Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-12-2024 05:07
General
-
Target
0af4350372381d9fa3903a9e4e41eb5f9e7a9724b211da371a29236f2bb5743aN.dll
-
Size
120KB
-
MD5
2fbd67cb098d528974becf9ca393e060
-
SHA1
6390b2da857c9b0002d5615b4cffd01d492eca19
-
SHA256
0af4350372381d9fa3903a9e4e41eb5f9e7a9724b211da371a29236f2bb5743a
-
SHA512
b6df98b9221200713c8773ca3f4fa672718483cfe02e580b264f3492c444d5955b917829cbd1859b88358abe66250f86f51468f7782f9af46ee3cb8dce77a2fa
-
SSDEEP
3072:tpzg3lNJ3B9fQTn8wsUihLOpRQClmATC60:/gvNBFmn8wsbcRjmATh0
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0af4350372381d9fa3903a9e4e41eb5f9e7a9724b211da371a29236f2bb5743aN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0af4350372381d9fa3903a9e4e41eb5f9e7a9724b211da371a29236f2bb5743aN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76f9f8.exeC:\Users\Admin\AppData\Local\Temp\f76f9f8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76fc97.exeC:\Users\Admin\AppData\Local\Temp\f76fc97.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f772d96.exeC:\Users\Admin\AppData\Local\Temp\f772d96.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5a9114746c6c4774554cf2e1f49601178
SHA1c580628324b232e9c6d62b3e7377c61050fa1c15
SHA256f9361cc35a39077e0a7ce73ebb0ee1405d86fae2bf6c492cec1a06762ada6a37
SHA512cb687331010368f2a37eacff7c2190463fecccbd53f2746450afd6a9bf27c1b8f2d97ee269788c6217c0ecfcc9004555b8b183a85065bb8d4ae4ba96e3e8c746
-
Filesize
257B
MD5bf60c66d715da7821cbb7c96096579ea
SHA18385c6c3412bfdca1307b035eff308824aa74645
SHA256dfc85114a9b02948878fd996262d857e54edfaab64e95e2b89044e0f00b1dd0c
SHA51283a31d98edecaf83ad7f537c9caa6984627c9551fb86819578d045c97b5ddf9feee3886e39d54a524c1d34d5779a90c3425a2e71a8ad79a8f24dfa08305601bd
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB