Analysis
-
max time kernel
28s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
16-12-2024 00:34
General
-
Target
4ee9abd2adedeade729a1766a01d1cf7ad4b934bdfeca5ff05b6ef4dedd82f4cN.dll
-
Size
120KB
-
MD5
1aef5425d150567b4f6127470710a7f0
-
SHA1
92fed5d444318dd2be77db10357fdb6bb6c33527
-
SHA256
4ee9abd2adedeade729a1766a01d1cf7ad4b934bdfeca5ff05b6ef4dedd82f4c
-
SHA512
b8de5b1601b1e592411b1bef29dc12e121401876d02314539563063a6b29a934f437ab0ad3c5b57a5034d898f677a5d44376d3e6fd6b8ccb8057d6b7db276f71
-
SSDEEP
1536:DX8baENrvgSvzW+y1YUH3rmTG9qoBEMxbpUooP2C29Uj7dJRh0C6x8hpQ7j:DX8bxrvgz++Yi3Jx1Ui59U/psj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4ee9abd2adedeade729a1766a01d1cf7ad4b934bdfeca5ff05b6ef4dedd82f4cN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4ee9abd2adedeade729a1766a01d1cf7ad4b934bdfeca5ff05b6ef4dedd82f4cN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f77406a.exeC:\Users\Admin\AppData\Local\Temp\f77406a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77422e.exeC:\Users\Admin\AppData\Local\Temp\f77422e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f775ea4.exeC:\Users\Admin\AppData\Local\Temp\f775ea4.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD50f63d490334fb862db6affb6bcb738ed
SHA1c321b0da81e2c6ef43ea2bfa54a1be9b591a2e1b
SHA256e60f1eb17e06081621cf84c4a87ec721e55d422bc85edc2dcd8117beca21d774
SHA512e91b8b23877c5933f366c5c3399bf6ce7108bbc3ca847aa259374cdd1fbb1427981b8b6e1110749093e1b9eb4304577e6498a4e2628cbf615399414d64533c73
-
Filesize
97KB
MD534f971799386501f1eb4b400ee9a47d7
SHA1bd73c2d7962ab84a83023e4e9076a71b4af3846d
SHA2568f0c8dac86418ac6d45206c31339860246e5ff52e10d36eaff87aaa9900bcba6
SHA51253fd9fda87406ef2705db120d2b977be36aeed983987da3d3362610f1e79ac4a963dfe118139d11350a3910b6660d59af94c51ceb292e273ff5f50562357febf
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB