Analysis
-
max time kernel
30s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-12-2024 07:14
General
-
Target
8f8a3d70664e8ab775690ea82ec80a35f0956ae179d834a593d66e8b7273d053.dll
-
Size
120KB
-
MD5
5e27c8e0e0c65fc6c8f02d47a804b022
-
SHA1
9dea34f77cb816b82b9afc3592ab20964788a342
-
SHA256
8f8a3d70664e8ab775690ea82ec80a35f0956ae179d834a593d66e8b7273d053
-
SHA512
9b841636a11cadb58c3d23ee02308708616a06e1188392fd9306d5681bc7a6b6acce5c1f1d0b3016e92b5a5974301f8419df8e2075920bf15ce00d51dc7d487d
-
SSDEEP
3072:SMsyq2ae8W67cw36kTI5ODYmST+y0CxSfwNpv+Yl:Sl2ae8mg6kTtV4+ywyVn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f8a3d70664e8ab775690ea82ec80a35f0956ae179d834a593d66e8b7273d053.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f8a3d70664e8ab775690ea82ec80a35f0956ae179d834a593d66e8b7273d053.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f786d05.exeC:\Users\Admin\AppData\Local\Temp\f786d05.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f786f95.exeC:\Users\Admin\AppData\Local\Temp\f786f95.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f788797.exeC:\Users\Admin\AppData\Local\Temp\f788797.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD57e9a5225fd464a0120b3268aee9b862b
SHA154d7e798fe12a779b31efa5498f62de959ab7874
SHA2561f43a74a447e73154e52f4f8e42706fe847b31a1ec90cd9ba3016598493ddd85
SHA512de5a1b15aeb499ac5599da1bdaaa1eb9f88285d980cef3a99dca1d785fe3824a344f57a1c8405e1e48b40b46d8490384ab7ac45fbd95321973e1a1eb3a7cb4ba
-
Filesize
97KB
MD568c354b8f304adb33092da2620b592c1
SHA13a2fd57eed024973f7b32711cd1dd6f04c19216c
SHA256dc29449361bfc49fee67089e4c56e2cde17fd3a7ab491278618ec5a879488e80
SHA51234fb97b4a0677cbbca5f0bdb68d9597ce401cda978ee160a51b81c1e8d10994580cac2bd7e2e22a4adbdcfaa6372b2dde181a636bb260d83368991ffa88fc213
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB