Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17-12-2024 04:43
General
-
Target
c61080b2053d469f9fd51fea056abf12669a92c5c1ee4257fd162d5039317153.dll
-
Size
120KB
-
MD5
1901d561a8f0ab76de2d748818c0719a
-
SHA1
73def8243376ecf609eea8825578829fd15227b0
-
SHA256
c61080b2053d469f9fd51fea056abf12669a92c5c1ee4257fd162d5039317153
-
SHA512
b5794bd4f26a2ed92398fbc6ba5be4a7a145dc98c66be48035c78b1f615fd94f3e01eda7b672cf3d1c7184ca1170377486f0adcd64a66b76ca24f3b438fc4c23
-
SSDEEP
1536:MqEFDRUCUFxB4QIEwW3ClSP/AB9WYdFXaJWgDaxUUF/Kb6uNYkkMB:nCt+xB5IEGl4HfaaU1o6CYVMB
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c61080b2053d469f9fd51fea056abf12669a92c5c1ee4257fd162d5039317153.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c61080b2053d469f9fd51fea056abf12669a92c5c1ee4257fd162d5039317153.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f770f6c.exeC:\Users\Admin\AppData\Local\Temp\f770f6c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f771381.exeC:\Users\Admin\AppData\Local\Temp\f771381.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f773295.exeC:\Users\Admin\AppData\Local\Temp\f773295.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5a33aac844fecc4e6cb6e0cf190a2be45
SHA1656c84f4b9f750c62e1ae52ee9d128853124edfa
SHA256d210637c2ee910c4ccba8a96d61a64263d2b52d8597dec26a28116bace905bff
SHA5126b924a8f9b984aaecfb4d456f99901a090a54d89d64fb38c63cc3097f0536a9c54c5cb12e62d1d430ef78bca2eca0eee8ad3802470c9266a648fb5c5888d7fe6
-
Filesize
97KB
MD5aabf6e4da2db7e6d74322ceefa9c0313
SHA1b77a121679d46601edf948f3d6f2f9f328c3cbdc
SHA2569a345049bb944c3ec301048ff33d817f1e0f42786955794421ccb5859179b514
SHA5123d2f3a8da1380b8d902de477a911833b6db34498cf9efdbd0d53744f48af9285edcd17eaa223fd2e84247b29e6b2320f82f79ef9dc006e49ed039551522d09b7
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB