Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
27-07-2024 05:39
General
-
Target
ef51e4909f91aa98222a5bf06f9094b8b57bfe13b680b0993b6bff84f9fccdf2.dll
-
Size
120KB
-
MD5
9dbe339110471fc693d9d0384eb2d885
-
SHA1
6dbae8edfa16b87114033376bb4a20e3935aeb46
-
SHA256
ef51e4909f91aa98222a5bf06f9094b8b57bfe13b680b0993b6bff84f9fccdf2
-
SHA512
f3469f815b47c897f8b8e8c2bc63a4e58fab38df9517f3b48c120637582d342cde1d10f30e6f836cd723f4a96d684e19da942b14abf59abbfe1ccbcd24b7ac67
-
SSDEEP
3072:C3vkeOwHayJaawrdD7XdLyUgYfbpO4dus9nYiEkukXgJ7D:ykJ/yEaa5teOMa9nYhI6
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef51e4909f91aa98222a5bf06f9094b8b57bfe13b680b0993b6bff84f9fccdf2.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef51e4909f91aa98222a5bf06f9094b8b57bfe13b680b0993b6bff84f9fccdf2.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76706f.exeC:\Users\Admin\AppData\Local\Temp\f76706f.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f76760a.exeC:\Users\Admin\AppData\Local\Temp\f76760a.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f768a45.exeC:\Users\Admin\AppData\Local\Temp\f768a45.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5015813afb2f3140919ff0ab484a3fe41
SHA1237093ef0044d884abf432c86ef3c7720cf44c1a
SHA25651e25f0dc74d7e2c52970d3ef19d2a8438217f2f83dba8735810a23a1cf47f11
SHA512912035b477927c31cb8c4e87e803af32d84237cb08421658a9912586089ee0ea49cc8db2aaefd3e91c365b3f8167367a34768ac8d16e82226c00bdb4c56cdcab
-
\Users\Admin\AppData\Local\Temp\f76706f.exeFilesize
97KB
MD5288f06c3909c0ead8ffb2b5866c3d5ae
SHA18592bcc5f64a1c531c96babb0af7667f7e9488a4
SHA25653f8c8ce7f19ecdec3c630511381545d89e9481e28f15194163b1f035bef4afa
SHA51233ff76ad8679205b77a92d7c915688c3d6d27a5c392c476720a4e53f67d2c1737cddb22a0462853e111aceb08c3b219e715c1c5669636b784633ea329aa75be3
-
memory/772-89-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/772-135-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/772-62-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/772-97-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/772-96-0x0000000000220000-0x0000000000222000-memory.dmpFilesize
8KB
-
memory/1092-24-0x0000000002010000-0x0000000002012000-memory.dmpFilesize
8KB
-
memory/2328-183-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2328-147-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2328-98-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2328-99-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2328-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2328-77-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2328-182-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2752-14-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-103-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-10-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2752-21-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-20-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-17-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-18-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-19-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-16-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-50-0x0000000000460000-0x0000000000462000-memory.dmpFilesize
8KB
-
memory/2752-63-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-64-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-65-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-58-0x0000000000460000-0x0000000000462000-memory.dmpFilesize
8KB
-
memory/2752-13-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-15-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-79-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-131-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2752-113-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-22-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-112-0x0000000000460000-0x0000000000462000-memory.dmpFilesize
8KB
-
memory/2752-110-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-93-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-48-0x0000000000470000-0x0000000000471000-memory.dmpFilesize
4KB
-
memory/2752-102-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2752-107-0x00000000005D0000-0x000000000168A000-memory.dmpFilesize
16.7MB
-
memory/2900-34-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2900-47-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2900-57-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2900-60-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2900-59-0x0000000000440000-0x0000000000452000-memory.dmpFilesize
72KB
-
memory/2900-78-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/2900-74-0x0000000000270000-0x0000000000272000-memory.dmpFilesize
8KB
-
memory/2900-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2900-9-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/2900-35-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB