Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
26-05-2024 20:08
General
-
Target
2acbf4c90d074db6004ae8b0d2250965e8a95f1f144d47196245256b21c1dc83.dll
-
Size
120KB
-
MD5
149a1b5c4a45b9773e70f0d1160479a0
-
SHA1
7c2d9a5590929f26f7fbe1d577d855767107b4b5
-
SHA256
2acbf4c90d074db6004ae8b0d2250965e8a95f1f144d47196245256b21c1dc83
-
SHA512
d075f1921da508e857973fc6bcac36886285dcf29965772f3d3aedb766b3120272ac4c32a40724fe5476434b091565d3f10727dd775ddd9dec3f4d55ba43f854
-
SSDEEP
3072:bwDZYTlhrcjk8lxC4VD1uTy9u524jeHp4:bwDYhrek4pV5gyu5l6p
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2acbf4c90d074db6004ae8b0d2250965e8a95f1f144d47196245256b21c1dc83.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2acbf4c90d074db6004ae8b0d2250965e8a95f1f144d47196245256b21c1dc83.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761e4a.exeC:\Users\Admin\AppData\Local\Temp\f761e4a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76204d.exeC:\Users\Admin\AppData\Local\Temp\f76204d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f763a42.exeC:\Users\Admin\AppData\Local\Temp\f763a42.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761e4a.exeFilesize
97KB
MD5d3fe956e33f2086342d97dc6ca39d8aa
SHA152a111cf63e57c7947db8fd245dff138ad91a863
SHA256642932d20410d9ecc313c0593a80fd88f80b9dde9e3a79cbbdddd10975a4a8ec
SHA5129d2fb17e32dc848c43dcf558d94cad56c81eb2803922e2dd4692cadfbeb7f75eecbc58a0a6eb9e89e8beb2d7b8e34d38f1172a34e77a77f1bc0112c8e86f1c8a
-
C:\Windows\SYSTEM.INIFilesize
257B
MD559f913a19fc872d5101de7eff6c0322b
SHA192efde00c264990d0fed905bd7ff1cc53a17a4b3
SHA256de67743aa71562d09e7dec465e691d8ed516dcc1217efc83419f22e01acb9785
SHA512f816390a7aa9fb92bdf1b7f9e42dcb9c43257962dc83ecd7a264d9927f809b2c2ba20d63806b5b8e2ce4c5439d83102efea6594b382de706f3a08300cf05481a
-
memory/1112-30-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/1744-64-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-144-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1744-66-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-21-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-19-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-15-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-65-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-16-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-20-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-24-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-51-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1744-23-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-145-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-79-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-113-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1744-60-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1744-110-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-109-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-106-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-17-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-105-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-49-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/1744-102-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-22-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-12-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1744-18-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-82-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/1744-80-0x0000000000960000-0x0000000001A1A000-memory.dmpFilesize
16.7MB
-
memory/2120-61-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2120-62-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2120-77-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2120-9-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/2120-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2120-75-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2120-11-0x0000000000130000-0x0000000000142000-memory.dmpFilesize
72KB
-
memory/2120-39-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2120-38-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2120-2-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2120-48-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2120-58-0x00000000001A0000-0x00000000001A2000-memory.dmpFilesize
8KB
-
memory/2192-94-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2192-95-0x0000000000370000-0x0000000000371000-memory.dmpFilesize
4KB
-
memory/2192-63-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2192-91-0x0000000000360000-0x0000000000362000-memory.dmpFilesize
8KB
-
memory/2192-169-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2192-174-0x0000000000930000-0x00000000019EA000-memory.dmpFilesize
16.7MB
-
memory/2192-175-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3044-103-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/3044-100-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/3044-101-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/3044-179-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB