Admin\AppData\Local\Temp\f762c10.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761046.exeFilesize
97KB
MD5cfbcbf19dfbdaa0734382e0a558c4842
SHA181ad048d3efba7904425d502914eef2bda1e467d
SHA256ca7f83eadd7b802f751ba211614c51d0bb27f86087c762c51981973d036d7c79
SHA5127cf2c53bbdc12776c38e57aa5a7f576c0a5af8ca7d35213f62a39a96870d7a97387a2d9eecf4793b1c27ba7729a168d2d5bbc41aced1574a072fe95ed28640b1
-
C:\Windows\SYSTEM.INIFilesize
257B
MD568c2b0260c1633175d4d8ee90db8984d
SHA1dcee63b1e6d156b2088f4efb0bf8ec587c9f8020
SHA2563326414785e1e1b4503258779bc252a2217754425811c28a3784b4e1fc5c163a
SHA512dded53ff8d571da995c3371e2df205941525d923cc80f21c742e635f2a4a85214ce308a1cd41e350d68b7146b56d99d383f050f16e99102507f0fe92ed3351fc
-
memory/544-70-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/544-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/544-72-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/544-75-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/544-27-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/544-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/544-31-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/544-44-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/544-25-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/544-32-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1112-15-0x0000000000250000-0x0000000000252000-memory.dmpFilesize
8KB
-
memory/1948-58-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-10-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-24-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-29-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-21-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-35-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1948-18-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-52-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1948-55-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/1948-53-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1948-56-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-57-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-16-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-59-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-60-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-62-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-14-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-13-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-26-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-144-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-77-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-78-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-80-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-82-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-106-0x00000000002F0000-0x00000000002F2000-memory.dmpFilesize
8KB
-
memory/1948-104-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-102-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/1948-100-0x0000000000670000-0x000000000172A000-memory.dmpFilesize
16.7MB
-
memory/2884-98-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2884-99-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2884-76-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2884-152-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2884-192-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2884-193-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2972-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2972-92-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2972-91-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2972-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2972-45-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB