Analysis
-
max time kernel
8s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
18-12-2024 21:42
General
-
Target
270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll
-
Size
499KB
-
MD5
513adbaff9834e9531b99707b51849ba
-
SHA1
9480449adcdd288e6b2331284838de464479111b
-
SHA256
270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719
-
SHA512
f073ba08e5272372211899b54aeee9b75a66f92ad441821797c90660aae252bea4c86a351110b2963fe5e80076b49e859594171bafe91346b2a8635d6e714518
-
SSDEEP
6144:P0IEu0/l7rUdoqWMvjcw3sWSAoITM+NPUHFWna2Wb8dzLSAHRI5jq:u79qXvjRc5AoIY+NPUlWna8QD5O
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:340993 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5c9240d97ea7f09c96e9142c6bbee8501
SHA1f9792c4dc02fc3dded597178378552a61c1c1cb7
SHA256920bfad4b26a66894c7d247babe43765808ab1e9ead3214df11f53779d9e2814
SHA5125795fb6c3357b9ac32ddd2f25ec47c04649ed249acd7e7ef99553d657063936950ffad4e55ed00a3b73e6be03a6266a16ab3731a1df71eeeb87a752055ec3d2b
-
Filesize
342B
MD5472819d69b4a79a862904824f3d431e9
SHA1dfad08fa8c43ccda3f23fe0b347a184213a41591
SHA25616d7c8715d5dadf2f2408bb311fbb3ce4548cc255578789a875b6d69ec72f99b
SHA512f9f996ccd4996be7fecf27f13cbb1ab3fda4f1d69ff88ba327d21d29f50194c07f42632d464922cc49ae96a205907178b71dda9055fd7cbee855c2609a750860
-
Filesize
342B
MD519357414a92a5bcd0154ee0ba5d0217b
SHA187a96c4f21c46f38df636216bec439f64c393ed8
SHA256611d7516df9d44ec9ed84db46b40989dfc5d39ddb43a1545f2a0809dfed48aea
SHA512e04f5c3b8a52650099e6cc404a667c7ca6037d9040008ca4d4b0c081fcd7faebcb0c2d55aa492b0f010e7052a4788ea2769014af4189c26a48b3ef9ad7da51c5
-
Filesize
342B
MD515922497cc7d6b7ecd0e33e704d657c0
SHA18d59b83ba9a1dece11f5117fa2bd12f14babd44a
SHA256b26717141860d9deeb8d1ca4826b5527f7cea975ee1aa63dad4702c59afe8090
SHA5120aa19d768d1b002203bef37f478fd6ab3ea8347a5ee8a423c4635dcecb35b364e8a892cb656a24d920ad3d94269fcc384cd23dc7c91d09280bb89692db1a71a5
-
Filesize
342B
MD5ca83d21ed68c0fe218557f7aab3e5ab7
SHA133a4592a4326e72a9b069cb083af7c95df5ef521
SHA256877b0a1782443dfb21a78461f4d209d5c79fdf9496531b5b720471c506b735be
SHA51267a96e85e5fa4ff0c4b56b31a78cd46854f3e3042f7071bb9f68d1376192b3e29d5ba2873b711beb24a8490c290940f7d580de7778d301e8b5e2708b5038b63d
-
Filesize
342B
MD525e1dbea550f6956914fae6f3c0a955e
SHA12e76d5be770125bea365eca83a533c638b23c5f9
SHA2560a5587625a7bf5ca93cd4e70581949de5545031a46b0f6885b438fcd40845b21
SHA5122b41fc32cbf52fcd2659ac978f9518a419c0e6b9f9140d12dfe71dc4138f4b1dcf3cb8951765439ba1e66ffe563bb4e16ca7ba3093ae8b820c2b226ff533d2c3
-
Filesize
5KB
MD5ad5e8f565a25ae1579283ac86504a10a
SHA1caaf5a819acd241545e30ea49f34b1a62c77607e
SHA256ae2c5b8f37ad5f7f364b64f422c90713d13fa8b7b675e578c986f31d340c5473
SHA512b08aacd547aecada202f90f352c14a889d6fb615bf7d5c5029b52fa5dcd95df90a04fabc7dfc1ad33106fd5688588a07475f4af413148fcde9a4e41697b51d2e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
257B
MD5450acbd6f9c46b5b00a31182917fe26a
SHA1200262d4885265666061d85cf55df50d4cc7f503
SHA2566ddcc430d40292ac95391157fa6653e838aeef40627b011cd074aa72f74d573a
SHA512fbc6c5694bc739ed12114e7f3a712f23868d26d33248ad57284bc1fa86bd4bdd23a3850ea0b1f9739c2732165c4b4cdb1a19209677da4858afefccaf91838aea
-
Filesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
84KB
-
Filesize
40KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
208KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
208KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB