Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
11-06-2024 00:48
General
-
Target
948b9a0a1289e60bef06a547c6ebb9fb032cfff6c738accc7d9c3b0fb8fdfbd1.dll
-
Size
120KB
-
MD5
4eae6b2e5635ad34d664864e147f0f2d
-
SHA1
145c6cab6f374b929a6aeec8c48e4aac60997876
-
SHA256
948b9a0a1289e60bef06a547c6ebb9fb032cfff6c738accc7d9c3b0fb8fdfbd1
-
SHA512
14f8dca9a8348295c8bcf1b5b5df495d35832ed77c0068c8fb68c8363fb699e1e82f033633ae4dfa4456853583b309bc270841515d52c340ffdc8cd16abc750e
-
SSDEEP
3072:izNK4uqQWvq54EdSV+WTeT1Gun4VdNMA8V2X1zrAE:YK3q/C5rw8pGu43Nu0trAE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 24 IoCs
-
UPX dump on OEP (original entry point) 28 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\948b9a0a1289e60bef06a547c6ebb9fb032cfff6c738accc7d9c3b0fb8fdfbd1.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\948b9a0a1289e60bef06a547c6ebb9fb032cfff6c738accc7d9c3b0fb8fdfbd1.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f760c02.exeC:\Users\Admin\AppData\Local\Temp\f760c02.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760d78.exeC:\Users\Admin\AppData\Local\Temp\f760d78.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7627ac.exeC:\Users\Admin\AppData\Local\Temp\f7627ac.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5b7c19e0c61477275148468751d0f877b
SHA13ae5e3e366388f5162f1bb30d7139b0cc39e7841
SHA256eed83c5b590aa3ac2692271dd2a0b3699c538e7651131a6e164ee1e5449e3f6c
SHA51219527a090cded1a65f2ca9891481533fbde72a7bae043ebb3517612dba5e7b3e9d4a8d150769876ca083630368cc5c7b0c6fcf01d80b2b50bd8899e18df3bd05
-
\Users\Admin\AppData\Local\Temp\f760c02.exeFilesize
97KB
MD5b4eb138de3dd7720bcd792976718bd75
SHA1c81ed62a689dad66deceaed8c0163a54346121a5
SHA2560a15b8d06abf95dba5cc6d951222633fcee11f5b1f240ad039b7551bb89b2fb2
SHA512766230c963a9f9ba62639c13b189d0c722658e34b38a01ef13bebbfb616e1d8603e9f4742286be2bbedef2d76dcd5849e1a3dc36cff3881417da093fca399beb
-
memory/1044-29-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/1372-103-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1372-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1372-101-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1372-190-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1372-99-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2300-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2300-78-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/2300-4-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2300-59-0x0000000000740000-0x0000000000752000-memory.dmpFilesize
72KB
-
memory/2300-74-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2300-60-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2300-47-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2300-38-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2300-37-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2300-57-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2300-10-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2408-100-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2408-91-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2408-185-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2408-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2408-161-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2408-186-0x0000000000910000-0x00000000019CA000-memory.dmpFilesize
16.7MB
-
memory/2408-94-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/3056-48-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/3056-21-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-65-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-66-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-63-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-62-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-14-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-81-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-82-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-83-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-23-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-17-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-50-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/3056-64-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-22-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-102-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-18-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-106-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-108-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-113-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/3056-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3056-151-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-20-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-16-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-19-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-15-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/3056-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB