Analysis
-
max time kernel
24s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
17-12-2024 06:30
General
-
Target
633e801dfa663b1f6ca1377e874e9e7aa14271c70aa28d0e528d53e8e968b243.dll
-
Size
120KB
-
MD5
9f42f9b80d5b45a755c4afceecad2d7b
-
SHA1
10bc3bb7e44f0353f6da5c5e82e463d305ef8c64
-
SHA256
633e801dfa663b1f6ca1377e874e9e7aa14271c70aa28d0e528d53e8e968b243
-
SHA512
921508e0a31d8f79701795e54992286100dbbff6f67e5f9e6cb8b4f1209ca9795ced437f51c6987920e882c256996088cc32814545a1a7f23ddc505ce36d63d0
-
SSDEEP
1536:uwx9OwQmXUI7vsLOrJlCmnyQ15HKKBC+n2JDjF+w4zY9fmvkpYqARKQxvWLaYcZ4:xmWXUS19VKxJZ+w4zYwvkf6xxvTYO93e
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\633e801dfa663b1f6ca1377e874e9e7aa14271c70aa28d0e528d53e8e968b243.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\633e801dfa663b1f6ca1377e874e9e7aa14271c70aa28d0e528d53e8e968b243.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76c6b9.exeC:\Users\Admin\AppData\Local\Temp\f76c6b9.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76c83f.exeC:\Users\Admin\AppData\Local\Temp\f76c83f.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76e2a2.exeC:\Users\Admin\AppData\Local\Temp\f76e2a2.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD59fec485583baadc957d7852ac4548870
SHA1a5eb27d64cbb256f66eb0ffb7bd23702b4552f96
SHA25604c12761c574da774b26e9d8961c4eaa8cf3dc7eb372c9cf5cfeaa7e809bafdd
SHA5126437afa625111475afa10680bac77cf89bbc190cf0f16964ab4f70f2fd90cf07c03d85f955c1268721b7cee8ef485a81ac2ea763ff52c023c1fde9d6e436e33e
-
Filesize
257B
MD59cd17ea9fbccbd5138dcbb2e7b351a15
SHA1de97de3c71b3fa5e9c4941f1a818bb39c925c1d6
SHA256d150434dc5a1b17241726b85c2dfdbf3584ecbb6b2aaa121dbbf1dd462f3bdf6
SHA5126357b72ec75590b206647510817a2a18066fdc3700f02c2b14ca183d06763e00c4d0b69c76f2b498dd9550c1befa61578940549c94ddb0b2ed6786a1efdcc597
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB