Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
16-12-2024 18:32
General
-
Target
cae2b8ebdd47c2d7097fd21cf465dc59c981975deb9e6a4b4dc1fc9daaaaa3ffN.dll
-
Size
120KB
-
MD5
2f947c28de0d615cf2526bd328565570
-
SHA1
7e8a07125c9503ba8984e94691a0a9a5cf0752ed
-
SHA256
cae2b8ebdd47c2d7097fd21cf465dc59c981975deb9e6a4b4dc1fc9daaaaa3ff
-
SHA512
92d07c0cbc9101b82d821534b8919ff331ad9b892b36c2bdb0a59a01efdce2ac251d966ad12a8e9dd029c1f2c85fb265fab6e56b0e52585e5979fa3084b78423
-
SSDEEP
1536:k5UrRXFvW2ETeaHMXclBt21VO3IJuAWhEMFT0eBf+pY3/xsCOFR8tJP:kS9Ceo/BIVO3wuAWKSGpY3GCN
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cae2b8ebdd47c2d7097fd21cf465dc59c981975deb9e6a4b4dc1fc9daaaaa3ffN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cae2b8ebdd47c2d7097fd21cf465dc59c981975deb9e6a4b4dc1fc9daaaaa3ffN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f769a8b.exeC:\Users\Admin\AppData\Local\Temp\f769a8b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769c30.exeC:\Users\Admin\AppData\Local\Temp\f769c30.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76b9dd.exeC:\Users\Admin\AppData\Local\Temp\f76b9dd.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD555eee58704ad92d1ae7597871b08c7ac
SHA19788c294fd6b25df41c320bf9ca7d6045be0f131
SHA256ff8deff5f87ab97e797e9b30d97ff5e15fad84cc6cba41ceafeff076052f05a3
SHA5124b76b7a3033c07485cf4e5680e07984c64b0e6c68119d88492ff1139df35d5dd5e2d127636bb55bb27e22b1aede0044fd8729503d8203e5f345b7f5b867262f6
-
Filesize
97KB
MD55bf84153f4e2efe53252de5f8f6cae8e
SHA186b53ea74c103ae0868d19d28e8ef54f60cb2197
SHA256c8d8e0ce9675cdd9a10c71699cdbca3c23c1cf0c992a7c42622aae1ffb37bca2
SHA5129060aa7dd541835172389c43024fc4810e150ae1cecd0ccbb2ec50bc890c6635bed2e4c8dc6b37b21bace836de3d0c0804026d784fd2112b8929891933bc8633
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB