Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
31-05-2024 03:48
General
-
Target
da99f23eba0b7e1bf292e8baf923b37c3018b7c5a73e3832e353576083996fe5.dll
-
Size
120KB
-
MD5
a3b6728bd446b007a93998134bacd548
-
SHA1
4820a019b402dc3ecde758fb75878806e88124d4
-
SHA256
da99f23eba0b7e1bf292e8baf923b37c3018b7c5a73e3832e353576083996fe5
-
SHA512
f063b6c7739a9169087ce1c0065b9a883bcb9d8265d645d5d39858a40717e4a1684dab87b44914bf6e225f53dbe3b135c1e884dc0fd8fe3b2f982aa4bc4dd2e8
-
SSDEEP
1536:gjAZpFx917RZlyp8tDFLDS2S8mH4oZj+Yo7+/btthaWtnDKfolEVemZ5lEYBTV5s:gcZp37bBe78mYoZCx+/HBDKUmLTVcd
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 26 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da99f23eba0b7e1bf292e8baf923b37c3018b7c5a73e3832e353576083996fe5.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da99f23eba0b7e1bf292e8baf923b37c3018b7c5a73e3832e353576083996fe5.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f767d1c.exeC:\Users\Admin\AppData\Local\Temp\f767d1c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768095.exeC:\Users\Admin\AppData\Local\Temp\f768095.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769666.exeC:\Users\Admin\AppData\Local\Temp\f769666.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD54575bbe5b132fabdcb8e610b6aaaa9db
SHA13fd017a3337d0166d3b58ce10ef342e0c9814067
SHA25677ba70f921d0467c8ed5ac0334342bffaa013e5b62e9c0c51bacdeb960130e52
SHA512e85cc4af0ddd21fc26fd53711978480a137b064a54be1d7de7004d7626a060e493dc08841ee3d0b34a9c99529fab58446feee5dee001be19d7b94c7eb5ab8ca9
-
Filesize
257B
MD5e4f204283e90cbe745ea714b9bff6ac1
SHA1867e7b1326ccd1922a4c852b33fe01bca51ccdc5
SHA256be32ca08cf731c7f5c4e0054cedf03738821d0ebefbed6ed59fc51fb0afbf8c3
SHA51217d85aa872765173d2e4d2214b76520189e6caf0c0a7fada064b14f3059c9a74523c6da55112e1dcffa259110384c897aeb3a0d50dcabfd7cb7d11dfe54d3f40
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB