Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-05-2024 23:14
General
-
Target
654c3c819cba323e39c0b0559e00fdb8ebc1158afe4737f14c5f65b4a7308d7e.dll
-
Size
120KB
-
MD5
8cf2bfbe41a50952a72d453ff8e53285
-
SHA1
9bf3b00b470f0f77f7b9c14cc5f691cad9d79d4a
-
SHA256
654c3c819cba323e39c0b0559e00fdb8ebc1158afe4737f14c5f65b4a7308d7e
-
SHA512
f5e0ab3f64610abc7093bdf7eedd4ba6b766a4056ca068b376d86eb37261dfde7a47785d3d0fec23fc03a79fd7332d9c6bac466c954eb208643545f3f24e437a
-
SSDEEP
1536:HoUEnIGDTRjdb2c1LIq/gUltBkOkDx2nqEu8VquOnMfHiqfPs0GlYs2UpcmD:CIIjD/gUltoDxYqED4uOeXs08BN
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 26 IoCs
-
UPX dump on OEP (original entry point) 30 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\654c3c819cba323e39c0b0559e00fdb8ebc1158afe4737f14c5f65b4a7308d7e.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\654c3c819cba323e39c0b0559e00fdb8ebc1158afe4737f14c5f65b4a7308d7e.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761989.exeC:\Users\Admin\AppData\Local\Temp\f761989.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761b00.exeC:\Users\Admin\AppData\Local\Temp\f761b00.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f763553.exeC:\Users\Admin\AppData\Local\Temp\f763553.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD53bd2d7305d2158005560b4af3d0f735a
SHA113ee7bc89d80c8e04468dc032e3076191b5b6623
SHA2562a63d2896d21164db8eecd60e01b955ef0d52fbc6ac65d8b45e3c6687ec5fe5c
SHA512a21562276b042fd75be7692e63bd778c8eb430ca7f1895a1e20d8fd97d5a3e2d37eb9fdeff73591ad18832b75b491b774b18cc35fb75e46b7a6f549fc235d2a6
-
\Users\Admin\AppData\Local\Temp\f761989.exeFilesize
97KB
MD51ec93b7e1a4936b8e2480d5a35b4630e
SHA1c0969fdf1d5652b4792ad47067907f9f2a4adc4c
SHA256d16566006304ffdcd0f37ad0c7816dc8b850e4e507801daa22006ada533db2d1
SHA512d7ce61490b4a85c011a01e231cb75daf260967c18d0d1c9fc024e6db0b9bbb3bc206ffaaf4c33b26ae66e92d6c30f4821f04cb7bbec824c3745e211439be2409
-
memory/1128-28-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1700-103-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1700-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1700-194-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1700-105-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/1700-102-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2076-80-0x00000000001B0000-0x00000000001B2000-memory.dmpFilesize
8KB
-
memory/2076-4-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB
-
memory/2076-10-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB
-
memory/2076-58-0x0000000000490000-0x00000000004A2000-memory.dmpFilesize
72KB
-
memory/2076-37-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2076-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2076-59-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2076-56-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2076-45-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2076-36-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2216-48-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2216-86-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-21-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-46-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/2216-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2216-49-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2216-19-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-22-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-61-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-62-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-63-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-65-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-64-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-67-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-68-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-18-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-14-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-82-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-85-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-15-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-12-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-16-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-20-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-156-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-155-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/2216-17-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-106-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-107-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-120-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2216-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2676-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2676-95-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2676-96-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2676-168-0x0000000000940000-0x00000000019FA000-memory.dmpFilesize
16.7MB
-
memory/2676-190-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2676-189-0x0000000000940000-0x00000000019FA000-memory.dmpFilesize
16.7MB
-
memory/2676-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB