Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
18-05-2024 10:14
General
-
Target
0507872e031c245ec65195dea3229470.exe.bin.dll
-
Size
120KB
-
MD5
0507872e031c245ec65195dea3229470
-
SHA1
9bfc75c73b52142c1d2db8c7dc7d2b25a67b44c2
-
SHA256
8eab44941d3be506e2149d30d4817bf6874791ab01a6a743f579a88b0af373e7
-
SHA512
646894012737faae1e1afd75d7a0c7cfb3d683c27e36c127495b53ff9ee3227c6f5dab1e265132ebbb9dd0b03e003d4e49b405269da7870f7f75827840e8fca1
-
SSDEEP
1536:2/bqK7nO3SMcJMkC3DNUXbU2uUkBUCNyaZmPs7SNyVAUk/zqTRjJvwrO5/wM/beJ:2zf7KMMR354JmxqRUDv6u/w6beF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0507872e031c245ec65195dea3229470.exe.bin.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0507872e031c245ec65195dea3229470.exe.bin.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f762ff6.exeC:\Users\Admin\AppData\Local\Temp\f762ff6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7631ab.exeC:\Users\Admin\AppData\Local\Temp\f7631ab.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f7651a9.exeC:\Users\Admin\AppData\Local\Temp\f7651a9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
256B
MD559bac541b1e0992090bb4a48478445d4
SHA1142350e418fdb5e15a6dd2da98102ec1fefe1e04
SHA2562c633a330cae07fc65b6934a1dc3d67d48a4d5d80162b352aa13acd49f24a3a6
SHA512a264d0e78780b9722fdae064bc90d6001b30f0f84e0602c923a429cfb8586af3386c2d834959da645c5edfaf55c365676990655f1cf5550703b66e59ca7234da
-
\Users\Admin\AppData\Local\Temp\f762ff6.exeFilesize
97KB
MD50c48a8cc52278600b2a42404c33bd1cf
SHA1ca8197097289d3892bb59109f3b07f1cd5a9edcf
SHA256e179e774b601413dc1039bd3e697ee1e71d2a052e3cf8e73f50042cb8f0003e4
SHA512eda872fde11a8f0a9ca6e6174caca9cc34e709955d0fbeb5bcccfffb5e2cb67754c35200da412100a9712176f909b487c6ae11c2258e586261255acf51894a48
-
memory/1032-104-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/1032-103-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/1032-87-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1032-106-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/1032-208-0x0000000000A60000-0x0000000001B1A000-memory.dmpFilesize
16.7MB
-
memory/1032-169-0x0000000000A60000-0x0000000001B1A000-memory.dmpFilesize
16.7MB
-
memory/1032-207-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1104-31-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2056-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2056-13-0x0000000000170000-0x0000000000182000-memory.dmpFilesize
72KB
-
memory/2056-3-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2056-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2056-58-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2056-12-0x0000000000170000-0x0000000000182000-memory.dmpFilesize
72KB
-
memory/2056-61-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2056-60-0x0000000000280000-0x0000000000292000-memory.dmpFilesize
72KB
-
memory/2056-85-0x0000000000170000-0x0000000000172000-memory.dmpFilesize
8KB
-
memory/2056-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2056-43-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2056-42-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2056-41-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2148-20-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-25-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-17-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-23-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-18-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-63-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-65-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-64-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-66-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-68-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-69-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-70-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-71-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-72-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-49-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/2148-21-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-88-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-89-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-14-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2148-15-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-51-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2148-19-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-22-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-24-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-128-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-152-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2148-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3036-107-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/3036-99-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/3036-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3036-105-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB