Analysis
-
max time kernel
28s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/12/2024, 13:32
General
-
Target
a4d8be96db054bd7355d077052e701d6d58068a51540db7925181b40a730edf0N.dll
-
Size
120KB
-
MD5
fd97ea8c53a0429eba4b0bcba51b0520
-
SHA1
3b28b5504ab944b1c05a6d3cbf5c4a7f5e29297b
-
SHA256
a4d8be96db054bd7355d077052e701d6d58068a51540db7925181b40a730edf0
-
SHA512
827f97b75c8687b09dedbca6a0c4bbee9ba1ca9426282b8ed27316351cde6d52f809d68ac76db8231c923a2dce672fffdf2a215cb018b23c1702aa272a98c338
-
SSDEEP
3072:VO5xxM3U+JBtxuSIKoCau4kSo3spF+tA3Ma/37yYs:siJXkiReUspF+t/a/F
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d8be96db054bd7355d077052e701d6d58068a51540db7925181b40a730edf0N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a4d8be96db054bd7355d077052e701d6d58068a51540db7925181b40a730edf0N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f769c01.exeC:\Users\Admin\AppData\Local\Temp\f769c01.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769dc5.exeC:\Users\Admin\AppData\Local\Temp\f769dc5.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76bb82.exeC:\Users\Admin\AppData\Local\Temp\f76bb82.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5030ceaa2a38fa77566076d10e32052f9
SHA15866d40cc9f6cee7eab3e7a51b07e6d43b73710c
SHA2563c7b30194b1d832d0136c796a698a57e2109211d3219fce125632ef6ca09c223
SHA5126cffcd53555a426a3176805d4e4d65d6c3d59b24913156a6429e02cef76c44f3642360b98eeb69a392236ff3865f762d4b05a2c16c32c0e5b078b3d9536fd4f0
-
Filesize
257B
MD5c7d36f2ff83e7e37a7a173d158fdbc45
SHA1953cfc6e398e7048346e9037020e6109ca5b4850
SHA256a0dc2ccb6bd9c893334f3512953e1e1d69c1ae2f8c18a7c7100d1d01fda06907
SHA512a9cf3c010d7a9675873c082f9974fa9ce91c8b9029618c36dcf4ec05b63197449db4de96d936b1f4d8f6dff6268fe91f18885bf1aecb51ae0338427c823c5bee
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB