Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 12:41
General
-
Target
65901adbb7289cb2a60c2d2adcfb6167c58b0cdcacd31fd25e4198842039f712N.dll
-
Size
120KB
-
MD5
c8dcc05346af66afd3d3df4e8007a9b0
-
SHA1
3085f84eef8302d5591b4e3a8b3e2eca4a70fb21
-
SHA256
65901adbb7289cb2a60c2d2adcfb6167c58b0cdcacd31fd25e4198842039f712
-
SHA512
595215e96ce928a33c6de29506437635a5e8bc9dc06123f6f82564d782aea0f947759daa7a49c402220c1820b009db7c343c446e02568fc9eaefc68260473ec8
-
SSDEEP
3072:FHPtxi7j/vjfNslYBYa8c+9nZDZ4JUyZ59urcJ3K:Rbi7rjfjBYDvZDyJUEmQ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\65901adbb7289cb2a60c2d2adcfb6167c58b0cdcacd31fd25e4198842039f712N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\65901adbb7289cb2a60c2d2adcfb6167c58b0cdcacd31fd25e4198842039f712N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f771eb7.exeC:\Users\Admin\AppData\Local\Temp\f771eb7.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77201e.exeC:\Users\Admin\AppData\Local\Temp\f77201e.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f7740f6.exeC:\Users\Admin\AppData\Local\Temp\f7740f6.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD53e0e86d42e11b33132d45eb8c3b0ad4a
SHA184ab823206d1f5b96b6f6a5c530829f1afd27cfa
SHA256b4eaa92c9c09078c2abafe549d8ecc0f53fb70be2e01bf341051999e31a5a1b3
SHA512ef463a95310f48177c4536919ac4d71fef53b95e49c91278f05badf21718c65124113baf2b0588c1bbf476c83d89d9ceac244887507e8ba6405d808d9144b304
-
Filesize
257B
MD51a44a111a565afe99d1aa4fbcab019c4
SHA1d4809dac3d52a38c734380dba1018778d7866eb3
SHA25651d46ddcf3de8ac2db405875b0fe03cdcce7a93f6917ece81e2f661d072ebb70
SHA512a09667069448c4340d049434365d68731869a09256e9a870423e55c0df111d0b7b0ad0788f7946b7efe38cbb8ea6ad1df563717e5ebdf7b0936c58cd3078c6f9
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB