Analysis
-
max time kernel
117s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27-05-2024 01:53
General
-
Target
b68dcdfb2184b5a8050fb69a9db0c6ff8e85d7924aced564679b1dfb83eefdfd.dll
-
Size
120KB
-
MD5
86d18e6b1175fe1a81d460da89c4517b
-
SHA1
ed67c5ce16f77c41c329481b4ef9196b530fc559
-
SHA256
b68dcdfb2184b5a8050fb69a9db0c6ff8e85d7924aced564679b1dfb83eefdfd
-
SHA512
07c3c1ffeb865a8c2c700327d1d11966d61bdf5b7d156a3e3a7b598b9d36a91388c3c32531319f7048df4df95a163ec78e2559f51d5fb10a6e136357869a91a6
-
SSDEEP
3072:yPVj8NtkpT+5CQ01cvKgIJfQGJ5brPolkpqMF:ypct4qlNuJ5b3
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 25 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b68dcdfb2184b5a8050fb69a9db0c6ff8e85d7924aced564679b1dfb83eefdfd.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b68dcdfb2184b5a8050fb69a9db0c6ff8e85d7924aced564679b1dfb83eefdfd.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768ab3.exeC:\Users\Admin\AppData\Local\Temp\f768ab3.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768d71.exeC:\Users\Admin\AppData\Local\Temp\f768d71.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76a4c7.exeC:\Users\Admin\AppData\Local\Temp\f76a4c7.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5ea1739ae7d7f98f4b1d5ef23217359ae
SHA1bd1d5907fdd8d3ead3d189ba6bd5e6a3bd613479
SHA2564ee0d7f2cc8c3f7252f78959f82a60911676fdf048166f9311d63e9ab800bce6
SHA512cfe0098727d81e914f131f1904f270c93a26389ac60b237fdf4580c47d291c81c53db19df55aa54d3c8a9e199504b4f25dd951528f5611c1e16836ef7cd42b6f
-
Filesize
256B
MD567a22ddf8af89b799a654cfc2f620138
SHA1d9b43c8bdaf2358b77f7548c8c713e1b2b313114
SHA256eb0b4b9567e6477bcfaf4e23411312cf3f9f800da75e39dccc02896b03caf81b
SHA512bb5f9ae2c637223d752f81c5c434ea7b6d1e80f04180e07a6eeec8a768d04779b4ec0e1c8a7bf60fdf87b1a3e7026e1ef933c17b76f5c92c71d775e65c350aa1
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB