Analysis
-
max time kernel
27s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 21:28
General
-
Target
524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll
-
Size
120KB
-
MD5
2289adfc0e5677631294a183d498064e
-
SHA1
1a1af5600aa0d8b7f08cf7df882f270a4f42d071
-
SHA256
524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115
-
SHA512
a390934d285544f44b132f2ccb0796a4443be0fbd0e9b1ff7b50336c4e9f9f7c06882a700f704e243c739271c89bc49ef83843fa2be4ad11492d9df64a6ce991
-
SSDEEP
3072:O8WntAQL/+GsgtUi2wAuzsSOWjQEcpAqmqS5Yit5fVHW:it56Gs5KX0f+qkB5fVHW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\524e94735a951a9e778b45132075f073d344c732e4c8502973060c8c32ce6115.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7629af.exeC:\Users\Admin\AppData\Local\Temp\f7629af.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762be1.exeC:\Users\Admin\AppData\Local\Temp\f762be1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f764569.exeC:\Users\Admin\AppData\Local\Temp\f764569.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5528cf456e7b9d6b80485f51a2bb1e707
SHA1ced162d61d17ad41f4a4faed8b87c953653cd1db
SHA256944f6c6d0e363491514117a3ec61de6705693bf345bef67844cff72322027fdd
SHA51291a918dc115bb6d32bffe3615e7ad94826e30b9ba7eeefb621fcbad6faad67b1ea8f5850dc75adc90b8f70e50f0608c25e5de1a44471b4abf017eed1e3f39b1b
-
\Users\Admin\AppData\Local\Temp\f7629af.exeFilesize
97KB
MD5aa951a8c02c8153ab05902165b878006
SHA1691dae5ec1572a70698ab3d9690fec2a03d65d81
SHA2568ddc10542a0283e0d8e121bee10db6e780585283b349ffe724676e2a28369cb8
SHA5127c300ce8bd5472681717a3c7140c5f629e768a102c4685b10210950becacad5eb03feb769d5138819ec6814c48427c8d68a89a4b50c196edc662991425f83a22
-
memory/1112-26-0x0000000001ED0000-0x0000000001ED2000-memory.dmpFilesize
8KB
-
memory/1752-56-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/1752-34-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1752-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1752-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1752-33-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/1752-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1752-43-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/1752-52-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/1752-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1752-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1752-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1752-55-0x0000000000260000-0x0000000000272000-memory.dmpFilesize
72KB
-
memory/1752-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2232-57-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2232-104-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2232-106-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2232-97-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/2232-171-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2420-19-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-86-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-23-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-22-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-20-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-53-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/2420-15-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-63-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-64-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-65-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-66-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-67-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-69-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-70-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-14-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2420-44-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2420-84-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-25-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-88-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-24-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-17-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-149-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-21-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2420-18-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-108-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2420-126-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/2696-103-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2696-107-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2696-105-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2696-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2696-170-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/2696-205-0x0000000000900000-0x00000000019BA000-memory.dmpFilesize
16.7MB
-
memory/2696-204-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB