Overview

overview

10

Static

static

3

3180b40072...55.dll

windows7-x64

10

3180b40072...55.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3180b400721d12d08f1bbb3c824387808072084d6f6117b92616c4d5ca52d155.dll

  • Size

    120KB

  • MD5

    e7a2dc2e4425367d4c57944ae02e1f05

  • SHA1

    1042b169c08b787b2cf2008bacd097b772e3abc4

  • SHA256

    3180b400721d12d08f1bbb3c824387808072084d6f6117b92616c4d5ca52d155

  • SHA512

    151b9db3770e993fe04b817730828ed0a830fec5ed0cbf7b02120b6cdec3ff8f281b7b78c4fa4008a839e47c72975f1d158d0d50341bbdddb57f57fa44dc6093

  • SSDEEP

    3072:O56afCMSHn07cvlm7gWa3k010Cx+/N1TY:P4CMSH0wvlwLJ010cwn0

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1044
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1076
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\3180b400721d12d08f1bbb3c824387808072084d6f6117b92616c4d5ca52d155.dll,#1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\3180b400721d12d08f1bbb3c824387808072084d6f6117b92616c4d5ca52d155.dll,#1
            3⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Users\Admin\AppData\Local\Temp\f76b76d.exe
              C:\Users\Admin\AppData\Local\Temp\f76b76d.exe
              4⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3056
            • C:\Users\Admin\AppData\Local\Temp\f76b8c4.exe
              C:\Users\Admin\AppData\Local\Temp\f76b8c4.exe
              4⤵
              • Executes dropped EXE
              PID:2824
            • C:\Users\Admin\AppData\Local\Temp\f76d2f8.exe
              C:\Users\Admin\AppData\Local\Temp\f76d2f8.exe
              4⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2592
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1112
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2020

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            2d1579b27cfc8388b80d85d07b85e3ba

            SHA1

            762754c8894b35cac5a8ef3be34bfedc650c1375

            SHA256

            ab8ede33d6fff9e50040522a9246737137f128393b35f62394785abc91eb530e

            SHA512

            ca021ecf3829bf733d7e0d278f6b8a44fb57dbc070d7b008f95a1f825a7ea29408b625636326c2e52849c06957db2fb35069ee885d384b9fcd69254f9c368c67

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76b76d.exe
            Filesize

            97KB

            MD5

            29974c7d2428e898aadcb8f14d0665dc

            SHA1

            be1713aac4b47e622804b7e7e93f7e708c11ccae

            SHA256

            ec855cd23a6e83c83eb610435979522b4b77bebb7596d7217787dbea20d1c826

            SHA512

            510bde41d50de160fefe0dad9e6bf069719c38cac3b7da477a4714de78117c03e7653592e34e31b20a353b8486a9345ac2d3b2da76b6d71b461966d5c0b25924

            Download Submit

          • memory/1044-23-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2592-107-0x00000000003B0000-0x00000000003B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2592-211-0x0000000000A60000-0x0000000001B1A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2592-183-0x0000000000A60000-0x0000000001B1A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2592-132-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2592-108-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2592-210-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2592-105-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2824-182-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2824-102-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2824-101-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2824-55-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2824-100-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2824-127-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3052-42-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3052-33-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3052-32-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-53-0x00000000001D0000-0x00000000001E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-84-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-54-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-51-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-8-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3052-77-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3052-82-0x00000000001F0000-0x0000000000202000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3056-22-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-67-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-66-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-69-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-70-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-65-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-64-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-63-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-85-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-87-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-88-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-62-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3056-61-0x0000000000470000-0x0000000000472000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3056-19-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-21-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-14-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-15-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-16-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-20-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-18-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-43-0x0000000000480000-0x0000000000481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3056-13-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-154-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-153-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3056-17-0x0000000000590000-0x000000000164A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/3056-10-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download