Overview

overview

10

Static

static

3

d09f9a7735...eN.dll

windows7-x64

10

d09f9a7735...eN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d09f9a77358ae48847187f7480a1491bf21da860d0426caa38e5481a86286c9eN.dll

  • Size

    120KB

  • MD5

    8e3c24b6764a6d39ba21ed6994de1d30

  • SHA1

    2ec15db0cc8799160eabceb4a12b8da246357deb

  • SHA256

    d09f9a77358ae48847187f7480a1491bf21da860d0426caa38e5481a86286c9e

  • SHA512

    1fe132146416b83b48562e19bbbcf8b8c3c91ec788b4b01020725b8a348d76cc8a696e1630d3bed82d4859a8cd1e89527b68db2cf88a78fbf99149a423f3373e

  • SSDEEP

    1536:Kf/Wj6Ja0xSdsrZDlqzm6fudKfTusbKTCkDdkybW7eTUmfkJg7M1Ygd2/eNOove:Kf/WxYZpsmo//bKGkDGQW2pfYygEeDe

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 17 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1268
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Users\Admin\AppData\Local\Temp\d09f9a77358ae48847187f7480a1491bf21da860d0426caa38e5481a86286c9eN.dll,#1
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32.exe C:\Users\Admin\AppData\Local\Temp\d09f9a77358ae48847187f7480a1491bf21da860d0426caa38e5481a86286c9eN.dll,#1
              3⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1600
              • C:\Users\Admin\AppData\Local\Temp\f76eed2.exe
                C:\Users\Admin\AppData\Local\Temp\f76eed2.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2632
              • C:\Users\Admin\AppData\Local\Temp\f76f038.exe
                C:\Users\Admin\AppData\Local\Temp\f76f038.exe
                4⤵
                • Executes dropped EXE
                PID:3048
              • C:\Users\Admin\AppData\Local\Temp\f770ada.exe
                C:\Users\Admin\AppData\Local\Temp\f770ada.exe
                4⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2012
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1312

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            bae13c8e994e8cfc609f9d063afbf1df

            SHA1

            ad63cbb3de4c858acc0e98a8a38ed4c7c3cc9fff

            SHA256

            19f1d1e100ccc5c62ef15be1a8abeee7a284dd4a72c42aecca840d3ca83f8327

            SHA512

            5912ae728050a0f6d2a62c25ca4a4f89d5cfcc366e06dae4286bbe0ff89a35b1d6c09576462db248da8cb14b57a3967b99cceb28c309e89b738ab115a2b16ddd

            Download Submit

          • \Users\Admin\AppData\Local\Temp\f76eed2.exe
            Filesize

            97KB

            MD5

            f8238e8a2f92856b726339c3c0a74661

            SHA1

            1fbbbbebdc63e3d645fbc2f32986fa694c17d4f3

            SHA256

            d43da33677b75cf289b40d2db566918762b92ecf48f01471d2bb5c40cd8f8478

            SHA512

            5b5301a47f941846407f45d20c4eeab78188c852d568129293b3029defcf719be94abb46cdfeb16395d95bf26886859cabce4ad992faeac5152d4b1a069f2310

            Download Submit

          • memory/1116-29-0x00000000001E0000-0x00000000001E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1600-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1600-79-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1600-1-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1600-58-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1600-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1600-47-0x00000000001B0000-0x00000000001B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1600-60-0x00000000001A0000-0x00000000001A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1600-2-0x0000000010000000-0x0000000010020000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1600-9-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2012-109-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2012-107-0x0000000000270000-0x0000000000271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2012-216-0x0000000000930000-0x00000000019EA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2012-178-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2012-177-0x0000000000930000-0x00000000019EA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2012-217-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2632-14-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-85-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-18-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-48-0x0000000002F90000-0x0000000002F91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2632-15-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-23-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-11-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2632-63-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-62-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-64-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-65-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-66-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-68-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-69-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-21-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-74-0x0000000002F80000-0x0000000002F82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2632-82-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-50-0x0000000002F80000-0x0000000002F82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2632-87-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-51-0x0000000002F80000-0x0000000002F82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2632-22-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-19-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-16-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-17-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-20-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-159-0x0000000000520000-0x00000000015DA000-memory.dmp

            Filesize

            16.7MB

            Download

          • memory/2632-158-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3048-163-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3048-128-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3048-98-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3048-104-0x0000000000260000-0x0000000000262000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3048-106-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3048-61-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download