Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 00:57
General
-
Target
99c60186c570a0ef4e6951e19c714216ba6e7f4f27c3e68e135ddfda89876878.dll
-
Size
120KB
-
MD5
474edd37a54d3f8b36ced305a5512794
-
SHA1
866c29fbc94bd5ab80856366a8a6c0b9048dd27f
-
SHA256
99c60186c570a0ef4e6951e19c714216ba6e7f4f27c3e68e135ddfda89876878
-
SHA512
951e75d90fbdb08aed2384735b7b07695500d39134fecc9838fa1890a2be81f38c604008e6ae005cc98d0b2ed238ffebcaa8046e4d51915f85a22822d7186109
-
SSDEEP
3072:nPkAecUa+QNyH3fZEPCTF1dm2adHwAzN:sWUdEOvaPC/3axjp
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99c60186c570a0ef4e6951e19c714216ba6e7f4f27c3e68e135ddfda89876878.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\99c60186c570a0ef4e6951e19c714216ba6e7f4f27c3e68e135ddfda89876878.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76a92b.exeC:\Users\Admin\AppData\Local\Temp\f76a92b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76ac27.exeC:\Users\Admin\AppData\Local\Temp\f76ac27.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76c487.exeC:\Users\Admin\AppData\Local\Temp\f76c487.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD518d9de8c0ccf2f5c3ce05767846d240b
SHA1bff3f3be5229584521d9f9dbb0b331a3f0cac202
SHA256c434d522262ee59b861ebdc5231eb35e1df300201247e73e6ff9c3414414e131
SHA512b3eee009a6b74813c77ac79c48de7776c76fdb01cb3da73965e665c4cab0da3429e663a0ba61d9eebd3a7c3b8b1e0e5850cc294c344dfc0ccdce5056db8b5c4c
-
\Users\Admin\AppData\Local\Temp\f76a92b.exeFilesize
97KB
MD54865d9bd8fd04c1af6631e15f4171b01
SHA11baf405ceb55cfa35c5a69044603ea8583e0a1ef
SHA256f3074295106404a859c1718c44f60e2f1ed3747ffe95c6647c7bd7e97de61336
SHA5125da59bb0e2b9bb7b6c4f10a7148f7ad41cddd0970425cb64b5cb5415eb3b501ae4571055310a86743a63873b9bf7f1934a7ee3cc2129029ab46c5b443e4c966b
-
memory/1112-29-0x0000000000310000-0x0000000000312000-memory.dmpFilesize
8KB
-
memory/1524-63-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-107-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-62-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-17-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-64-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1524-19-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-22-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-111-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/1524-109-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-15-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-20-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-18-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-68-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-57-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/1524-65-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-87-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-86-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-84-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-21-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-23-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-49-0x00000000002E0000-0x00000000002E2000-memory.dmpFilesize
8KB
-
memory/1524-16-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-82-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-13-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1524-12-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1524-47-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/1524-66-0x00000000006B0000-0x000000000176A000-memory.dmpFilesize
16.7MB
-
memory/1556-58-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1556-10-0x0000000000120000-0x0000000000132000-memory.dmpFilesize
72KB
-
memory/1556-79-0x0000000000120000-0x0000000000126000-memory.dmpFilesize
24KB
-
memory/1556-77-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1556-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1556-36-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/1556-37-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1556-46-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1556-4-0x0000000000120000-0x0000000000132000-memory.dmpFilesize
72KB
-
memory/1556-59-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2532-104-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2532-96-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2532-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2532-171-0x0000000000950000-0x0000000001A0A000-memory.dmpFilesize
16.7MB
-
memory/2532-99-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2532-178-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2532-177-0x0000000000950000-0x0000000001A0A000-memory.dmpFilesize
16.7MB
-
memory/2712-81-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2712-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2712-106-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2712-105-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2712-182-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB