Analysis
-
max time kernel
96s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-01-2025 13:33
General
-
Target
6d818af364efbf2c67597b4bc0aa3c864a18f13f5fb024c61820c91fac2be24bN.dll
-
Size
564KB
-
MD5
dafc2120970c9d846c12f37d528f4480
-
SHA1
3d45f04488011222ef3dade86a3b4ad1b0ea4774
-
SHA256
6d818af364efbf2c67597b4bc0aa3c864a18f13f5fb024c61820c91fac2be24b
-
SHA512
8d456236055ca3dd0f1b6aa6fe0f022043b4280d4cca5b07cbaf1ccf2c3b2d18999f9dd97882c53a9309fd9373ed01b089be00040ecaac3d69dcaa2f3f9082b3
-
SSDEEP
12288:tehnaNPpSVZmNxRCwnwm3W3OHIIf5m9RhWFVA:teh0PpS6NxNnwYeOHXAhWTA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 45 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6d818af364efbf2c67597b4bc0aa3c864a18f13f5fb024c61820c91fac2be24bN.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6d818af364efbf2c67597b4bc0aa3c864a18f13f5fb024c61820c91fac2be24bN.dll,#12⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 6083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3484 -ip 34841⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5fbd57568c7e969025fd7a77d6a9e5f45
SHA1d8c221556c7dbeb55cbfe80a3006b6578e2ae4bd
SHA256b820d32dc781d4a3af1cc452d73d4f57e1d963da4cdec90cb0660837657c8328
SHA512c8d4e5b78e01570d02f0953bd0ebd818ed2985dfc5006ba39ce101693f1bc9de8550b9149d3028911ec5c1371b813f0bc8391d10294e04022b52a91c3d47f5cf
-
Filesize
404B
MD5216b1cc3f4bf530eb79a6b9720a597d9
SHA198927288469d6335bfdea81bee9d7bfe45aad453
SHA256bcfecec923e66638af8661c39051a771997ad4bf37a32d8cef9b5a010d26c246
SHA512e7ad4421ce6e3236db0308edeafeb484d1c2d12c5a1424173645aed91b079ad87072769aacaeb9e0a9be40189e3acbae82403bb7763b76f383d63310a6ef2ece
-
Filesize
404B
MD5d2032be599ce6ac42a5b9078f9756b43
SHA18c244a1d8721734cf6ccaf0cb7781209d39faa03
SHA2561322bc82d007b4095c175e1ec16d486687411ec6d14eda19346bf28c997f4a46
SHA512647a10b56d760e0888c5d137037cdc5c4611c0fde424df97aa605d16393ba314503a0c8ba72ca2566195da3174386efbb2dad9e0d739fabbcef19f52c7e866c8
-
Filesize
5KB
MD587d92eca257825714ce8e9a9548e0fd5
SHA12d292a8a3a3cb6feadeb9707af5f26725aaf01a8
SHA256152e3bf0022f36370497563658724a049695df0a6c6101291c1bccb34c297acf
SHA512bed7c1846ce14b59f5dc859f75230a585a351f71266dbe6d2df8f37cde600a5e16f7f84b803a0fdb4a9c4ccbb3f4bb5c5b51ff17318f3c37d0d2c5fd8417f437
-
Filesize
3KB
MD574186f17d1f8ca26fbacb45e63e35648
SHA120493115389346d74c7bf87fb26a7916a2b15c85
SHA256b6952802857c4f2c6761993fb1efd284d9d3f808d77f81e2b140a88866178338
SHA512822e6a5b159e078e5f0cbb808d7772a8a3f9629bb1e1e559f5ddf112e5f2543c83db1c63db4b7ff9eb1347927c92c99bb295df8b6698871b7cfd0ec4b495c90a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
164KB
MD5a3b1f1c4cd75bea10095e054f990bf1d
SHA115bf037b2166d2533e12bbec9f1d5f9a3ad8c81b
SHA256a4c51942f696650a7ce0530a88c3742380ac82bc1ddc75c24d1417f0958caaee
SHA5127457591c9676baa6043e4c3ae6ede364f19964c4e4e6a91a06e148221402791cabf9d5ab2bfcb629120ab136fee0a2994c0830f7cbfb112c5c6b07109b6a1a94
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16KB
-
Filesize
84KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
208KB
-
Filesize
40KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
556KB
-
Filesize
556KB