Analysis
-
max time kernel
90s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
26-12-2024 19:42
General
-
Target
710c93298431c3f73b3aac53d0a15106f3678d3b24d34f017b314a14b7ff5120.dll
-
Size
120KB
-
MD5
05e7fcb40c376a3312aca4bf54ea8c0e
-
SHA1
2ef02b2c4fff7e3e24bc0569583a0de278deaf7a
-
SHA256
710c93298431c3f73b3aac53d0a15106f3678d3b24d34f017b314a14b7ff5120
-
SHA512
d82a23f7921531c55c7fba46847c429dc00d0e79f49dc764e0ea1dbd13ec390af0e0c4a9b5c297bba6b49ade39a0a149b1989b10cb882456b8b1f8e1bd3e19c5
-
SSDEEP
1536:KIVHRofqtQwOM4lyyjo99elUnSEFYhHbHlaClfgkjRmA7oZoT1wCMOBTXrdt:KIAqtQgg0remgJbHlaAfgIRvBTBJ/t
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\710c93298431c3f73b3aac53d0a15106f3678d3b24d34f017b314a14b7ff5120.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\710c93298431c3f73b3aac53d0a15106f3678d3b24d34f017b314a14b7ff5120.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f777d5a.exeC:\Users\Admin\AppData\Local\Temp\f777d5a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f777e63.exeC:\Users\Admin\AppData\Local\Temp\f777e63.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f779b94.exeC:\Users\Admin\AppData\Local\Temp\f779b94.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5436c3ec5688c2c594f47fd980c188b26
SHA172411146984bab4d8b0d90777ee1f6a6656aa6a5
SHA256359bca1dd20d6b062d2121556d3a1446f2be722e13bdd03d28f537b4b926d3ab
SHA512c58ed6a4d035db54554db5351bfed8f37b4177c906b9a4f0b1a3517a50de301dce133d4f54e0b822dbab89dc9e967ec4a4063263b6c3e7e38eb024edd6effee0
-
Filesize
97KB
MD5e64e2a680b203c4506e9e0ca3c33ef08
SHA11cb470bddaf392fb87b01dea7fd5dc850948125a
SHA25636f524b2c727c53965d606c0776e97fdabc494112c03edb42f8bfb26cea3a6f9
SHA5126913ca6f6d0db66c0bf33a254f77157b19dcbb285397558d5d692ae2ebd677fe30264259ceebc5ec79b8552331e373c80bc1cb89452676fd97c2e5eaf5e9d9d2
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB