Analysis
-
max time kernel
28s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
06/12/2024, 18:32
General
-
Target
84066ff1a558a6cc5ed0546c0c6efc57d17a7e6c786e807fe5574f1186f6f8ebN.dll
-
Size
120KB
-
MD5
acb3fff292e1a589757706508b2da4a0
-
SHA1
ba54ff5d6ddf083de779710bf7839cf64f4951d8
-
SHA256
84066ff1a558a6cc5ed0546c0c6efc57d17a7e6c786e807fe5574f1186f6f8eb
-
SHA512
97f6ccd5d27f7cdbe5af3912c1cbc4e7d72d452590d9a7d91625512c8c17be8053a6b6097aa55bb50acf01f2154df5104ad1f6cfabaccb0545889e552b70f5ff
-
SSDEEP
1536:jdTJ570lUjwQLBnoZC4O+lWPxcXTpjkral7drrf4Uuw1T3834BcGV6ei6mpTSX:RjYlUzLyQXkUeXTxKy7pgUuus34Bb4p
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\84066ff1a558a6cc5ed0546c0c6efc57d17a7e6c786e807fe5574f1186f6f8ebN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\84066ff1a558a6cc5ed0546c0c6efc57d17a7e6c786e807fe5574f1186f6f8ebN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76e179.exeC:\Users\Admin\AppData\Local\Temp\f76e179.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76e31e.exeC:\Users\Admin\AppData\Local\Temp\f76e31e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76fd43.exeC:\Users\Admin\AppData\Local\Temp\f76fd43.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5f7e45aaae6b5142ec91b3b84b31de236
SHA11c828934ed8404d1906e131cad6623fc58b0623d
SHA256f04dc004f031ab1b7fbd29403a619b63fc73912ba8f4e1d826d9f854a86f010b
SHA512ce2018311237fb2eb46f8eb9a05a8ef300a4993ec03ba026e6cd7cf879dacd8255a1197912613a843599f21642823385cb6a37619f27a4ea5ceca5c340fbe757
-
Filesize
257B
MD5220868444fbfc10ab6498074e8aebcde
SHA1379e369718da876e8322c63bb2f37c3acd9b9f33
SHA256c199e7cba3fae6c516bc8ca51549418892c51094e2d4179ecdc99616f663fc00
SHA5123d6f3d6ef0580f6f58c3724a50c22afff8a1933d39b341ca092b95449b5c5f773f49259af8d766625abc5c6c6bf6e6a46972e1565d9009e885fa6ac9bd72079f
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB