Analysis
-
max time kernel
95s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18/12/2024, 21:42
General
-
Target
270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll
-
Size
499KB
-
MD5
513adbaff9834e9531b99707b51849ba
-
SHA1
9480449adcdd288e6b2331284838de464479111b
-
SHA256
270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719
-
SHA512
f073ba08e5272372211899b54aeee9b75a66f92ad441821797c90660aae252bea4c86a351110b2963fe5e80076b49e859594171bafe91346b2a8635d6e714518
-
SSDEEP
6144:P0IEu0/l7rUdoqWMvjcw3sWSAoITM+NPUHFWna2Wb8dzLSAHRI5jq:u79qXvjRc5AoIY+NPUlWna8QD5O
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 50 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\270486a14b13b411325508cd1dd8ed7d3efe91e1c54828b63756a1904c3bf719.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:700 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD55e99ec80bb4e60401972729dff7db4f2
SHA1a68a2f47614d8afd1b7afd1e0620d32cd393e2c0
SHA2566ac6e0c6b415580d28c082f0e59f45289379890a167c088a557d3e2578b424e0
SHA5127670c7e91ae9555458275effc570e107c9ae43b02e65f9200b773f9139dfe228faf55f5c4ac5d9d713d0231e16c129baf1c289534b42ac7b4d042f370240c654
-
Filesize
404B
MD5737b66fdd9e48fcf1a3bc5e25aa5c4e6
SHA146af19d0eb7c85245081cea8e84d6d7e518e1222
SHA256f0843df50d51ce1b954306cf5da4f29c648e124e15a3a1a29b291d5008977cca
SHA512c4f716ea65ddd266ab6b5c56548155179f02a42d527546652b50b26ad8d64802ac0148b3536fb05ba07639004695271b61a3aa1a78bf8436b3955955daad692f
-
Filesize
404B
MD5bbe5baa09c1443edc18d10b03732b7b0
SHA1b55ac9130848a747356154e86f85ba2ad8422811
SHA2569d8175c0f273ab5ce850e5c7aff61db0085abdecaddcc0199250abcafd3b2170
SHA51213d68254ab461c3d0f2d6b7652c3579386577bab9abce75fa186e5d0061b6a2caec092d223217324f0bced279239062c3c11fdb63e4795ad40b388dfd582a3ef
-
Filesize
5KB
MD51487c6bde1e7e232771eed8f464b9210
SHA1d2efc52c2e963445fc2b55521814e129a2d1a0e5
SHA25609463f0457f4107bc7ee5aab3d55f0ef91ac38aeb566f86e5227ca45f42b4099
SHA512d96763754d085e4511a2dd018ee5ed7712b4ead634d9b7afe918ba30c4385c8b811a3b39983ae825037b4104ead83855ba5cf987e81ca75838dbd8ab0115a0df
-
Filesize
3KB
MD5ac1c9ac34bfe783a2510c61c1481f4e7
SHA1a9d83a3709a6b4ec6793e449b81311b74fc0ce2b
SHA25689ac85bc6976fc2ef924b6ae3ff276919d05e6ec24744d0cd92e0e0428a00acc
SHA512c4478dfd613bc416c923b1e0423d9d7c8ef404a164360f3bd1870ccccb50aa9889e870a24238545170d26d11e1cd80b0b598096a458eb9e1442c0ca63933c3f0
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
Filesize
40KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
208KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
208KB