Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21-12-2024 06:30
General
-
Target
f00b2d2d09fe49949de8124d5cdfc37cde71e7f1ad9a2a6a1eb79a18350c57f4.dll
-
Size
120KB
-
MD5
0377d1e4243d8eb5cdbcfd6ee02db0dc
-
SHA1
412d7258957782e23f95a3906d651adfc2cca90d
-
SHA256
f00b2d2d09fe49949de8124d5cdfc37cde71e7f1ad9a2a6a1eb79a18350c57f4
-
SHA512
1f3c9518bd697a56f4f36d1849977a54e68c519463133d1005b3dc0c18487a3ea916048a32095e5d8d439e2fb14db522f65a38c4704ea6c5de6a5fe8dde9fed0
-
SSDEEP
1536:HpGmleHJo1/OHCy/qrBrXovssgYEaYm2yXiHwRypxoO0Qb/8t9:wrprHl/8rXovXgxaYmncXipQQ9
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f00b2d2d09fe49949de8124d5cdfc37cde71e7f1ad9a2a6a1eb79a18350c57f4.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f00b2d2d09fe49949de8124d5cdfc37cde71e7f1ad9a2a6a1eb79a18350c57f4.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76eba6.exeC:\Users\Admin\AppData\Local\Temp\f76eba6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76ed4c.exeC:\Users\Admin\AppData\Local\Temp\f76ed4c.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f770760.exeC:\Users\Admin\AppData\Local\Temp\f770760.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD58d2e3b2d5c2a29f8ee29df1a4a96482e
SHA198ae8425d866858ee499b862217efdc2837687cc
SHA25654040b0bf63585eecb21fdb17363719f30cf1a812cc38ae6894c78076bee47d9
SHA51280e7308560f8840f8e98cb89e53e651b8d7d400193ba376b77ded0b6af60751725dbb86991915562d8ab85141f0f295f6f2edb094df3c669a9a23ae115faa152
-
Filesize
97KB
MD5787368a631f39df68322099ebc03e38d
SHA1fcc75bb9bfd8c8c551f8fadcc0db61dd34fabc0f
SHA25636b8d650571536151e8f5fb3d1793bc40e0b6cc835d5de60efcc036fac91365e
SHA51262b148830993ca9555c11f388129842ad29195e7bb9ca0e493c5bd7fae7a83ba0d07ffdaea84ca1dd408f90424c94eabfd01e2a8f1a630d554333c3e302b1eb7
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB