Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06/12/2024, 18:19
General
-
Target
a88ed4c1c7ee088cb5954d41ea604af87e7cdb2858914537137b7bcbdc655e34.dll
-
Size
120KB
-
MD5
6dfa885e54ee2857bb9a8b7fc713a986
-
SHA1
cbd51b6202037bc25dc1b9e51363d96b8be3b4ce
-
SHA256
a88ed4c1c7ee088cb5954d41ea604af87e7cdb2858914537137b7bcbdc655e34
-
SHA512
6e273eb3f603396f8cc46a4b067b6575ac6754770ec941c653c5591708984d4afbd1c7b384a21ab0f124eee7ded0ccb07092849b4890a70106f44edd4a824d9d
-
SSDEEP
3072:eOsVtD0/PwyPhG75qZCNcQ/b1mfU4J6FsIN:eOkabP05qwiA1mRmsIN
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a88ed4c1c7ee088cb5954d41ea604af87e7cdb2858914537137b7bcbdc655e34.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a88ed4c1c7ee088cb5954d41ea604af87e7cdb2858914537137b7bcbdc655e34.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f766e8b.exeC:\Users\Admin\AppData\Local\Temp\f766e8b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f767002.exeC:\Users\Admin\AppData\Local\Temp\f767002.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f768a07.exeC:\Users\Admin\AppData\Local\Temp\f768a07.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5afb80be370c3b947488f0e75e76d0957
SHA150f1e37352728246a7e2454a8df93174d5b02c4b
SHA2567e54d320143bec22083a7393a8169569f306bbd8b721c51fa869f94df23a389b
SHA5124ca30be784e56c810c8a1558b743f3a1a970f3ff32cdbe454083905ccdb9b95ce5b6a889dcc264e205f237dbbef8665649902cb47742d279eef329892b9b0f9e
-
Filesize
97KB
MD53208517b67322128f06c5e202f6d6e61
SHA1017ccd84b13068e37d961fb9669a9c851d9883d0
SHA2562382e45fcad6e70ce4684133fc3ab7b50221e90ebb87f93b4be285b2d9796de4
SHA512e46d674fb549742a55b656e3cca7ee85c8eef5b65c85160fb487ec47af935cb121dd7593965b997a07b82bf8e124fd648314e117974008a3a0766f44a1cb883d
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB