Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
21-05-2024 06:05
General
-
Target
f7462da9ffe4521da7316b26060466faaa4983998512a233673e46185981bd48.dll
-
Size
120KB
-
MD5
7e9cef318d8f37a1ba44a4a3146de478
-
SHA1
16fb6be0650f787c1e7181d3cba8f339d95c288c
-
SHA256
f7462da9ffe4521da7316b26060466faaa4983998512a233673e46185981bd48
-
SHA512
e6e7be221c5b9cfb1b91cb872f110bf5e70d9a07c372f367edcbcfcbf39e38275f046d8510301113b60e090627071d30cff75878d1a0c4da7495682be7cc82d8
-
SSDEEP
1536:IAFI3WgACSo/GEiRJV9FIs1SrLiD35zeHAQTbncFSfT0oGLiqwL:3O3WgAdcGVlD10GJiHAQXceT3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7462da9ffe4521da7316b26060466faaa4983998512a233673e46185981bd48.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7462da9ffe4521da7316b26060466faaa4983998512a233673e46185981bd48.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760fe8.exeC:\Users\Admin\AppData\Local\Temp\f760fe8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76115f.exeC:\Users\Admin\AppData\Local\Temp\f76115f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76310f.exeC:\Users\Admin\AppData\Local\Temp\f76310f.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5f9b44a13b34947031cf586171dccedda
SHA1f9ccd0495406a8dd81068bf145959456fc762eaf
SHA25625aa0acf85906140daeb9c4a87f957f733c5ad881dbda924ccc984e1ef018e08
SHA512c010df7879938e1ac8b625d9aeb5d94117e03c0c189dabeb8213eb2d7ebf8ec60477506a1b495e9e5104d9dc081ad2041a50bad9f203adc9f7b489df42bd05ec
-
\Users\Admin\AppData\Local\Temp\f760fe8.exeFilesize
97KB
MD57c51a99bd5b4cef671870bfedcaf0ee7
SHA132201d67393cb100b8e6bb80dea7e8c41e8552fe
SHA256788d5156cee080a8f379cac969c8572363df0c6f5a9192f377e6cecb9422cb38
SHA51283e97b328c3be3541c8c747adb4b5718baf9e11a7f30c5275802cf877bda88117a363d978eeaf1c685ee0522e385a71d8bb4c3d7789b12c164b18382b087c67b
-
memory/1072-28-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1640-62-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-118-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1640-18-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-19-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-21-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-49-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1640-64-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-65-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1640-48-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1640-22-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-142-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1640-141-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-20-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-46-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/1640-80-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-105-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-104-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-63-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-16-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-17-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-15-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-61-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-14-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-103-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-12-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-101-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-67-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1640-81-0x0000000000680000-0x000000000173A000-memory.dmpFilesize
16.7MB
-
memory/1904-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1904-59-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1904-76-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1904-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1904-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1904-58-0x0000000000230000-0x0000000000242000-memory.dmpFilesize
72KB
-
memory/1904-45-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/1904-56-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1904-36-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/1904-35-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2460-99-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2460-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2460-97-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2460-96-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2460-180-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-175-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2472-91-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2472-92-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2472-98-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2472-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2472-150-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2472-176-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB