Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
31-12-2024 15:31
General
-
Target
a0c55db81960f28e32e2c54e5ee17b31b026c881c72ec807a19d71c24324a424.dll
-
Size
120KB
-
MD5
dfd80eedc66ccc45ced978219838bcc7
-
SHA1
bf707907a3712d86cd210bcc3510398dff6c3f6f
-
SHA256
a0c55db81960f28e32e2c54e5ee17b31b026c881c72ec807a19d71c24324a424
-
SHA512
24140c13cf0b0bd870fe0d647bb0a1e5bc6da7da22298652508d20935f7c4a73867b2ed6ba66ab6967ea5c9db9e05c84b1336fb10f4bf3b3a5d3bf3617dbe3bf
-
SSDEEP
3072:pxkvFBl8ETOGajfQYNAb0X4Ye9BwJcnOl2H:pulQI6eDCcn0i
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a0c55db81960f28e32e2c54e5ee17b31b026c881c72ec807a19d71c24324a424.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a0c55db81960f28e32e2c54e5ee17b31b026c881c72ec807a19d71c24324a424.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f772f1c.exeC:\Users\Admin\AppData\Local\Temp\f772f1c.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f773208.exeC:\Users\Admin\AppData\Local\Temp\f773208.exe4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\f775052.exeC:\Users\Admin\AppData\Local\Temp\f775052.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5c156cfd9178d1b104ebd8675bd6ff17a
SHA1eacbda9b5debb37460ee17f3bc581434adc1532c
SHA256570013984fd1d80a1d04c55a7a4ca4c48da7f19b949ad04179297c9c7edf17c3
SHA512a5e5e073fff64256aaebb73ccff5488cc61df7768127688d34828068b63b8b487a1850e0e979ba9f3d5dd4c980502abb89ec5ea2a0cd086f58425b8521093689
-
Filesize
97KB
MD533bd5c0c5ab4a008c866cbf0cfa0d86c
SHA18b38bb14dd12125f437b87275ff14924af6ab8ce
SHA256c81fcf3c50622df9260e4c751d5fc03c8644179561091247c752bcdd4b90aff3
SHA512e38d789e4dc88b88645ca278b85ed423f37857fe556268526dfa268fec4dcd299ad44175026d2d1693f633d1e6026dd936e6fae0cc4eb2bc73e01261d137053d
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
16.7MB