Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 06:43
General
-
Target
906112bff82ce544eb488aa538bc50644038d743c75fdc74c5b7eb9281be6b2c.dll
-
Size
120KB
-
MD5
4e079bea91961cb95b37607a010c8092
-
SHA1
5f9fdd19170ab411176f9eb6ed7e4a7b76a70560
-
SHA256
906112bff82ce544eb488aa538bc50644038d743c75fdc74c5b7eb9281be6b2c
-
SHA512
0c7fd5959c8eedc391c0e194a845df35062df6780392286cd41d270f7a4c3b26bb1ae6cc324a3be88811115ac1d5bad5c4f6cf9d9b026332161d58081061cfef
-
SSDEEP
3072:qeONJ7+0EOpva/JtKhikimqfD7N4FMjLnL5+kfa0y:PObtD18gJqfD6FUL5+kfa0y
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\906112bff82ce544eb488aa538bc50644038d743c75fdc74c5b7eb9281be6b2c.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\906112bff82ce544eb488aa538bc50644038d743c75fdc74c5b7eb9281be6b2c.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76fa08.exeC:\Users\Admin\AppData\Local\Temp\f76fa08.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76fb8e.exeC:\Users\Admin\AppData\Local\Temp\f76fb8e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f771eb7.exeC:\Users\Admin\AppData\Local\Temp\f771eb7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5fecaef3fcc834c106115a51238829dbe
SHA11b89118b6624562f33c0854546760f98bc8ce525
SHA256d1527de15a1d03de1c753d2c735a25293e8e4026fb6c9f3828043f2988c1e941
SHA512ebcf13af3be1f694fa783df788279977da52593eaa72b28f2fb479a2ca7cbf5487b7a5f0f91a6e94a15eaa2d6119c18294630d6b08b76d49789255dc63ec30fd
-
Filesize
97KB
MD5e824e90442b856fc203994d2989653e2
SHA1019f423ef78b2b1795f6da9404248600429ebac1
SHA2568a3215ee3a3b271bbb00c73ed55695cdd28fdef0fd0e35fa5ccd0b010464e207
SHA512ffbb19c2d9aad51a893571937d4a47891a2e7c0ff6a4e8534f5dce495d365b467c252e616cafc6379137bb40da8c656c6e93eed01f92bbda8c495f7c00e67a69
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB