Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19/11/2024, 13:43
General
-
Target
810a37e5ba8a2ccd463b2a19850d476c1c8eca86a9016381486fa778424eea83.dll
-
Size
120KB
-
MD5
700d57b5cd2de9e09438553875608b64
-
SHA1
b781cf7e5a8bbbe4bf40f4f4511e827a715ff841
-
SHA256
810a37e5ba8a2ccd463b2a19850d476c1c8eca86a9016381486fa778424eea83
-
SHA512
25454219391b1704b1ea1d82dd9064610d8fafd6d97b3f3b6915ccbffdc0330e81ab8ba8d6bca9078dd3418603f6436e76a2c81dbe21deaa9da96e170a024498
-
SSDEEP
3072:q1xPoZ8ljNp20zN3T7EnCVScVk4Kt6q0kzl:qw69NE0xD7qO9S4iVl
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\810a37e5ba8a2ccd463b2a19850d476c1c8eca86a9016381486fa778424eea83.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\810a37e5ba8a2ccd463b2a19850d476c1c8eca86a9016381486fa778424eea83.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76e10c.exeC:\Users\Admin\AppData\Local\Temp\f76e10c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76e32e.exeC:\Users\Admin\AppData\Local\Temp\f76e32e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76fdcf.exeC:\Users\Admin\AppData\Local\Temp\f76fdcf.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5a31cf3f57ad0119f29d789ca913942f0
SHA19a85bf7d3ed8094437a8b148a97709f43553226f
SHA25688d7ff6d7d2f1ee02b9e8d987f1d5a54c4b73054ae99a8e4b029caf25a315ad1
SHA51229d696934518a084775fa1e304866fa3668f970e171c8526c04a9e723cbd240604701f1a3de59a1164ca441edd185f945c989d1602080a445d28c7bca4e76067
-
Filesize
97KB
MD5c86d7675eff8ebb1ef791585e3500d89
SHA11e0e8bc22d8761ef94e22deb9f725ea3208c3cf5
SHA2567d42aa7324691ddf6d095bd631f0b6f0dad68c410c681aec019428c6e4468259
SHA5128c657811edeaf90a0e2a07209d6046e437aa2a054e43aff6dabfe977f671e0fcaf3711c9c8b143364e6b00e07ca20c235d69ac62569db3e531d8b86b6f30eeaa
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB