Analysis
-
max time kernel
28s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
16-12-2024 23:52
General
-
Target
53f9fd0e5ddf0e1e66285c72ea7028a504d0b18a8cb72da31edd4a351575fcd1.dll
-
Size
120KB
-
MD5
44b879a1d7c01ffdbfe20d0386ad8ff5
-
SHA1
e0a986d632f86ecdb167d6f5f3eafdec6ba8c18b
-
SHA256
53f9fd0e5ddf0e1e66285c72ea7028a504d0b18a8cb72da31edd4a351575fcd1
-
SHA512
9ccd7cd5ff36d0ff17254cdfc924845821b36c56a368c82f270d8f04e55e67a7b5e7894a578a5322cfeb9afce7957049b7a5a84adb911e8ad10ab29945ace44c
-
SSDEEP
3072:9cWWaDgLmp7rIBt9JE4VNugBluBAjWKMNiZpAS:9phYJlulQuS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\53f9fd0e5ddf0e1e66285c72ea7028a504d0b18a8cb72da31edd4a351575fcd1.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\53f9fd0e5ddf0e1e66285c72ea7028a504d0b18a8cb72da31edd4a351575fcd1.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f77ca32.exeC:\Users\Admin\AppData\Local\Temp\f77ca32.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77ce37.exeC:\Users\Admin\AppData\Local\Temp\f77ce37.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77e4a4.exeC:\Users\Admin\AppData\Local\Temp\f77e4a4.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD52460cc3c8c36f6f5281542282840b9f0
SHA1ea47f55e2d062ceeb652859a472066d363585f51
SHA256bf0a9b7ed378df6bd2eac2649b25528c4e0e097b04f3f9e00f9cde69da0b19f9
SHA512e1959ebfe302c5246ce829abc71d730ca03bb96c4452eb2a2867b6167d29f91ea95a6b60105cffbe945f75702606365f3336bc2f555d76ddefffeacb47c69861
-
Filesize
97KB
MD5d30e3d60b6019c13ebacb8fb04d60800
SHA16a55413b5d64f295629db1f49b8413609ba775f5
SHA256c5ab4823a876235a1116bc9aebe6ffe2ca17cc1309e689925c6d2ca726c7bd5a
SHA512547dc1b82051da096556b5ce8cbe5cabaa5450b220e0956f6e964e1656153fa59df144445fe248f0a7a55d190b4e478021bed270c8917b8a8afae638572c25a6
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB