Analysis
-
max time kernel
27s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
05-02-2025 03:22
General
-
Target
6539a25f2cba82aa95a0326686cc6406d5893e0977af48d008d8819f5a419da8.dll
-
Size
120KB
-
MD5
6265f303eb2f71ca07ba209457fe950c
-
SHA1
1fe7550e9376b1add7b580bbedce99b751cbb0d1
-
SHA256
6539a25f2cba82aa95a0326686cc6406d5893e0977af48d008d8819f5a419da8
-
SHA512
9cc4132540f127255c5bf761979abdf0f500c73f500276f009e13041dfcbd7b009680bcac8e25c809bbe53f5b9c73715c7e56adb0372cd140ec1f5002f8ca7ef
-
SSDEEP
1536:8o3zMNia+Svj2Itq7w/ZOavEVLW2i5ahwLQIFVf9mOBfaBA4a1/q7sVqZD:9jMNiaYInZOavE9thikwD4a1/dV4
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6539a25f2cba82aa95a0326686cc6406d5893e0977af48d008d8819f5a419da8.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6539a25f2cba82aa95a0326686cc6406d5893e0977af48d008d8819f5a419da8.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7877de.exeC:\Users\Admin\AppData\Local\Temp\f7877de.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f787b48.exeC:\Users\Admin\AppData\Local\Temp\f787b48.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\f789203.exeC:\Users\Admin\AppData\Local\Temp\f789203.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5f1882bf6c2abeaf277f521784ad8900a
SHA10c023f778bf87752e8c305d5c89b327b112146a2
SHA256e024d859bf112017db54dc72f6e9527d09139b2037a97d9604705f535f02ba41
SHA512e1815c129a8b461a9338aa0aed576ee0edb717858958025e0c4b09220dde2ffe3783babc762c9eda73834082af8f7adcbcd66a526ab872383e89941a9ecf94f3
-
Filesize
97KB
MD5d678aacf47ccf13a896ed5fa3cadf3c5
SHA19e8cc8265b6d6c813f11ef481910f79c3c11a3e1
SHA256c0050d51f9861b357d5239111fb462a440a1895e1fd5281ea3b1ad33ad7c3b85
SHA512171f33b128b6b71b2d750ab0a6596b0decd595857cb1a079806b425a37c7bcfbdde71b0c8621ad6deb542f4d22324a6d312b23ff60cfd4769ce06a3b7e76da94
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
72KB
-
Filesize
16.7MB
-
Filesize
8KB