Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
16-05-2024 21:19
General
-
Target
3d152ace6d135f9a6cdb078519c7726dc3bf964df27c78f7728d9bf9c0e127b6.dll
-
Size
120KB
-
MD5
2358ddf81bef6ff84f52383e30d53428
-
SHA1
9570e46297fe33515b07ca058c82556aa598785c
-
SHA256
3d152ace6d135f9a6cdb078519c7726dc3bf964df27c78f7728d9bf9c0e127b6
-
SHA512
c73a4cd8fa76575121174a204e1cd30a2209b2e7970a008ff00c751594abfb9482a31214dbf79f1fc39f430ecb77a91c553db7b6f1fa66d5ba5c28f641317aa9
-
SSDEEP
3072:ktZa4LvdDveoTppH8YcTC5vKXxR8R8twx60oU:ktZaalDm2pt8YcTYiERex0o
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3d152ace6d135f9a6cdb078519c7726dc3bf964df27c78f7728d9bf9c0e127b6.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3d152ace6d135f9a6cdb078519c7726dc3bf964df27c78f7728d9bf9c0e127b6.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7605da.exeC:\Users\Admin\AppData\Local\Temp\f7605da.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760770.exeC:\Users\Admin\AppData\Local\Temp\f760770.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f76279d.exeC:\Users\Admin\AppData\Local\Temp\f76279d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5cf5d166fd1f14799dcae5121c4e5a3e8
SHA1203a6de422cc40ada201d4afb70954e8db186e31
SHA256d5d6a8ac94189fc7f1b3bec3ce587c56b30f9faa5e4ab73b0b683ae1c03d0d14
SHA51283225f297d6689777419e720dd74cef7c4882454e612ad4b628658706eeac0e6da52c359cb1eb86957bed6c1138001e289016bb6e5d6b23572ecfa859d107b48
-
Filesize
257B
MD5ded6dd958049d2353c8d5e6fab74ba33
SHA1dc7352415864f3f8b4ed381208797aabb441bb0b
SHA25626e07d8bfbf08dcd21f99dd91dbc9adb63940987826a0728f225e4a40660f5bf
SHA51280cf2e8c60a21e5a94a78fb81ac92bb9c832cc5eb830dfc3a3d3f7ae5a4ae453e22cbe110f801487ff309fe09b78e78066c11140d61f8c6d10dd544ae1fabd5c
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB