Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
15-12-2024 22:05
General
-
Target
4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll
-
Size
120KB
-
MD5
c47745b1195f7c9a274921de15ff7c1a
-
SHA1
d0faa49e7e94a7069febab86a57528a903bc39cb
-
SHA256
4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05
-
SHA512
8c31e3b2b5b655e0c49f027fd53f9a28ac6729348069c776a7ced77c088e11695da06924d56df5060cdaeeee2728bb3628e10adb7bf3872a69cf7c8ee992a18a
-
SSDEEP
3072:euYY3Nd1zWEFscoa2pZI28s1N5h+saUHogCHp:ZYOd1zWEFEG25N5UpngCJ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f776162.exeC:\Users\Admin\AppData\Local\Temp\f776162.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7764db.exeC:\Users\Admin\AppData\Local\Temp\f7764db.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f778305.exeC:\Users\Admin\AppData\Local\Temp\f778305.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD562efb4ab0e42045134ca80f867cd6cf2
SHA1729434ce2842fb4b9349efd4c61570f77f974108
SHA2567b1988586faabda080e94ef4fc5e4a9c109d6b5bbd819e9ad219ea778b002b42
SHA512b75b3a1baa68691deee990e17ab45c49ee338b114bd63a61193234460e409a971426a75edab194465033abf23824a1cf0216271ba890d1491bfe270840e2a6df
-
Filesize
97KB
MD51c8db678d5eaa482d3124f483f4fe42c
SHA19c87e342508405bbfa12d8105c24318b0ce22997
SHA2566bade7cea956e302bfb87477b216a457defa23724e4451440382645087ecae8a
SHA512c6ee14521d11d81292abbadbebaa19525bbbef0810e325054ce5a675bc8655a7ef4c4a8f794716f436f7189f62a4301d35887aab9a0e826564843ce13f4e0eb9
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB