Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
22-05-2024 03:59
General
-
Target
9b32ce1874ec08508778f9691984477dbad390f16e6df9c56f814b7b0f2def1b.dll
-
Size
120KB
-
MD5
34272011b912d637535ed2efa5008323
-
SHA1
907db9c0faebf7e4b38566016dc098d9b7ce0cbd
-
SHA256
9b32ce1874ec08508778f9691984477dbad390f16e6df9c56f814b7b0f2def1b
-
SHA512
669a83eead97a314b7004afdcced0ed8697a8489dd2f4287ef539ed5eb74c2e4c500fcc0b55346f8f0b95e3421fccf7d8a91962ce53c8c1a9c510b7b49eee177
-
SSDEEP
3072:ajpPkInIEMSrx9ywml61p8XKYzOZywFlM:ajpkInIEN19Ql6b8aYyl
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9b32ce1874ec08508778f9691984477dbad390f16e6df9c56f814b7b0f2def1b.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9b32ce1874ec08508778f9691984477dbad390f16e6df9c56f814b7b0f2def1b.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7612c6.exeC:\Users\Admin\AppData\Local\Temp\f7612c6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7614f7.exeC:\Users\Admin\AppData\Local\Temp\f7614f7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762e03.exeC:\Users\Admin\AppData\Local\Temp\f762e03.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5e84a5e6b4fe227ddeffd69fe8125f5c3
SHA15bc630a9ac4049efea4f7a8528455100f7a75377
SHA256eb744b327cb01e8f4d49b8e57d786646b8fc9341d3b0ef05780ad795119f646d
SHA512d47f755615fc52d324060f64b9e5d8b4a6a92ee9fc2d06f63488da95359e82f9da7290298a7c31b07211c66a87d6152a833421e5aae8f4d8d8bf9ccfc0e2d041
-
\Users\Admin\AppData\Local\Temp\f7612c6.exeFilesize
97KB
MD57b7c1ea58aa6d93369722fb80e2bf3ee
SHA1798afa5d96eda7bfe4f3620063bcd85c44fe78f0
SHA256d3d5e31be43fb01cb942f7cb2c3e2501bae53102392b5b266d098dd73f0305bc
SHA512a62c9db6b15807ca90fdda5db705fd860e76297dba58efd91e0f9b69918447c8d5c5cbab3ee6c708850f30a69c2f590ad2fbd99391e25bd1287097fa12ec1b8a
-
memory/1104-28-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2104-100-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2104-177-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2104-101-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2104-103-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2264-173-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB
-
memory/2264-169-0x00000000009C0000-0x0000000001A7A000-memory.dmpFilesize
16.7MB
-
memory/2264-172-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2264-93-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2264-94-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2264-102-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2264-59-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-45-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/2636-21-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-48-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2636-47-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2636-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-22-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-12-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-14-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-153-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-152-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-20-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-17-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-60-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-61-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-62-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-64-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-63-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-66-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-67-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-127-0x00000000004D0000-0x00000000004D2000-memory.dmpFilesize
8KB
-
memory/2636-106-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-81-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-84-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-85-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-19-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-16-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-104-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-15-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2636-18-0x00000000006D0000-0x000000000178A000-memory.dmpFilesize
16.7MB
-
memory/2832-57-0x00000000002D0000-0x00000000002E2000-memory.dmpFilesize
72KB
-
memory/2832-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2832-79-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB
-
memory/2832-80-0x0000000000520000-0x0000000000532000-memory.dmpFilesize
72KB
-
memory/2832-58-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2832-35-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2832-36-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2832-55-0x0000000000230000-0x0000000000232000-memory.dmpFilesize
8KB
-
memory/2832-44-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2832-8-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB
-
memory/2832-9-0x00000000001B0000-0x00000000001C2000-memory.dmpFilesize
72KB