Analysis
-
max time kernel
27s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26-12-2024 08:47
General
-
Target
412ce4f49efd04b26eb1393cf92dba7a78afcbe6463d54c3739893d328f6f2bbN.dll
-
Size
120KB
-
MD5
aed78cfdd263e8bf07ef3b87cd402d60
-
SHA1
319d0da93c7edd0a507b283fd2741af47301a520
-
SHA256
412ce4f49efd04b26eb1393cf92dba7a78afcbe6463d54c3739893d328f6f2bb
-
SHA512
f2f82709514e300b9290b1b82899a3af3a271316da56d36889d67101cff60329af3bbce048183a38542ae98acd92d2990aa14bf0fb906f8bd95a1b54a1f11249
-
SSDEEP
1536:KIVHRofqtQwOM4lyyjo99elUnSEFYhHbHlaClfgkjRmA7oZoT1wCMOBTXrd:KIAqtQgg0remgJbHlaAfgIRvBTBJ/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\412ce4f49efd04b26eb1393cf92dba7a78afcbe6463d54c3739893d328f6f2bbN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\412ce4f49efd04b26eb1393cf92dba7a78afcbe6463d54c3739893d328f6f2bbN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76b3c5.exeC:\Users\Admin\AppData\Local\Temp\f76b3c5.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76b55b.exeC:\Users\Admin\AppData\Local\Temp\f76b55b.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76cf7f.exeC:\Users\Admin\AppData\Local\Temp\f76cf7f.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD531ed0b27c25619aa93bf7e8cc433f5b8
SHA13d998918c5e56c59f58e35893f8d3024343d05f9
SHA25617957a8545d8775b76f144788aca2bf674c2f04defe483f7ebde06a3005692ab
SHA51275529d881b0330c449866dc00520bc1df65bbcae9932e59a7f14a85330fe145c7ea7a9449e4986ce25b00c7a8c53ac8a89c7d768edd1af57602fe019ca025837
-
Filesize
97KB
MD5e64e2a680b203c4506e9e0ca3c33ef08
SHA11cb470bddaf392fb87b01dea7fd5dc850948125a
SHA25636f524b2c727c53965d606c0776e97fdabc494112c03edb42f8bfb26cea3a6f9
SHA5126913ca6f6d0db66c0bf33a254f77157b19dcbb285397558d5d692ae2ebd677fe30264259ceebc5ec79b8552331e373c80bc1cb89452676fd97c2e5eaf5e9d9d2
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB