Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-10-2024 06:53
General
-
Target
b22affe3a11ec8c8bb9b2d3f783f7dc5817fea9f0dda386e3e821796b82c7841N.dll
-
Size
120KB
-
MD5
b9c8ecb079896b948d0ddd58f730b560
-
SHA1
3af5d815de08f8e3e7a2f4f1281eeecce2cfbab1
-
SHA256
b22affe3a11ec8c8bb9b2d3f783f7dc5817fea9f0dda386e3e821796b82c7841
-
SHA512
087bbfb9b85d322d539549a9c8fce38acac42120b2bb9a198d4c04e184da31fc97ad6e92bcb385670ea73ec3ee10716df82ec5b47827737d0ba4961e74719fa1
-
SSDEEP
3072:8Y0/7+smdFPkCmZhEhYHCmfOHZZ9/G9gIuPuB:X0yT2fH7f+zeP
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b22affe3a11ec8c8bb9b2d3f783f7dc5817fea9f0dda386e3e821796b82c7841N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b22affe3a11ec8c8bb9b2d3f783f7dc5817fea9f0dda386e3e821796b82c7841N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f766c3b.exeC:\Users\Admin\AppData\Local\Temp\f766c3b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f766dff.exeC:\Users\Admin\AppData\Local\Temp\f766dff.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7687f5.exeC:\Users\Admin\AppData\Local\Temp\f7687f5.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5bdd722eed7baef2f8057437463bb3a9e
SHA19e4b11c44fda7eca06c16603bb43a7ad26ed0f84
SHA2560f544f75e1ecf281ce3d9bc0a4720da5f51a45a93e4d1ef43ea9226d9c89ee3a
SHA512c0fd5e229d95a4bf4f7c7a85ec4bd5334c917b425f2a9f268519c6b70804b5dffbab45a72d4679f26aede9fe5326c2b84fe131547fc3c5bd6e115e7880428b95
-
Filesize
257B
MD59bc323ea5e357204b405a1c86cfc43e2
SHA17ecfa4eb554a00b5881fb7da8aea44b5311adaa0
SHA256ba5a228aa947b7b0b9b86e8f80e320fb46d8994056c1b859eaf76e5dea74bb56
SHA512a20889f89850046ccecb097295639c77e15e4d1ff1a42b943e3758f08cd18e64c512e679c2c03df2e2bcb5e70d8658f5e87efd124a4e1ecd4f5ce11ce8f07eab
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB