Analysis
-
max time kernel
84s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
16-12-2024 08:52
General
-
Target
453df06e2eac4d5fbd0593556a657ff82acab8f1cf098ac93e61dad233ceabd8N.dll
-
Size
120KB
-
MD5
186ad9330eeef8c01a8e2b74fe42ffc0
-
SHA1
b804a1a4173bb362860276e2611e775155f9c3c5
-
SHA256
453df06e2eac4d5fbd0593556a657ff82acab8f1cf098ac93e61dad233ceabd8
-
SHA512
01abe036db94ede921e93f5b07e9377321b7b731f1bfb6e5d54c06e0c23390ab22c8688d4bf77f1c1a43a783c72fdf58ed611c1cdceb8fc5b3e6a3e2a2ae580b
-
SSDEEP
3072:DU6EGh36atFkgKooKmvuX/+piO3S6T3w6NZ5xW8:Dz36aERomm8N3S6TP9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 13 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\453df06e2eac4d5fbd0593556a657ff82acab8f1cf098ac93e61dad233ceabd8N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\453df06e2eac4d5fbd0593556a657ff82acab8f1cf098ac93e61dad233ceabd8N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7803d8.exeC:\Users\Admin\AppData\Local\Temp\f7803d8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f78054e.exeC:\Users\Admin\AppData\Local\Temp\f78054e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f781fb1.exeC:\Users\Admin\AppData\Local\Temp\f781fb1.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5d75492dc2ffa30a4747a444b4bb2a9de
SHA13154c2b467d19357eedd58374605ddc5567c5c3d
SHA256da30eb3b8f1a4a300ef1a3a4efda6902d052d961181da46b3e10bd6c006dd996
SHA512023ea91d483e6c8b10863ff2fe834023d9cae4ebcf7620f673fcef664ea059ad30c9f41a8941c432059ac31aad944e9f7b0bf57b112263d55fd57b97cad665bd
-
Filesize
97KB
MD560f82e71a5c4ce68f8f815377db45c48
SHA11588ec1f28906b76ea7c041460f4c42de265c7bb
SHA2561f3b31efcedbc9d1454c3961b54730a39f890d5939f23e3a30201037133f5092
SHA512c43f40d13e52a1f8e0f6b63648c8b7a8b0344ff4ac44338f0d9c40304725b9a68fb6a331ef1ea4b7159f1bd93a3a04c5dddbd34d275c8bc2b29a40f03bff1836
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB