Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-04-2024 20:49
General
-
Target
c7ade882c9e3d3c7d9ddfdecccf2389f64357ee87eef4a5e98630e00da758551.dll
-
Size
120KB
-
MD5
7a253dc8d67931c56ef51cfe9c86e1e0
-
SHA1
c44460fc23c253f2cfaa8ac53d93c05728a3763e
-
SHA256
c7ade882c9e3d3c7d9ddfdecccf2389f64357ee87eef4a5e98630e00da758551
-
SHA512
332d50852381800e7c2c1675b25c912850b9822788eb42cbc99a85edb5fcbe6cf24ceb3d7bd99a248eea0b0df9d7c739f25bb6184d74465b58fae7a41623ac62
-
SSDEEP
3072:z6o5fYOU4nCAhcdoga5yJ0dn2V1kPEWJ:zhpYkCazga5yJFsEW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ade882c9e3d3c7d9ddfdecccf2389f64357ee87eef4a5e98630e00da758551.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ade882c9e3d3c7d9ddfdecccf2389f64357ee87eef4a5e98630e00da758551.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7617d4.exeC:\Users\Admin\AppData\Local\Temp\f7617d4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761d70.exeC:\Users\Admin\AppData\Local\Temp\f761d70.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f7633ae.exeC:\Users\Admin\AppData\Local\Temp\f7633ae.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7617d4.exeFilesize
97KB
MD5f59b49647df2775f80f9587fc325673b
SHA1032bd172edab0bacffa526068e1e9b9770ba6c55
SHA256dec97f6b21c2c69ec42264e1ba681ae54b5f20e9f3c4553bbf06c1b264d8e33f
SHA512a4b4963041c75e587d5b2902e8eaee2e201e4eececd988949d7f351a2d9586a7e563abf771f5749967ee89a97814e3f9ebb145f974138a3d93004c27c5614ff0
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f322c941ff116a2d46fc12ccc8bec53d
SHA14782c4d64efd99f4362f24c813c45c65f71e7e11
SHA256a3f4095c1a8ffa78ca78fe85a3db7efe8335368475311e4e1d10d6af0e8dab8c
SHA512d1a69aba2820aec94989590f2fe0667dc32a5a2123c1102ff71e2b3da7be403de60be91b539394f7014f3680637732f829d764f4808f5b1d890e130d58805259
-
memory/380-58-0x00000000018F0000-0x00000000018F1000-memory.dmpFilesize
4KB
-
memory/380-82-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-15-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-9-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-17-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-21-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-24-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-26-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-140-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-59-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-103-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-84-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-14-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-80-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/380-60-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-47-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-76-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-63-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-29-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-62-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-57-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/380-35-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-107-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/380-79-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/380-61-0x0000000000660000-0x000000000171A000-memory.dmpFilesize
16.7MB
-
memory/780-186-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/780-147-0x0000000000920000-0x00000000019DA000-memory.dmpFilesize
16.7MB
-
memory/780-78-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/780-102-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/780-99-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/780-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/780-187-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1076-16-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2000-94-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2000-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2000-51-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-49-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-34-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2340-44-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-33-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2340-12-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2340-30-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2340-72-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2340-74-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2340-28-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB