Analysis
-
max time kernel
28s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
16-12-2024 18:17
General
-
Target
ebb493b4d22258346d9c1fa6cffb580509cfe79c9b3e7a938935b64b4d0f6455N.dll
-
Size
120KB
-
MD5
2e2cd0f76ecc931217e27fd4526f1d50
-
SHA1
e66fa05267a769e72bc97bbe3ca96c6a7a748be8
-
SHA256
ebb493b4d22258346d9c1fa6cffb580509cfe79c9b3e7a938935b64b4d0f6455
-
SHA512
30833205e3c2d345722aa5d37f0433d8471cbec3c6b75177511a6952e9e911d8c5b56a070af133230db0c6ed6519095d191e98f8890f9cf21130f4b77ec8aabe
-
SSDEEP
1536:tpQMaAyoiSc3YNMy1Un1yy+cW0T4sWkUeBS/gqWHwQXx0KURjNDShTDjSItuOfdz:tSpW41J+UT4sW4SQHdURYTiuuAd3d1
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebb493b4d22258346d9c1fa6cffb580509cfe79c9b3e7a938935b64b4d0f6455N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebb493b4d22258346d9c1fa6cffb580509cfe79c9b3e7a938935b64b4d0f6455N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7699a1.exeC:\Users\Admin\AppData\Local\Temp\f7699a1.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f769b84.exeC:\Users\Admin\AppData\Local\Temp\f769b84.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76b819.exeC:\Users\Admin\AppData\Local\Temp\f76b819.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5ea67806dcfca8cf2b8dfd17965e07c50
SHA1009a6df2c84a76e89baaeea7df0021e0b8064306
SHA2568f977758b162e08643f3fdf337d871915707e3d8acabea5df77e9bbbdd728007
SHA512ded5eaa408b92eecf552c4c3b7627ac1441f730e6f010917ac3d527bd8a760d5096de9398abf096a647b8caead51d205a8fc49a9b8fd9cd3bae02fc640ef772b
-
Filesize
97KB
MD57692c47416d755f6b436014b4a7e832b
SHA1b09efbc1cfbfe5fba0160a9bd473eb41d563516d
SHA2564c047def938c02e45dfa0db840e942dd7e911c20a7da41aa6963f2ce0c2cf4b5
SHA512b111cde3003fc6c3d131975f774e83b4e97efc2ba20fd49e7dc02ed27e4ae3be63541a9250946eea583748e2702d6728d4a03d54e527146e68cb5ddc6248529e
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB