Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16-05-2024 20:14
General
-
Target
eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll
-
Size
120KB
-
MD5
27042f56e7b30ffabd3dc5251f673930
-
SHA1
473077f2a7a985d6853c01f091e5884cb7cdfd4e
-
SHA256
eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14
-
SHA512
a74f0a315e497f09d753a05a2f4a52bdacdd7c93cb7e696715ea75b5f060d2957d26cb4f805ddc146fd98f330786184a7ad313fd98345f1c6e47d8c149e1a66c
-
SSDEEP
3072:v1TEbizIKxzr6tiDeccQdBrTIAvw3wCsczANu/:pzB+WeT0rC3zK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\eaffcb7caefb77fd919ab1be9dc5f1e5bcb77d561e62a4e0f334229d86a66a14.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768131.exeC:\Users\Admin\AppData\Local\Temp\f768131.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7684d9.exeC:\Users\Admin\AppData\Local\Temp\f7684d9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f769bb3.exeC:\Users\Admin\AppData\Local\Temp\f769bb3.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD5bcf28b809dfc0e96aa0b1c1a80bf5e5e
SHA1306b85b8ce93fe26bdd6aef578b685b16ad9bc3f
SHA2569b818678b7acccc54f2c2cb00014bca9b8aad4c67f52cd8ea10c269a0c9b86e0
SHA512fe419f20d75616e99b735e2292b6568d29cc853d062d2502dbff63e9af479d21c31d79f00a1047cc2f0175c7b99794a2a4c85589c7994682938e2bb26e294880
-
Filesize
97KB
MD57ce4fafacb138d70c7103a92272aff53
SHA1e3ceebce6283be7f4c0b2db998b4f82aebf4fff5
SHA256b7ce269805b7f3fb1bfc61cafd6357c01ab7a37c9fa2d74837404cbfd09cea84
SHA512c3327e15e68eb41db82590e97d46f92f58903b615fa97e5a2dd345eaa0a4627aadb08f71a8692dbcecef93097e3ff148a25b453d2df9de30d79f8e110bd70aaa
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB