Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-12-2024 13:39
General
-
Target
5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll
-
Size
120KB
-
MD5
7a64d212765cd73abbaf9d029794a5b0
-
SHA1
d3c4467355398ec5c40a863eb000bfaf60f9b581
-
SHA256
5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140b
-
SHA512
80d62c48dcba94777e7ae8320a86ac64d1838dfec840b8708741032111f73c4404f8ca4de7a8100673c48e5863f7f4412f15d7d94b2526a77934f7da06c6faad
-
SSDEEP
1536:yNpXNV370nW/deVWifQ5udLFh7uZncixc2ttrftgBn5gZHwYAWr9y1lgBGu9pHCx:yHNd70WMVWZYFBexBt9Osro1lKXVs
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5a909b8bfbc11504be8d47b6f70d26dd6cf7c01eb387fd0b7f776f084c42140bN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76af91.exeC:\Users\Admin\AppData\Local\Temp\f76af91.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76b145.exeC:\Users\Admin\AppData\Local\Temp\f76b145.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76cb3b.exeC:\Users\Admin\AppData\Local\Temp\f76cb3b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5328b36b361271e299371bf479f2b0071
SHA1d8ad63154146c558d8e029b912e70fd36e468dfa
SHA25613acd03482bc53b18a1a9b7278de32556d9d4bb56c0f41e0b26f1ebdeb208863
SHA5125dc32f7eb8b4e4aae2eafce2b88cd541f6a41a0ecdc96a8a6187b2e307454d6790e028cbe8f5e6d44057763164fe333b9a717eba8d888d22abecea36b2e58e2f
-
Filesize
97KB
MD5340330a060f3baa0fbe0071059344c1e
SHA19935a8d041e27402d27a7df76955c97a544fe8cf
SHA256d7ed5e52606b00eaf1fed390f4597eb6a26aca307e9343bfe0d7ce82f5023d28
SHA5127029e3bf859bd8d55b8ee6a9e30b42d528387def53d3a74b84bb016cb6cab629d9cb37b2d9a91020979f1ba427caac800971178571dfea16f0d5412ef7241f82
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB