Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-05-2024 22:39
General
-
Target
69112ba47ec8a1bc22664bdbb6fe998f1e7421492b70f7c9f40aa7cb105e290f.dll
-
Size
120KB
-
MD5
beead762eaa5edf1743bf5224684e9f3
-
SHA1
6a2a8fec5809d1eb159933ac94a525c91de022b4
-
SHA256
69112ba47ec8a1bc22664bdbb6fe998f1e7421492b70f7c9f40aa7cb105e290f
-
SHA512
0d423f181b041d5f74c9474a5e8a404b8423b3ef9292788cbc72b6f62bfa2d2142f70f502de4a6555c2b480e458c28ca8f4b309c8bf9ade2fa00d26f4289c7aa
-
SSDEEP
3072:2pw8bwsJqU5BGnhFhLU4AJA0UdKkTnhzB1+jgX1dqUoL:9EqnHhU4Aih4kTnhL+w1cUg
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\69112ba47ec8a1bc22664bdbb6fe998f1e7421492b70f7c9f40aa7cb105e290f.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\69112ba47ec8a1bc22664bdbb6fe998f1e7421492b70f7c9f40aa7cb105e290f.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760f5c.exeC:\Users\Admin\AppData\Local\Temp\f760f5c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7610b3.exeC:\Users\Admin\AppData\Local\Temp\f7610b3.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f762af7.exeC:\Users\Admin\AppData\Local\Temp\f762af7.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5ec065997b770f85fd20c8679e35e8894
SHA144dc3c43dcdb5da5f5fd4eca48ab91fa6fbb69e5
SHA2563994de6d60586a578bb3bd0193b1ddf8d4b374b34d662b97d8d5fb9fed1ef6cc
SHA5125bbc16e7bebd7cd1bc2acced61913bf765fa0e6114444d45638e9a22a544f0ddffc3ab75a1cde5d9e87a789a3b2c874cef9525bcedc52985e2d4373a5aee8299
-
Filesize
97KB
MD5abdc9a2edfe4e5f29507f197e5b7decf
SHA18ff59bbe7b8417cd7e8904d101669ae99d76b5f9
SHA256be6ec9676d815bc67fced2b2d9cbbb547280ffa25f1bdc71e1c21bc3d954ca98
SHA512eb45cca15fb76165772eef0c480cba34829e6f455bb72c5cf232aa1c9a401acd4235395ac40f4d561a0f2c270d8141d29b545d07b6db8c82f2bff0efca900478
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB