Analysis
-
max time kernel
67s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 01:50
General
-
Target
26c71a95c23b89b75cea47ac8877c989c7c5f63ddb68846d09e5cb542bcbf957.dll
-
Size
120KB
-
MD5
e601f9cd0613f9a62f79d6ab1c3c4740
-
SHA1
d4543471bf0877142f83594b39da0b6ddcdfcebb
-
SHA256
26c71a95c23b89b75cea47ac8877c989c7c5f63ddb68846d09e5cb542bcbf957
-
SHA512
058cf620e2590eb8a3a949b2ee75efd9b1c3fd22ee8ce8a5bf204912753af122da664e5a1f194174c3e113dadc2cc56cfcff4723973ea78d715345ea7d5ce051
-
SSDEEP
1536:GZQq4WM74TFu2Q6DdfC7Oicg7R4NG0M42Ku8BsKHTxOnWpJWZPU:Gf4WMUM2QqfC7Oicg7R4ol4eqsonWu
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\26c71a95c23b89b75cea47ac8877c989c7c5f63ddb68846d09e5cb542bcbf957.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\26c71a95c23b89b75cea47ac8877c989c7c5f63ddb68846d09e5cb542bcbf957.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768b8d.exeC:\Users\Admin\AppData\Local\Temp\f768b8d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768d32.exeC:\Users\Admin\AppData\Local\Temp\f768d32.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f76a747.exeC:\Users\Admin\AppData\Local\Temp\f76a747.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD59044f67c1b21fdb8847ffb6861f3f221
SHA1ffddde00455b42f304fbf942599c02a8f95ea0a7
SHA2564df63bd42fc848c931d2b2ff46b71a38e35c2914096603d695fc3b12dfde8af8
SHA512a8a0b5d917d3e16a58c454c65e34de865e104480a1f4aea27e8dfff1ca83c627b4844595694e75ecb5fdac9a01310ebabe43e2837e8571ee065e70f53bdf087b
-
Filesize
257B
MD51e8fcede76b25b9ee3f52abeacb06c87
SHA1960e1192fe4c8095685fed1edf633c403f1fb9de
SHA256cb0f08bdfb4147603f8d6e41ce3694747e84456a8e07699b4fe30fb24057221c
SHA512c2d40d126a60c97057c3ac8ec3831967f405a55b140894591e2c384300c214c4b0aef9e9c35fe44307b3e2aa385f9fd045ce0a560cc3a58fe2ed33a268b2a3ff
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB