Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-05-2024 02:21
General
-
Target
a543c7fa595125deac44d9b476386f4dccdd659c7490fb2aca85a3ba360463ac.dll
-
Size
120KB
-
MD5
3613c395cf26bbf9054e7663c70e59fe
-
SHA1
beb5c2055d48ea35ec9f6c94f4b3c3d05604709b
-
SHA256
a543c7fa595125deac44d9b476386f4dccdd659c7490fb2aca85a3ba360463ac
-
SHA512
157a61f6b9e08442b2342c624f13721aba5719671bae8be5a667bdcff6177a6fb4f48f8e1fe694ba1ea35dd2d9bf2c333f399d423dbc70334d81c688364983eb
-
SSDEEP
1536:HOaCpdvuH6Hy8YoGoc4eQVREZ51f+OXRoGKcW4wsG+jWh2LibZuTp:HzkbFYoGoc4DVRmHf+coLcOlv
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a543c7fa595125deac44d9b476386f4dccdd659c7490fb2aca85a3ba360463ac.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a543c7fa595125deac44d9b476386f4dccdd659c7490fb2aca85a3ba360463ac.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f769203.exeC:\Users\Admin\AppData\Local\Temp\f769203.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76957c.exeC:\Users\Admin\AppData\Local\Temp\f76957c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76abf8.exeC:\Users\Admin\AppData\Local\Temp\f76abf8.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5e2d4b822c67d0e7e6b5a06b9b3ca26cc
SHA153f0eb9ef187f37fa29ceefee6ab57ddeb7d1f58
SHA25648653dd954b5a6bd36a17bf8cf7ac3bb14ff3d8edd987483c81e2c07df5c150a
SHA512e4f4801933c78474204448925dcfe82194fa9da3987392d596a0db62a71dde15370def51a5cfb0ac69805e3bb18e64024929ed1490feeff77c68b3dcf0619ed9
-
Filesize
97KB
MD535b89fa336e27040b45635c4763dbd0d
SHA16777cd1abce7acca47aa26a1fc51882e3f4d8b16
SHA2565d69b72c6914daa11c13d4abf89105348a96f4fc37f9c2c2581421baa84d87bb
SHA512d2a6804cfbda74808496f854ff483576065454e1b3b6cb4d797775781547e1a64676f9b72577c537e2694081ac6a3ed75c11129c325067210af72fff281d1dae
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB