Overview

overview

10

Static

static

3

1dfada4108...dc.dll

windows7-x64

10

1dfada4108...dc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1dfada41083d3a3f8390120c7d402636c1983e3870cff2962e08b10aab5aaadc.dll

  • Size

    120KB

  • MD5

    45aa6febc3a89e5271faf9fac8a0d591

  • SHA1

    dcafd896c71e5441c23282c89db9219917840e29

  • SHA256

    1dfada41083d3a3f8390120c7d402636c1983e3870cff2962e08b10aab5aaadc

  • SHA512

    fd6e5eef12c1e483cd69ce2e541d5cb3be0764b564b72fcac71966a88e590559107b8f7e2b83b9ebdc1ac460df86afe2143445f33911fe5102eee6dc74f76fc8

  • SSDEEP

    1536:2HNmz46IQB9nPQA6qCvFXVTLh+acQNyZYBS00hFpl5EsnSRItDioQ0jYSbRACpd:Q04JQBq1VnhIQBB0d59SRaioDjYSbqCD

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 9 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1168
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1204
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfada41083d3a3f8390120c7d402636c1983e3870cff2962e08b10aab5aaadc.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfada41083d3a3f8390120c7d402636c1983e3870cff2962e08b10aab5aaadc.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Users\Admin\AppData\Local\Temp\f764cf8.exe
                C:\Users\Admin\AppData\Local\Temp\f764cf8.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2248
              • C:\Users\Admin\AppData\Local\Temp\f764e8d.exe
                C:\Users\Admin\AppData\Local\Temp\f764e8d.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • System policy modification
                PID:2628
              • C:\Users\Admin\AppData\Local\Temp\f7672c0.exe
                C:\Users\Admin\AppData\Local\Temp\f7672c0.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:584
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1488

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\cwjv.exe
            Filesize

            1KB

            MD5

            b360fa63134a63f9acfe046d2dfe10d9

            SHA1

            b47a7f2ad61c79e454b55e39b0d7500aca753a17

            SHA256

            03e0c6c4ca8a24f961477887763397045e67862e059f7494014aefc21891d40e

            SHA512

            575673255d389fc6667f46931301925bf4bb3030d7a3f6da3d3e7d878f86bb496ad6706e20191a1daa2e177cacda9b677424327bd9d438c1ad109c4222064102

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            fff842c79b5fdb1003518d49dfc50c8d

            SHA1

            080f8f1c1c5e2a13037d8a4ce39241da31f0fdec

            SHA256

            a5fc34e2839beb9b2e66cb958d1ed42d4633467545b6e6a000b9bea93ef95c9e

            SHA512

            95ac0c202a64a3d4f351645c82fb1a5770064411cfb77e1957d81d13994fc30955816acd7dd33c4dd2fcfae9d1eef1a91864a1f90b1725e2d3f80813be0ef9af

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f764cf8.exe
            Filesize

            97KB

            MD5

            5e69ec71ef0e6197016c73c6ec9f3594

            SHA1

            5ed251d21228ac768911387915c55ebd0c8633b3

            SHA256

            976ce05521da2b4bdfd59f001f7e7b65cb0521a3522067b12f93bc9eb43bb30f

            SHA512

            5d033079d12dd302bb6987ecf7665bc67b30431e8545f9d2b6ee1edd104917560b965e8c633327b701baf3f5fe2aa2edff130de3dd81a4bfcaaa064f3fe593fd

            Download Submit

          • memory/584-211-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/584-210-0x0000000000990000-0x0000000001A4A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/584-186-0x0000000000990000-0x0000000001A4A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/584-167-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/584-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/584-102-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1108-23-0x0000000001F10000-0x0000000001F12000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2248-63-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-108-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-18-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-48-0x0000000000530000-0x0000000000532000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2248-47-0x0000000000530000-0x0000000000532000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2248-20-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-40-0x0000000000540000-0x0000000000541000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2248-16-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-11-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2248-22-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-21-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-12-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-19-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-17-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-14-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-60-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-61-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-62-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-150-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-64-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-65-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-66-0x0000000000530000-0x0000000000532000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2248-68-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-149-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2248-69-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-107-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-83-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-105-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-15-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2248-104-0x00000000006D0000-0x000000000178A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2628-166-0x00000000009A0000-0x0000000001A5A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2628-99-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2628-173-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2628-172-0x00000000009A0000-0x0000000001A5A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2628-93-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2628-123-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-58-0x0000000000230000-0x0000000000232000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-51-0x0000000000290000-0x00000000002A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-8-0x0000000000130000-0x0000000000142000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-70-0x0000000000230000-0x0000000000232000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-9-0x0000000000130000-0x0000000000142000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-81-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-31-0x0000000000280000-0x0000000000281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3052-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3052-30-0x0000000000230000-0x0000000000232000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-57-0x0000000000290000-0x00000000002A2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-39-0x0000000000280000-0x0000000000281000-memory.dmp

            Filesize

            4KB

            Download