Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
21-05-2024 19:02
General
-
Target
16b4dfc06457a6bcfd10a4d7543c4a8f5aed127719d16a730e95ee08e4bd7328.dll
-
Size
120KB
-
MD5
9a9a328c781a0fcbeab84401750ab0b3
-
SHA1
856a320f326bb622de155f0e206892db0490d43e
-
SHA256
16b4dfc06457a6bcfd10a4d7543c4a8f5aed127719d16a730e95ee08e4bd7328
-
SHA512
e88fdfe1e86d2f2baeead719a1ee0bed84b5c70e1f19c3f38a43f3291ccca505e2f2e6f27b3a8fb1d2484ec90af377139fce793779e079687e811990c1e6d7d1
-
SSDEEP
1536:xQRskiO82WOFJnxM7YtICBqLSqKfe/sA2CZeMo1zJVTDwffOwe53UKl4Op2:xXO7JxM7/C4SqV/p26eHTVTcfWKKl3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\16b4dfc06457a6bcfd10a4d7543c4a8f5aed127719d16a730e95ee08e4bd7328.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\16b4dfc06457a6bcfd10a4d7543c4a8f5aed127719d16a730e95ee08e4bd7328.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761304.exeC:\Users\Admin\AppData\Local\Temp\f761304.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76148a.exeC:\Users\Admin\AppData\Local\Temp\f76148a.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762edd.exeC:\Users\Admin\AppData\Local\Temp\f762edd.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD588f248751c931d20aa112190baf53451
SHA190db7f86a4911f5f3a72246bd37dbbb6b0fb5724
SHA256af91e3f44bb628da57febbf71dbde03982563eef383cd287acaec8a0fb4a9a2e
SHA512f658bcffa552f0d604dc77f048eac0e94899fa6d3dc0ff55fc43af67a42d992e78d39390abd8426d5885b5771ce74598fd1c23283958de8f285dc435a52dab2d
-
\Users\Admin\AppData\Local\Temp\f761304.exeFilesize
97KB
MD55e1e7322707fe9f471fcb71dbc7019a2
SHA123ded2e8f9c6dbede023357c9e8db3349680074c
SHA2566f69c25685f41b3f7ddfab8026c4cd3a4c0d20ba5cfeb5a34a982db31ee30cb1
SHA512f405059b1dc75e453437610a0be53618dde2cd469b30aa9f9a1e543fd76ca431725b97022af55d09e3e3f344dfaab793574bada86d01c19a58088f1a903724e5
-
memory/1108-29-0x00000000020F0000-0x00000000020F2000-memory.dmpFilesize
8KB
-
memory/2096-63-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-18-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-64-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-19-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-65-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-153-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-17-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-115-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-48-0x00000000004A0000-0x00000000004A1000-memory.dmpFilesize
4KB
-
memory/2096-50-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2096-22-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-20-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2096-79-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-107-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-105-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-59-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/2096-14-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-15-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-23-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-103-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-21-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-102-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-149-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2096-16-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-82-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2096-80-0x00000000006C0000-0x000000000177A000-memory.dmpFilesize
16.7MB
-
memory/2116-47-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2116-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2116-74-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2116-60-0x0000000000210000-0x0000000000222000-memory.dmpFilesize
72KB
-
memory/2116-10-0x0000000000180000-0x0000000000192000-memory.dmpFilesize
72KB
-
memory/2116-9-0x0000000000180000-0x0000000000192000-memory.dmpFilesize
72KB
-
memory/2116-38-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/2116-37-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2116-61-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2116-77-0x0000000000180000-0x0000000000182000-memory.dmpFilesize
8KB
-
memory/2116-57-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2212-205-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2212-171-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/2212-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2212-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2212-99-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2212-204-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/2212-78-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2644-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2644-154-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2644-100-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2644-92-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2644-93-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB