Analysis
-
max time kernel
73s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
16-12-2024 05:34
General
-
Target
91fb8b80023fad2d586cadd740e6df49e5ddc561fe42097e5402423b5bbd03d4N.dll
-
Size
120KB
-
MD5
4b95d07ac023df674ad3c7f1a01b0550
-
SHA1
e88a8d19dbaf05db02ccb81c62138de9f4d985f6
-
SHA256
91fb8b80023fad2d586cadd740e6df49e5ddc561fe42097e5402423b5bbd03d4
-
SHA512
e30d8ebe948ef90c9e10dbdb8c4c023ddef9295de69535a7a06f5fc36d60adf62723e869d4b7266a301e1b45d00439aecddd959cdc603781a7695dca81d142b2
-
SSDEEP
3072:5ZNwZApGpcHr+9DTBIxCsICaHIA4Ac3gDPnj:TgApzHSFTWxOW+z7j
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91fb8b80023fad2d586cadd740e6df49e5ddc561fe42097e5402423b5bbd03d4N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\91fb8b80023fad2d586cadd740e6df49e5ddc561fe42097e5402423b5bbd03d4N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7795e9.exeC:\Users\Admin\AppData\Local\Temp\f7795e9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7797fb.exeC:\Users\Admin\AppData\Local\Temp\f7797fb.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77afee.exeC:\Users\Admin\AppData\Local\Temp\f77afee.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD54c3ebe91d69164fc27f89034758414e6
SHA1a44ce700347a8a61aecd981726c83ac8858e44c8
SHA25658a4bfa4379aa05db4d0798f2d357fc38061a44963cbd6621a88c98912316c35
SHA5125dd76210cc3fc74705dd10ac12d4ae01eed84e1e592a3c2fc0e2209faeb7753f94f78446e285bbe48d6668d4227ae27e4922cd20482b31590156624321d1a849
-
Filesize
97KB
MD5a2b98a89b68e3d0de4601db9c0af111a
SHA161d45d674e5570700cb9a3872c5b57ca1af57fd3
SHA2561a23f421d123c34620db57ac3ddcffb45d6f36a98709fd0d5a12afd2b672bf51
SHA5123c2123c047902a485ee579c633a82f71f9850e3d2b178c6e934bab4b902810f51089ef8f1f48ac2acd1895f059ff2dcd7244b03a92d897411abec277d0866b1c
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB