Overview

overview

10

Static

static

3

2b6299ed05...92.dll

windows7-x64

10

2b6299ed05...92.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 09:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2b6299ed051392c0ad1244244967ac1bf42a7743d07567887e9dc18352e76492.dll

  • Size

    120KB

  • MD5

    80affcdccc25797af3deadac82bae480

  • SHA1

    016be339264ba6056fef53bf793b44ecf7c6ce46

  • SHA256

    2b6299ed051392c0ad1244244967ac1bf42a7743d07567887e9dc18352e76492

  • SHA512

    db94d62f52787778cb48a08d7062ec107b0440170c31bc0d1c37c7ee1aefddfa9d49258f1ec3a342caf36d9b6f1b683951cfeda1d9247c4e37ccc139e0039034

  • SSDEEP

    1536:JUVYLyOUVTfcWpUSKABHmqBfQdcU8lTihWk/NdB/1BWo3ALvNMIsf:JqOUVrbUSDBqsWhvt/1VKGIs

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1160
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1188
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6299ed051392c0ad1244244967ac1bf42a7743d07567887e9dc18352e76492.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6299ed051392c0ad1244244967ac1bf42a7743d07567887e9dc18352e76492.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2692
              • C:\Users\Admin\AppData\Local\Temp\f76e9b3.exe
                C:\Users\Admin\AppData\Local\Temp\f76e9b3.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2780
              • C:\Users\Admin\AppData\Local\Temp\f76eb58.exe
                C:\Users\Admin\AppData\Local\Temp\f76eb58.exe
                4⤵
                • Executes dropped EXE
                PID:2980
              • C:\Users\Admin\AppData\Local\Temp\f77055e.exe
                C:\Users\Admin\AppData\Local\Temp\f77055e.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2404
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1524

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\f76e9b3.exe
                  Filesize

                  97KB

                  MD5

                  84d6ab967e42a403f4520e675668af29

                  SHA1

                  a01189da4111ca5c8b221472ee7ecb00190134e6

                  SHA256

                  9ea762db152eb532a870dc8f5e7b77b3e57fc4c1f368ce2e7340ceaf70a45d0d

                  SHA512

                  5959a0e0e5a1ded48c4540adb8e6e9336cba215b23da1f5f479df04af583bce6c2f69f9fc5de6b9893257b5c75fae91b34cf27776f94c1400d001e67367e7995

                  Download Submit

                • C:\Windows\SYSTEM.INI
                  Filesize

                  257B

                  MD5

                  40107c956e632cb69b40809d51154889

                  SHA1

                  b8406c0292c86e26de9eecd3767e4f626ea790d2

                  SHA256

                  1fca5fe2cb8f1c2d4c84ddd61d25cdbf074a31f52963ddfc969d7a76691d7624

                  SHA512

                  36cc40c5a1d60f5306bdbefc47817d9ffa6f0e58d95b44ebd671dd7db1f82bc55989f5f1f3a30f4974e93329fb37ad8ebdc03aa51b5b0200de60f8d2f9f3fe37

                  Download Submit

                • memory/1120-28-0x0000000000160000-0x0000000000162000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2404-111-0x0000000000270000-0x0000000000272000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2404-219-0x0000000000400000-0x0000000000412000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2404-218-0x0000000000910000-0x00000000019CA000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2404-181-0x0000000000910000-0x00000000019CA000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2404-140-0x0000000000270000-0x0000000000272000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2404-109-0x0000000000280000-0x0000000000281000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2692-81-0x00000000001B0000-0x00000000001B2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2692-58-0x00000000001B0000-0x00000000001B2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2692-83-0x00000000002F0000-0x0000000000302000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2692-85-0x0000000000180000-0x0000000000182000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2692-1-0x0000000010000000-0x0000000010020000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2692-8-0x0000000000180000-0x0000000000192000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2692-47-0x00000000001D0000-0x00000000001D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2692-37-0x00000000001B0000-0x00000000001B2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2692-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2692-61-0x00000000001B0000-0x00000000001B2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2692-60-0x00000000002D0000-0x00000000002E2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2780-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2780-88-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-21-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-48-0x0000000000560000-0x0000000000561000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2780-18-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-63-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-64-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-65-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-67-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-66-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-70-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-71-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-77-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2780-51-0x00000000003F0000-0x00000000003F2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2780-22-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-15-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-86-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-10-0x0000000000400000-0x0000000000412000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2780-90-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-19-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-20-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-12-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-16-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-14-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-162-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-17-0x0000000000690000-0x000000000174A000-memory.dmp

                  Filesize

                  16.7MB

                  Download

                • memory/2780-161-0x0000000000400000-0x0000000000412000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2980-130-0x0000000000260000-0x0000000000262000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2980-166-0x0000000000400000-0x0000000000412000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/2980-101-0x00000000002B0000-0x00000000002B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2980-102-0x0000000000260000-0x0000000000262000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2980-105-0x0000000000260000-0x0000000000262000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2980-62-0x0000000000400000-0x0000000000412000-memory.dmp

                  Filesize

                  72KB

                  Download