Analysis
-
max time kernel
31s -
max time network
23s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
06/12/2024, 17:57
General
-
Target
5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll
-
Size
120KB
-
MD5
d0a76f623ebea38376b9118966fcaec7
-
SHA1
556c31a2fb32c57e7c6150f3610b80fdc24b0579
-
SHA256
5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506
-
SHA512
15f66f9431054e8ba9bd0800024aa01dff0e4a6bfedd595053fb1165c618fa89822d55387f5066d8868d4e46b1324df9503834019b3e24aca1a29c803ebb5063
-
SSDEEP
1536:CV2KzKqk0dKamvi6DSRujPOkyVX2A2jj5S1u8voByGoeAXdEXh1bzVEyaWgZcYD:CV2yaamKgFOAj5SYUZDNCh1HGyiiYD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9150825e3b664fc09bf1e52255bcbdfb1a03f19b3af4ebdb0303ba3d6b4506.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f77824a.exeC:\Users\Admin\AppData\Local\Temp\f77824a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77842d.exeC:\Users\Admin\AppData\Local\Temp\f77842d.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f77aab1.exeC:\Users\Admin\AppData\Local\Temp\f77aab1.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD57e56b5dbb567cec70d90f0d8c01195d1
SHA1a31a459cdcb2d40a2d2837c56c23c6e7d6ebb0ce
SHA256009c155ba2a9994ee9990caa4dce9eaedb26000d8ce925a103dc93c4cfdddf6d
SHA512ab9af4f3c41b10f419dc814bda4278401e05c95b342f590b45f23e3ccb9ee76f20a8ec32a9258581beec0ed9596559680839c70d7aa1379475507811d3138fbc
-
Filesize
97KB
MD5f863570d04d5ba3acdeaa906981e9081
SHA1ed0cddcc73ca643e1d90ef81be62f42f0a8f4115
SHA256010cd4ab4d4a31a404c6beda5ee7359323905b6f896ad9fc9b09d2f79d77c464
SHA512e448b6987aa0cd5411b5b0d0156ba076df66b97eb0cd5933d96ff7541b0a17d9d059ac8ed57b1f371b538bdaf83c296edf5ff987ebc82e937c1291706cac652c
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB