Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20-12-2024 08:44
General
-
Target
e8c60df9bf657535b0cce87a0cd8bb3360d711f4b8061def4f2d38bebbb02f0f.dll
-
Size
120KB
-
MD5
3968cc0695a2a192ed232743e600ed8f
-
SHA1
4a439902109785f763cd9782e31031465403cc22
-
SHA256
e8c60df9bf657535b0cce87a0cd8bb3360d711f4b8061def4f2d38bebbb02f0f
-
SHA512
1506af71dc5684bef4702af9e39f022dd34f8b0d680065315677fa0b2455e1cc47734c648b8260b4d335280a732fb64d6c1d7142348acf59da9552765e8ac7cc
-
SSDEEP
3072:JJm8Ur/oHKz11V5Kayt3qaCGlQQPLvcWdHD7WQMno0:JsrAHKD8t3LlHLvHHR0
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e8c60df9bf657535b0cce87a0cd8bb3360d711f4b8061def4f2d38bebbb02f0f.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e8c60df9bf657535b0cce87a0cd8bb3360d711f4b8061def4f2d38bebbb02f0f.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f774099.exeC:\Users\Admin\AppData\Local\Temp\f774099.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7742ca.exeC:\Users\Admin\AppData\Local\Temp\f7742ca.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f775de9.exeC:\Users\Admin\AppData\Local\Temp\f775de9.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD50f63d490334fb862db6affb6bcb738ed
SHA1c321b0da81e2c6ef43ea2bfa54a1be9b591a2e1b
SHA256e60f1eb17e06081621cf84c4a87ec721e55d422bc85edc2dcd8117beca21d774
SHA512e91b8b23877c5933f366c5c3399bf6ce7108bbc3ca847aa259374cdd1fbb1427981b8b6e1110749093e1b9eb4304577e6498a4e2628cbf615399414d64533c73
-
Filesize
97KB
MD55292870566904e1fab5d1df7420d9437
SHA16efc0cca7ee7b7a3167eb55a623bf80e2f5c9a60
SHA256ddec59fbf44420f28dc88bc0cf65ba9460aac3537527ad74f9907f798af37d34
SHA5120a7f5c8ffd1d2dcd4099fb1ded2954acd693e8adcfc1c180860d731f82087deb3da88b11d83acba4545bf616199363127ae36e2b4e46b794d3ce639304d2b1bd
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB