Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
16-12-2024 07:28
General
-
Target
9ac52c0e2f3f2cb522378d6bdd1bce7b80bc1997794f14c2a74fe0604b3a169eN.dll
-
Size
120KB
-
MD5
429f6990aea3ac2049b5f28b22ba93b0
-
SHA1
12617c4b7b0b8a85348f0a6aaf2a2263a75c0a3c
-
SHA256
9ac52c0e2f3f2cb522378d6bdd1bce7b80bc1997794f14c2a74fe0604b3a169e
-
SHA512
72a59d460d8c44326ce1d3edfc35b964ce2434aa6a11182976e3c4ff81d271732e25a18b91615403ab40d9a0b1dc3494ae30cd26e587e22d5ee380f5a7798621
-
SSDEEP
3072:xL1WiK8Bhv5dZ59lZNJ2/pLyanOJo7SA:vWczv5LqBbn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ac52c0e2f3f2cb522378d6bdd1bce7b80bc1997794f14c2a74fe0604b3a169eN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ac52c0e2f3f2cb522378d6bdd1bce7b80bc1997794f14c2a74fe0604b3a169eN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76b193.exeC:\Users\Admin\AppData\Local\Temp\f76b193.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76b348.exeC:\Users\Admin\AppData\Local\Temp\f76b348.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76cd4d.exeC:\Users\Admin\AppData\Local\Temp\f76cd4d.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD50db24aaf44d4a519be66e7ca14ddd26c
SHA171a439a13893ea1ea135611396bf8feb6cbcd473
SHA25642ac727db5ee4bf251f3137ccab43870b3b15478dcdc3bdee4b2a26662e225cc
SHA512d300e6e66c6a063072393c9e0b7e1928d8a5064363106f5949c0a9b2648b3cbb051235193c39f2ac9cc7cc5d3c06ef4510ed23fdc8c99ff322afaab7d4756db3
-
Filesize
97KB
MD5882b66215632bf9fc1c872bbfae5378c
SHA16b31efe410eb1339fe6a74f88ba0c40ecb249243
SHA256722a2312c385db0eba7f57e6424170026509dd4cf3647fddfa3490f940d71e5a
SHA512a4d07fe8a1361315c72f459073cc58912a85948e2cd289673d898b89036931934370df47e46b7957550f9bd0dc1a854cb784eda50ed6e7cb02c1a9ded0262ce9
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB