Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
21-05-2024 20:01
General
-
Target
26e4dc69f0d7a25a4ae222b317c290a488feec3f44ef2f3a7518e03bb5b598bd.dll
-
Size
120KB
-
MD5
e976dbc171d407020a5cc6a6fa0f033a
-
SHA1
199916460894dc53d2d0446029b46b1b77ad371c
-
SHA256
26e4dc69f0d7a25a4ae222b317c290a488feec3f44ef2f3a7518e03bb5b598bd
-
SHA512
6d09fc6b1489308b8875902ec22e717e059938a44fcf7b16fb52ccc99c4b7bc6245a46073ff0b61fa326a59ee55654ccb37d1792ee80de278023429eedbc8cd7
-
SSDEEP
1536:UsTqMu+5SzVpDVObENz4yC8lA9TC19RVvP9/go6Kqdqa46Pqk0cDwc5f2XEw:UyCKO4nFUP/gkoqa46PvrOX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\26e4dc69f0d7a25a4ae222b317c290a488feec3f44ef2f3a7518e03bb5b598bd.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\26e4dc69f0d7a25a4ae222b317c290a488feec3f44ef2f3a7518e03bb5b598bd.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f767a8d.exeC:\Users\Admin\AppData\Local\Temp\f767a8d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f767d89.exeC:\Users\Admin\AppData\Local\Temp\f767d89.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769453.exeC:\Users\Admin\AppData\Local\Temp\f769453.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD50d7a66de1be5aaf4b4e46d68e30248ec
SHA157c627ad2136ae3fc16fb1c2425f71336752b050
SHA256388e70feb3e48e66e7e7b8e1296dfd87cec9312401054d9593c196594aefe55e
SHA512d169b7ce0f5e0a5ae82a181a6c5bdd7f9132898ca2d4886a922e3e777a27889beb90e2af505f2bedf59b3eabcd3f3ceb0ee1c578b977b2b4eda3fdbf58597aa4
-
Filesize
97KB
MD5db43d620df054c2b5fc4545ea01b8c14
SHA16fca2b0349055014b96bcdd6130584f4978719b1
SHA256a6ba27aa9fda2dd24cdd3eb288982dbd3dee4c53554b4f7bffe8e91ddd0fc37d
SHA512641cb050813ded7596e3efe5f8045165bcb6f8920fdc898081f158681f1101f901d372c9e9741718624f5fee925f71e4548cce14ecce2504830a324d1fcf2cf5
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB