Overview

overview

10

Static

static

3

7e72095dc9...e1.dll

windows7-x64

10

7e72095dc9...e1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 00:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e72095dc929622d7806f4a6a1abc628f54605f47f9c29e1535bf31ca174fee1.dll

  • Size

    120KB

  • MD5

    7f1fa28da60fbbc5141dd2cbf7acb0d4

  • SHA1

    fbc5bfd1e59f0656d8faa4428992ba35f70c0111

  • SHA256

    7e72095dc929622d7806f4a6a1abc628f54605f47f9c29e1535bf31ca174fee1

  • SHA512

    ba80e9c36759155bca40f394a1df5163a14560e4642f59ed48fba0a2227239fbdf5eddeab8e291e874d37f3ec993def15a19be61edda874212abf5254e63abf6

  • SSDEEP

    3072:6MZLCImgW99TlBMDWxmOYRJZS5TEYbVqNZ:1BCqmdQB3IRJqNZ

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 9 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1108
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1196
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e72095dc929622d7806f4a6a1abc628f54605f47f9c29e1535bf31ca174fee1.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e72095dc929622d7806f4a6a1abc628f54605f47f9c29e1535bf31ca174fee1.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Users\Admin\AppData\Local\Temp\f76b136.exe
                C:\Users\Admin\AppData\Local\Temp\f76b136.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2468
              • C:\Users\Admin\AppData\Local\Temp\f76b2bc.exe
                C:\Users\Admin\AppData\Local\Temp\f76b2bc.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Drops file in Windows directory
                • System policy modification
                PID:2664
              • C:\Users\Admin\AppData\Local\Temp\f76cd0f.exe
                C:\Users\Admin\AppData\Local\Temp\f76cd0f.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:1864
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2028

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            4bd5d8ac3b9415241806adcb9016c105

            SHA1

            940ad8badb2cadd2bbcc4edcdd84c457defa1595

            SHA256

            5bd1735b87bc4e7e9bb4485dee5ded2daccfb4c7c943571166ae65c7398e16f9

            SHA512

            214926a2d00a7e9c712ab130c8e71b5f9735276e910c2620769d995f7370cd456a2bb4a3b41c3ce9f83e57a9b4bc833e681542879a86815df10d7c22476c8722

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76b136.exe
            Filesize

            97KB

            MD5

            61256d5a731e0b42aab3cc3c8e2d1e2e

            SHA1

            a6507b09d7fa2c478b22fa0d4b3f22ff492f2250

            SHA256

            2206b728cd5d5c40609789d2a96de396c6ad2158a6c4f927b9ffd1407000faca

            SHA512

            a5c7e01175705279bc93a1766dfad47726a9055dc3dc3838ff7e392c895751373b36db98d8880109070cab2b0d8b227c270290e2171f224dc3c855ca2e490ac6

            Download Submit

          • memory/1108-28-0x0000000000250000-0x0000000000252000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-36-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1768-78-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-80-0x0000000000270000-0x0000000000282000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1768-56-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-58-0x0000000000250000-0x0000000000262000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1768-59-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-35-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1768-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1768-8-0x0000000000110000-0x0000000000122000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1768-45-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1864-104-0x0000000000330000-0x0000000000331000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1864-134-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1864-216-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1864-105-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1864-217-0x0000000000920000-0x00000000019DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/1864-82-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1864-189-0x0000000000920000-0x00000000019DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-63-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-87-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-48-0x00000000004A0000-0x00000000004A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2468-15-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-49-0x00000000004A0000-0x00000000004A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2468-19-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-62-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-61-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-20-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-65-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-64-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-67-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-68-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-21-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-46-0x0000000002E10000-0x0000000002E11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2468-14-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-77-0x00000000004A0000-0x00000000004A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2468-84-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-85-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-10-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2468-11-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-17-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-22-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-18-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-16-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-106-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-155-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2468-13-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2468-156-0x00000000005B0000-0x000000000166A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2664-129-0x0000000000220000-0x0000000000222000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2664-165-0x0000000000930000-0x00000000019EA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2664-164-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2664-98-0x0000000000220000-0x0000000000222000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2664-100-0x0000000000220000-0x0000000000222000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2664-99-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2664-60-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2664-218-0x0000000000930000-0x00000000019EA000-memory.dmp

            Filesize

            16.7MB

            Download