Analysis
-
max time kernel
27s -
max time network
21s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
31-12-2024 14:29
General
-
Target
95059c3a41b69fe5e1e9541f9154077f8a6970e92fcd95b538ba750b26e9ecfaN.dll
-
Size
120KB
-
MD5
e6865723ddb66b3526e8f5f882408800
-
SHA1
c9edb8b59fd2586523e1ad74d6c67d8547e2421e
-
SHA256
95059c3a41b69fe5e1e9541f9154077f8a6970e92fcd95b538ba750b26e9ecfa
-
SHA512
a86021be4c79bb4094f12ab3e6350a83d30840f2564b360e95326b538bb5ed072c5d77e3256990cbd6c9b83944c1a5e9eaab732e85101f81d78eafd69705c059
-
SSDEEP
3072:spQG4mKVGceRPNoc3Omks+1c0yM6KKsC4aMayz+LRp:eV4zBe8c3ysOyM6sC4aMayaLj
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\95059c3a41b69fe5e1e9541f9154077f8a6970e92fcd95b538ba750b26e9ecfaN.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\95059c3a41b69fe5e1e9541f9154077f8a6970e92fcd95b538ba750b26e9ecfaN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f77e041.exeC:\Users\Admin\AppData\Local\Temp\f77e041.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77e32e.exeC:\Users\Admin\AppData\Local\Temp\f77e32e.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f77fbec.exeC:\Users\Admin\AppData\Local\Temp\f77fbec.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5e550cc15a820193054d47600d07a274a
SHA1abfd07fce647dd97b49b6114cc85e51ad117a8cf
SHA25671ca3ef63e31d3a60dfcb91483ad7cba0031771b8b77f2f279ee1a5f5af0bd95
SHA512a5fe5a10641760dbc9a5b16fbba375092a60f730367b2261307f54d94a9e5a40ce68cdeae422bdd245f26b158d7eafae4ad0469d75bef9f002bea56afa247d43
-
Filesize
97KB
MD5a7a26bad5c2e0c83a6d37c322b126fab
SHA1293c826c00bdb7b6c97591eeeda91a51f1b5476a
SHA2566f4c7c57d57054abd053f6d51fa5301241b5ffa3ec2095722af160713618bdd4
SHA512ed276ee549a6683f92b64c2dc235079fdb293f4f21ed64dd9a11afb5377f7995a5505fdbc979871ddacd2fe7c485ca57f3251574f9af41c6077a59f3928bb1b1
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
72KB