Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29-12-2024 02:13
General
-
Target
9af3a06787c32483f0b2bb516df5d3e78de72215efe7a183d512406aa6b26cfc.dll
-
Size
120KB
-
MD5
5744aebab236b969abc08da4a88c3745
-
SHA1
340df8644e6bfcec8487f7a91409cb0c3d53cc7e
-
SHA256
9af3a06787c32483f0b2bb516df5d3e78de72215efe7a183d512406aa6b26cfc
-
SHA512
2c179fcc0b4ac126fb42edf9c5c53ff1bddb61a980f5a37d0b460b84b272bf18d2e0d143ead308d339975fce2f76fb039cf41f9470e5be55a586b31efaccd75c
-
SSDEEP
1536:41dVfjrQlgLiV1GLgnhBv9pB8q/JZ/qYK/bBOtR5BGqYlowz6g3tWkhu6DIR9O8:uJQa7gnHrBJ/XqYa1kRKq6o2Xu6cR9R
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9af3a06787c32483f0b2bb516df5d3e78de72215efe7a183d512406aa6b26cfc.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9af3a06787c32483f0b2bb516df5d3e78de72215efe7a183d512406aa6b26cfc.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f768b7d.exeC:\Users\Admin\AppData\Local\Temp\f768b7d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f768d03.exeC:\Users\Admin\AppData\Local\Temp\f768d03.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f76a728.exeC:\Users\Admin\AppData\Local\Temp\f76a728.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5da491f0c21a3b378485ebdff915fbe14
SHA1962aedd8e0ced2a205e5d9365fb4d8ecafa90c37
SHA256c4679db85f9188eb4db5f5167ed48e4458a54b584759d0007ed783d898921cfe
SHA5127d5b6cf3a7518cf19b2765f5b9b3d424f82f856f43b001b721d8bd808ac922816d4a9ee13ae281177d4d84c2ad3a1db37a34684a737d8fab8bc6b93991766740
-
Filesize
97KB
MD561dfc27d99cac37b1852708e16aad96c
SHA1c307de2d9fa9c6e9228ca11b0cd9c7de0aed25ab
SHA25685df0ddba90caa8cabffccf5a7eb0cb7e37e2d4e638f721f82d369dd67bb5474
SHA512c167acac4b08b4109aed90d1879ea3cc022d399b09beed64d020747e3a21d0af22da877a585901d99c90b8f34c9d5a7fab076fc5ee1f308c709d38564561c4ae
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB