Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
17-12-2024 10:59
General
-
Target
a6a872ec195427d8541db257cc612efc9ededccf9258a92b33674ff26b924f68.dll
-
Size
120KB
-
MD5
571ab0ff276f26b7c7b7b839b736eb7e
-
SHA1
3396482f5e2fee68fc47a42ec6d729b286259795
-
SHA256
a6a872ec195427d8541db257cc612efc9ededccf9258a92b33674ff26b924f68
-
SHA512
d8b05b9b9f87ce101cd603ae23c5f1dae415d5605de62eb0a820fd0b5a949b34179b6b90f2b458ff77c6d9bf14da7c8eec3bcc6237cb8577914094790b288aea
-
SSDEEP
3072:PqYabBrMrjSBrkVlNl5/rgSSF8K7OYww3gzw:PqYirjSlNl5/kkYew
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a6a872ec195427d8541db257cc612efc9ededccf9258a92b33674ff26b924f68.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a6a872ec195427d8541db257cc612efc9ededccf9258a92b33674ff26b924f68.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f772636.exeC:\Users\Admin\AppData\Local\Temp\f772636.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77279d.exeC:\Users\Admin\AppData\Local\Temp\f77279d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f774caa.exeC:\Users\Admin\AppData\Local\Temp\f774caa.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5fc312ea364f0d13ee2848f78cb0a4ee2
SHA1799bf0a24efa6c18f44d9c14d202a7ff3322377a
SHA25644b47f19d89007dfd4fb83e7390062d4dc8300515a44b8a56f543630a75dc82f
SHA5124a7b1efc9b68eb54292faa09af7e93469f96123c959e53ee16446c08ba6efec2454d84bd26e234b7193adfc3f21fc6b3e51c5a784dc50e9c04c56dd26350a4bb
-
Filesize
97KB
MD514aa616df025d44e0e6861a4073e76a7
SHA138ea85496150e9b2a5714cd6eb1c9b5128c6af9d
SHA256e4905801ac018c6d3dd4eee2eb8e98e28ec0be3286bb40541870fb650b5adf23
SHA51217ea5cfa4c480a2685fbd522c4f62dae4b70cfb95bce4815c3607b6410c2859384565fd157c60ccf99b0be0f336447cb6f5ea6c0fb6c0e697b533e76cd64ec0e
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB