Analysis
-
max time kernel
66s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-12-2024 23:35
General
-
Target
ef6e9e5a5c54780ae15cb15b0afafa7b978f64ed67920d8213caa566c3eee2c2.dll
-
Size
120KB
-
MD5
1cc5407120a48b261315e018e42bdc52
-
SHA1
d24875527b76048275a91da68b197a03e89f8fd7
-
SHA256
ef6e9e5a5c54780ae15cb15b0afafa7b978f64ed67920d8213caa566c3eee2c2
-
SHA512
eb98cb4385db4cd4225040e5ea5cc76a618d971db097739ae248f1887f85ff7e22af9dd28d313ac61ce0127190b13dcc2a6779004014cab1d95476b2564d387e
-
SSDEEP
1536:mIWEvHB3H7Ny7hbzvB4YjMq6tuUOTYNWSKT81l6sP4jN6pG9ZlxED7:mIWsdZwhbLB1pWuUOT/hTSDuTb0D7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef6e9e5a5c54780ae15cb15b0afafa7b978f64ed67920d8213caa566c3eee2c2.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef6e9e5a5c54780ae15cb15b0afafa7b978f64ed67920d8213caa566c3eee2c2.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f775c15.exeC:\Users\Admin\AppData\Local\Temp\f775c15.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f7761df.exeC:\Users\Admin\AppData\Local\Temp\f7761df.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f777677.exeC:\Users\Admin\AppData\Local\Temp\f777677.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5203df7f85b58d585adddf8cc4f9f042c
SHA162ef5b732ba364e8c1b14c123d3c9683acc58827
SHA2564aa16c6cff0c3ad224abeedff24c917ef83cad5e9c40e22c6ad76c453d50d0f4
SHA512f618b905aafc7260ebb9ec7b9de89f22e9e473bfbe31e12376bf90ab63d02f7b9fd888f93f6633ec7613f92b43c51ca5477713195fbf8420fdb8ce72ed70186c
-
Filesize
97KB
MD53fb014a1991f47b88462414ca279fbbb
SHA16ae6b96857836f2aa1c65e5d4f02740388611307
SHA2565f45750ec05f6d3f87749421519653a9a43ecc2a2fa67a3e8624dccaa01d8fec
SHA512394fe7c4e1f24c7c1f0c76c296d2cf4207c519163a482522be9f71ed929cfde80efc4a54fc583e8de858a27b10b92efb6cad497bcfe511f41b9555d2e6c1164c
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
24KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB