Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 23:31
General
-
Target
77c704bf3dc915f8eb58061b2d5d5c96ee5aaa411abdafff45092a55b5a1e2cb.dll
-
Size
120KB
-
MD5
7e3276869b9a581ed0be28e57c4ccacc
-
SHA1
22a8baf07364098add53f76614b8d66027fac40a
-
SHA256
77c704bf3dc915f8eb58061b2d5d5c96ee5aaa411abdafff45092a55b5a1e2cb
-
SHA512
47432260c277c90aadb56e428a99843b8faa45a57495c9e1af4059c2f1daa9e666a4e71022546162255da0962b3e51c03ae830563285b0d6daf3ebf6e93d644c
-
SSDEEP
1536:59I1gCYxO8qxsGXaNxkWfAladz6c0V2Iv+BFsG8JGZmYUwdO56KsyNjD+5wsbiX:yTs7NxktFV2Iv+BGHGZmYUwnqmOs
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 27 IoCs
-
UPX dump on OEP (original entry point) 33 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\77c704bf3dc915f8eb58061b2d5d5c96ee5aaa411abdafff45092a55b5a1e2cb.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\77c704bf3dc915f8eb58061b2d5d5c96ee5aaa411abdafff45092a55b5a1e2cb.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7613fe.exeC:\Users\Admin\AppData\Local\Temp\f7613fe.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f761555.exeC:\Users\Admin\AppData\Local\Temp\f761555.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f762fe6.exeC:\Users\Admin\AppData\Local\Temp\f762fe6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD561ce88ec2646f852012ef51ce3b108a0
SHA12657434441875bead25e62f71b7ea2d32a38fee4
SHA256f172a972ac7c82967463ce5c6fbe275b34d84456c7c008ea07c28e198b7815e8
SHA512855b26aad0fa425494703b3c50f071f8932f4fb4453795f4f86befdebb815c45771ac8ecb0062573362d76c5881d570bced7662f61e143fe2e759e020c6989f6
-
Filesize
97KB
MD5379d78f0fcc8fd86ff45371a43d9528e
SHA1f38b524940d52f06162bbb3836dd1390739ca84c
SHA2565402a9b80d8755ab9a28f85a55a75722bca978adf0efd8479d773e95f9a4ff58
SHA512b23a2bc287fd36870681ef6af465058feca4609d31730004c780297fa6d187ebc4316112ec365a4c3cef73ac128551d6bdb30ebd7832d7c68ba5536213d5a691
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB