Analysis
-
max time kernel
85s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-12-2024 01:30
General
-
Target
1937188fc53fe17abc9f1eaa0ae1ba96ee6c0f500c4229689ddd05e8843324d6N.dll
-
Size
120KB
-
MD5
e27f2599b81fe6c32dad4b92f96cf4f0
-
SHA1
6e737171929c4332d82b6757fa7e96f9dac67745
-
SHA256
1937188fc53fe17abc9f1eaa0ae1ba96ee6c0f500c4229689ddd05e8843324d6
-
SHA512
5da79c165c06a95e1d4a7f09d8cbb4b9a9d635b20813ff65e751fa4f3eff1e932439afca9e5d2cd3a47e72708e2287fa0813dd7e08101ffcf742b477f71e3849
-
SSDEEP
1536:mwYhS7/ocx823mlEQyraNYjFAIFpOIj66x++UPmC9nP3NuU8KBEJt6qEeS:mzi/ocG2fC0xH6WLrC9nPdIhD6kS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1937188fc53fe17abc9f1eaa0ae1ba96ee6c0f500c4229689ddd05e8843324d6N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1937188fc53fe17abc9f1eaa0ae1ba96ee6c0f500c4229689ddd05e8843324d6N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768b5e.exeC:\Users\Admin\AppData\Local\Temp\f768b5e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768d13.exeC:\Users\Admin\AppData\Local\Temp\f768d13.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76a747.exeC:\Users\Admin\AppData\Local\Temp\f76a747.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5fdf093aaa6751f13e4ef38387cac78a3
SHA1b6c990cfc554f7a5ea809b038b41dd38aaae8b92
SHA2569b52cf31e243c6ed9f2ffc02e9dfd95aa627da7b36c60bdb3ef8c6b7383bd6c9
SHA512f1d5b4b6228336ff6ce338072de4b689a26dfd6105fb191b97d7b272c04b70f76c889f877946e93404b7a70d48a22d5fcd9b67b232f733260e1af3ac4da996d5
-
Filesize
97KB
MD57011ef1ba39450c77e0789cc1f5cecbe
SHA14e09071a66c8c36909c5580fb2d89fe05d4b7545
SHA256b3ef16fb404f4f1e802cc5fd2373b80a5c5e822cc72e17bf81ac117b894b6063
SHA512986e297ab8bb26ec6e6c3fd03e743862860fea96badf92ac939783154b38459e0ce13566611192182e64723f310c666c3bed90c89855d60147cd68a54b2f0bb3
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB