Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 20:07
General
-
Target
1be2a0cd535cb718a3a63fd9b4b44b92365115f662095be1d32b15dce291cfcf.dll
-
Size
120KB
-
MD5
1dee215d1db76f6f2dae31e6d8911447
-
SHA1
d5537f4da98ebd34768d67594dfc13b896272a84
-
SHA256
1be2a0cd535cb718a3a63fd9b4b44b92365115f662095be1d32b15dce291cfcf
-
SHA512
12a9915f95d33572637f356723f25cf5cf72b0c2b3e21a4b185de2151cb1e58ecdfc92e1ba65ff676a89073a39fe5dc34d1bc035ca6078daab08e85474341dde
-
SSDEEP
3072:ZN/l9AjrPK8MLfUGR+meJ63v8CLlgea6+s54Q:Z9l922VcGt3vxOb/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1be2a0cd535cb718a3a63fd9b4b44b92365115f662095be1d32b15dce291cfcf.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1be2a0cd535cb718a3a63fd9b4b44b92365115f662095be1d32b15dce291cfcf.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76312e.exeC:\Users\Admin\AppData\Local\Temp\f76312e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7632e3.exeC:\Users\Admin\AppData\Local\Temp\f7632e3.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f764cb9.exeC:\Users\Admin\AppData\Local\Temp\f764cb9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5a09413687f90ab2afc28455d89b2fc86
SHA1864de7cd24f93175d1eb638ac1890543a0d14b1d
SHA256c7114b4f311012669e5a76df04d5d58d438e53a6d637d45f3733dbc554e5c0f8
SHA5129803d4c8107561d387a11abb98f0dfc134cde2996351da55086f396d093d0478264f12cf9ccf3216d2509272eef1e27eccb6fb330c42dbbb3b4466e54c81cc27
-
Filesize
97KB
MD50988531a86fcaa80f945e96af4412980
SHA1b15ec43c651c7440c67052d4f8610e1e036c34dd
SHA2567fcd70cd7ed7413774bb5826f9d148255d2ca8dd7801987fc436c57a78426f5f
SHA512dd43ceff93fc28c2fe5bad6ce520b6e2e9bab80e07558f61e82b0daaa21b7f4f20aad6ff6d5345641978a8305373d6ffa690ed192beaef2fd69965a17f690820
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB