Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
29-06-2024 03:41
General
-
Target
dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll
-
Size
120KB
-
MD5
6880a67ab5bb7d95e5bc5f2427213a8f
-
SHA1
ccef5f2822f8f659885d1df5c605b2599e8c3280
-
SHA256
dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f
-
SHA512
b235db86c2efe329a3f3e5dc64ac8d3f3aac873d9459a95eb5fb1ee03fd3c3d6e0c71c2cc0cc2cf487abfe3df0f9a6f77cfd4d57edabc6b82fc5cf2613554187
-
SSDEEP
3072:+DdzWPzXM2JPdRXUqdN1F3UytGYLRhPbWz/I:YdWL84l9GoRhR
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 26 IoCs
-
UPX dump on OEP (original entry point) 31 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dba03af913c5ecbaee9b89aeb9de4d017cdd22b784604713711d3837d637236f.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f76197a.exeC:\Users\Admin\AppData\Local\Temp\f76197a.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f761ab2.exeC:\Users\Admin\AppData\Local\Temp\f761ab2.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763534.exeC:\Users\Admin\AppData\Local\Temp\f763534.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5d0fdb9406aced5ed9ef7767c180f4a90
SHA136586ccb58481b924b7ffe60a77315eec03fa358
SHA25651ea16968e855dbc55565aee08b774f24f4b1780ad4cff973f075d8558e217b3
SHA5125ae99882d5d275b8a5a67b04b8d4cfe28723203f4f0f4bde7b75961a46c7300a95c1a25bf2565b00898a4402aae22e8b1ea9884012f2a9d3be674490f42d6385
-
\Users\Admin\AppData\Local\Temp\f76197a.exeFilesize
97KB
MD5d883c79d5d158270097407f3a27736a8
SHA1aa6a2dcdfecac50ca783cb09a8e69bce36f31ee5
SHA256bf8089541c92c92241a7c364ea46a1de748a1072b2c8ff1a27a64afa16a3225d
SHA512982e784a42fec5054cf3d75dfa2d937441b5b330f7bec749f4630a600f18c987eb4197a70dd1eca12485f75cb2d325ada51359dfb000cf4a96b163333407ad35
-
memory/1092-29-0x0000000002130000-0x0000000002132000-memory.dmpFilesize
8KB
-
memory/2032-45-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2032-8-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2032-58-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2032-36-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2032-37-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2032-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2032-75-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2032-7-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2032-55-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2032-57-0x0000000000180000-0x0000000000192000-memory.dmpFilesize
72KB
-
memory/2088-62-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-80-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-22-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-20-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-48-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2088-46-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB
-
memory/2088-16-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-23-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2088-19-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-56-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2088-14-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-17-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-18-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-61-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-63-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-64-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-65-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-67-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-141-0x00000000005F0000-0x00000000005F2000-memory.dmpFilesize
8KB
-
memory/2088-15-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-21-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-82-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-84-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-142-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2088-143-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-106-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-104-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-103-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2088-102-0x0000000000980000-0x0000000001A3A000-memory.dmpFilesize
16.7MB
-
memory/2112-100-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2112-98-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2112-97-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2112-79-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2112-164-0x0000000000950000-0x0000000001A0A000-memory.dmpFilesize
16.7MB
-
memory/2112-197-0x0000000000950000-0x0000000001A0A000-memory.dmpFilesize
16.7MB
-
memory/2112-198-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2768-92-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2768-99-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2768-93-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2768-147-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2768-60-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB