Overview

overview

10

Static

static

3

8bee719785...6b.dll

windows7-x64

10

8bee719785...6b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bee7197857d1faf1d0c150b03b5adca9511a6c50ffe495d788be30540d1186b.dll

  • Size

    120KB

  • MD5

    88b267e320744aebf1edf33964ecc3ed

  • SHA1

    269d7ea4dc06f746e5286fc7fca95b4ed61de4dc

  • SHA256

    8bee7197857d1faf1d0c150b03b5adca9511a6c50ffe495d788be30540d1186b

  • SHA512

    8011d7e8d9adc2af3c8e4695c3731234be6baefa49c4ca6b3a99f6966a84819947cc251c4378258c068f14e5b9a322ad68b48eff8c6f5f7be9cec7616ae95aeb

  • SSDEEP

    1536:oJD2i2CoUmIs+izYPN3i24Y/KIqkXlcOQgRCXEljyagNUed824:0DsUmIEzu14Y/K/QlcpWylP4

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1236
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bee7197857d1faf1d0c150b03b5adca9511a6c50ffe495d788be30540d1186b.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bee7197857d1faf1d0c150b03b5adca9511a6c50ffe495d788be30540d1186b.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1944
              • C:\Users\Admin\AppData\Local\Temp\f769be2.exe
                C:\Users\Admin\AppData\Local\Temp\f769be2.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3032
              • C:\Users\Admin\AppData\Local\Temp\f769d77.exe
                C:\Users\Admin\AppData\Local\Temp\f769d77.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • System policy modification
                PID:1048
              • C:\Users\Admin\AppData\Local\Temp\f76b79c.exe
                C:\Users\Admin\AppData\Local\Temp\f76b79c.exe
                4⤵
                • Executes dropped EXE
                PID:2680
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1288

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            664290c31bcd2114d33c932af4ddf294

            SHA1

            8039694993d6c04df019173c6c4990ae14c34a85

            SHA256

            dd5ea0f03aeb746c12eea7b3f397a6b38f41b76a388b5ac33b9ab8da863f5ab8

            SHA512

            334661b53bfc98814654bc0e0ea9a4d8f460e7b698f5b3f58f3e2fe1a2ad3c01945d17af6afc43d432b1fb676d807794006ab323a381da1a61d5dd9dcd957136

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f769be2.exe
            Filesize

            97KB

            MD5

            fbb52d0bd66c865e4fc88bb1eb6f8aee

            SHA1

            6a74fe7ac16220c590b5e6c10f6c853477a9646e

            SHA256

            94f9a8eb0cff26b9dd5f88a089536a04de4fdcb6f8e4967e32f5a3cc365c6485

            SHA512

            2c28c47a4521f08e830ee68895c5b05af035e6ba2aeedb61d242dd6ae5a26466b97804e79a483bbb6d71b3de41247a7d6322c2556b3da6dc4989f153ba5e4cd4

            Download Submit

          • memory/1048-185-0x0000000000910000-0x00000000019CA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1048-186-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1048-168-0x0000000000910000-0x00000000019CA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1048-128-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1048-99-0x00000000003F0000-0x00000000003F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1048-100-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1048-101-0x00000000003E0000-0x00000000003E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1048-63-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1120-28-0x00000000001D0000-0x00000000001D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1944-58-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1944-47-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1944-2-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1944-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1944-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1944-4-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1944-10-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1944-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1944-59-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1944-60-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1944-61-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1944-83-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2680-110-0x0000000000280000-0x0000000000281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2680-109-0x0000000000270000-0x0000000000272000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2680-133-0x0000000000270000-0x0000000000272000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2680-190-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3032-70-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-18-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-66-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-67-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-68-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-64-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-71-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-19-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-75-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3032-85-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-87-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-90-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-21-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-65-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-15-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-14-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-12-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-20-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-16-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-154-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3032-155-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-17-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3032-50-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3032-51-0x00000000003F0000-0x00000000003F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3032-48-0x0000000001930000-0x0000000001931000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3032-22-0x00000000006A0000-0x000000000175A000-memory.dmp

            Filesize

            16.7MB

            Download