Analysis
-
max time kernel
20s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
17-12-2024 07:07
General
-
Target
e78db7b4e925e3070cafea6f405ec836108046487743779b3b3fb03b0f86ec9fN.dll
-
Size
120KB
-
MD5
bf96e07a3d5bb51ca6bf334536c3b280
-
SHA1
1b3a3261eee9ee3947ec2c5bb0912d060e780469
-
SHA256
e78db7b4e925e3070cafea6f405ec836108046487743779b3b3fb03b0f86ec9f
-
SHA512
f1913a4fab515feea736422720e407e219e9b9198ca25bd6a0664d3fc31b8ac19745386986c860070907578fad7376563bdc495ace9b1d2727e4a4e0f00da84d
-
SSDEEP
3072:5HvA1XuW8EbPFm1U4CBPyj9h7vB18Bjus7Zz:Wd/8OPQ19h75qBjn7Z
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e78db7b4e925e3070cafea6f405ec836108046487743779b3b3fb03b0f86ec9fN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e78db7b4e925e3070cafea6f405ec836108046487743779b3b3fb03b0f86ec9fN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768e0d.exeC:\Users\Admin\AppData\Local\Temp\f768e0d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768f73.exeC:\Users\Admin\AppData\Local\Temp\f768f73.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76a9f5.exeC:\Users\Admin\AppData\Local\Temp\f76a9f5.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD54daa67aa412feb66105b0e5a82c46bed
SHA1b6287c473059b72d34f377c98bbc8dcdb82521d4
SHA256f7d697a41ae3075cac1fc9b9735c63a5d4279902f321d48d7a555e45453d30af
SHA5129ef7fe9bef70441f1570670e4d48363ed0769c823d466b8a0c0052f46f7460f04f2cd8e0c999bc93fd9d487f4bb5c5624b78ee7a3288a4b6d4d40bfdb429df2a
-
Filesize
257B
MD54ffb07d503e895024776f50601f4bb5e
SHA117d30dd21a2241a05e5c3adf146c2a163344dd42
SHA2563ff4b5f143216cbd01bc262c71386346e8c7b17499b30f41270d0617b5614a0d
SHA51201c8332696e7ab14121a4d8db2d7700904a63d74b32553eb02d2c0c60eb326a091c287e0c46208381378737524ea2b1a68d2b1bb05b689e6184fefe788f17a8e
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB