Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
10-06-2024 14:08
General
-
Target
812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll
-
Size
120KB
-
MD5
f68983f581a6f30e7d711b2beb0511dc
-
SHA1
91621a37288c69e03fb7d1ef3eb1b7d91256a637
-
SHA256
812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e
-
SHA512
4fc2f454e19c70ddcada597d4789569b98160dfe042a353acecb5a5985a695352bfefbb7160cce04ade4a3692119b72044d52667e06a10635e2803bf4a06909f
-
SSDEEP
1536:8x2cBfTG7CVH1SWjthuY2y/HWP7cdPTn0QI0BUQ7ZRKfSfDD24r4NTo5cte:rsACVH1hht2Ta0QIUUQQOlsMm
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\812758fba4a065bce800b5cdb70e06c9b3c41106a7e206cfd3f94e94ec0de87e.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761bca.exeC:\Users\Admin\AppData\Local\Temp\f761bca.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761d31.exeC:\Users\Admin\AppData\Local\Temp\f761d31.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763775.exeC:\Users\Admin\AppData\Local\Temp\f763775.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5db77c5e0623f11f2ec5d498795b85c15
SHA19d91d97fd088c5578a2db52b36aa7aa07618dea5
SHA2564b4f5dcdc35f9837e06aecfd932d1edfd85684151854c2a9e54773eee6710474
SHA51236e46bac4a0e2e4d4e704d512d023dbf9fef042fa2627374a415a0119c60e33847a07ef16248cbf9a1c7ad97573e34075bcae46a7cee1d95c51743fb21b951e7
-
\Users\Admin\AppData\Local\Temp\f761bca.exeFilesize
97KB
MD58ee6703590006427c3f796a027c4095c
SHA137c19b27659a5b6ff318c02974ab96e23db7e725
SHA2566363f8ce2b7fecfd4f64dd1145234a27dc165d74b13b9a15cb3cd452e0a182ec
SHA51249338191d2907f501c5cf80e8ba9f2a0fd9dc9b6d6d133181abc068e50db0c1e350ab09ce0a495c14bd6f9f24c9f76f8a2dd500292dcf9033ff053466f5d916e
-
memory/1112-29-0x0000000000110000-0x0000000000112000-memory.dmpFilesize
8KB
-
memory/1584-210-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/1584-211-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1584-183-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/1584-106-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/1584-102-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/1584-104-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1584-80-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1972-62-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-107-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1972-14-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-155-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-49-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/1972-48-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/1972-46-0x0000000003CE0000-0x0000000003CE1000-memory.dmpFilesize
4KB
-
memory/1972-156-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1972-23-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-125-0x0000000003CD0000-0x0000000003CD2000-memory.dmpFilesize
8KB
-
memory/1972-16-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-20-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-19-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-15-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-22-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-18-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-61-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-63-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-65-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-64-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-67-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-68-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-17-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-82-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-84-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-85-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/1972-21-0x0000000000520000-0x00000000015DA000-memory.dmpFilesize
16.7MB
-
memory/2456-57-0x0000000000140000-0x0000000000142000-memory.dmpFilesize
8KB
-
memory/2456-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2456-36-0x0000000000140000-0x0000000000142000-memory.dmpFilesize
8KB
-
memory/2456-59-0x0000000000140000-0x0000000000142000-memory.dmpFilesize
8KB
-
memory/2456-45-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2456-10-0x0000000000110000-0x0000000000122000-memory.dmpFilesize
72KB
-
memory/2456-9-0x0000000000110000-0x0000000000122000-memory.dmpFilesize
72KB
-
memory/2456-37-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2456-58-0x0000000000160000-0x0000000000172000-memory.dmpFilesize
72KB
-
memory/2636-105-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2636-160-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2636-97-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2636-96-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2636-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB