Overview

overview

10

Static

static

3

812f939215...51.dll

windows7-x64

10

812f939215...51.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    812f93921569c7180f67f5c95687ee9c78ff336b6fcc9c62a5589cc08d7b2d51.dll

  • Size

    120KB

  • MD5

    2297cb27693852f31f95a1fe6c65c02e

  • SHA1

    1c3063b830cbb7f4cd99bf08222782d3c41165f9

  • SHA256

    812f93921569c7180f67f5c95687ee9c78ff336b6fcc9c62a5589cc08d7b2d51

  • SHA512

    e1aa29ceda8a02bc0a72c88919889688804aa30f31386c7815362b589be32727b29084920e7878e406bf6541e00d6d2c718672c0ceb98c4399924832cc961dc0

  • SSDEEP

    1536:NZFvAVW7gulsX2+uU9tmeNqAQZBEAnLvVoyU1PPY7Kdabk6EbiDE:XFYlulQfuStLNqrXEADhU1P3dabUW

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 16 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1040
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1096
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1176
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\812f93921569c7180f67f5c95687ee9c78ff336b6fcc9c62a5589cc08d7b2d51.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3008
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\812f93921569c7180f67f5c95687ee9c78ff336b6fcc9c62a5589cc08d7b2d51.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Users\Admin\AppData\Local\Temp\f769a4c.exe
                C:\Users\Admin\AppData\Local\Temp\f769a4c.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2100
              • C:\Users\Admin\AppData\Local\Temp\f769be2.exe
                C:\Users\Admin\AppData\Local\Temp\f769be2.exe
                4⤵
                • Executes dropped EXE
                PID:3020
              • C:\Users\Admin\AppData\Local\Temp\f76b5f7.exe
                C:\Users\Admin\AppData\Local\Temp\f76b5f7.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2676
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1796

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\f769a4c.exe
            Filesize

            97KB

            MD5

            ca44e185c384877562feea5f34662be6

            SHA1

            8f71a8d71a039c83024ee5d7c50654df51e3233b

            SHA256

            68b002a34e95d6c2891f9a4cdd8859ec57d3ff1addd515845eac48def1d8d78f

            SHA512

            edffd612d143ac8239ba3e4f686e5263b078b5c963d5866f5db373c0e1c42c1cf832057ed9d83e9d7ec7fb3827bba349fe6d223eb678342468082320124bc2da

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            34efd89f1723306c9c72ed95c52f3313

            SHA1

            187fffe357a7027848dc8b66e57345f48751e294

            SHA256

            94750d717d53c5039273b0701fda58ba4d8fbff17ba085f9824b95e32348b5aa

            SHA512

            21f213f060d90f228ffee777914871c62cf6c1528376044efff88def065730a626c59b029c7dbd4fec51bdcd1818d405a1a70b795289467943222123a2ff3180

            Download Submit

          • memory/1040-25-0x0000000002010000-0x0000000002012000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2100-42-0x00000000002F0000-0x00000000002F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2100-22-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-55-0x0000000000290000-0x0000000000292000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2100-108-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-86-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-23-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-20-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-19-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-16-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-14-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-106-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-84-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-151-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-68-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-13-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2100-150-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2100-105-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-83-0x0000000000290000-0x0000000000292000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2100-24-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-21-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-18-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-82-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-17-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-62-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-61-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-63-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-64-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-65-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2100-67-0x0000000000670000-0x000000000172A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2344-32-0x00000000001F0000-0x00000000001F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2344-31-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2344-41-0x00000000001F0000-0x00000000001F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2344-50-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2344-52-0x0000000000200000-0x0000000000212000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2344-53-0x0000000000130000-0x0000000000132000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2344-2-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2344-4-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2344-0-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2344-12-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2344-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2676-101-0x00000000003B0000-0x00000000003B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2676-104-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-102-0x0000000000360000-0x0000000000362000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2676-163-0x0000000000A80000-0x0000000001B3A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-80-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2676-203-0x0000000000A80000-0x0000000001B3A000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2676-204-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3020-103-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3020-96-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3020-98-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3020-176-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download