Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
01-07-2024 02:33
General
-
Target
c6dc39e0ca504d863f0b63e142075ad08968b81974be1614146b785c128fc1c7.dll
-
Size
120KB
-
MD5
161e0c7cd597f02dd080d2a73cdadaa6
-
SHA1
6798849f70d401db5cf36fa40aaa010e187c4043
-
SHA256
c6dc39e0ca504d863f0b63e142075ad08968b81974be1614146b785c128fc1c7
-
SHA512
196925a94bf4fa355ab1b3f08daa97a64bdeba540f0828713c06a90f0ac9025b89dcb5aece47eaf9697d913676086e8bae0176cbd9d71947c59e42f3fb768dd5
-
SSDEEP
1536:7nZYHfqvVwZ+bJIZNZnU0+5Th79iX3YNvMZAevJWRghfwwDCcSsDndj7I+bI:8fV+bJwNZnODNUhWwfwsDd/I+bI
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
-
UPX dump on OEP (original entry point) 27 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dc39e0ca504d863f0b63e142075ad08968b81974be1614146b785c128fc1c7.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dc39e0ca504d863f0b63e142075ad08968b81974be1614146b785c128fc1c7.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f761fff.exeC:\Users\Admin\AppData\Local\Temp\f761fff.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f762185.exeC:\Users\Admin\AppData\Local\Temp\f762185.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f763abf.exeC:\Users\Admin\AppData\Local\Temp\f763abf.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Impair Defenses
4Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f761fff.exeFilesize
97KB
MD54f1ac5e14f40a0554557906f9a104e3c
SHA1244ae4d16673c8941cd5750d247d9b55689d31a1
SHA256eb86ed7288e376094acee6f9848ddf235a601f96a930580e3abe26735512bfd2
SHA512f277e2663b50968ff89589676a18d035d09f6b39fbd85d78df944d687c74a83ff61128f087a4b7bd1e14e971090e34c706eba6d64a52d4aa89754f5d5d9611d7
-
memory/1100-24-0x0000000002070000-0x0000000002072000-memory.dmpFilesize
8KB
-
memory/1776-105-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1776-161-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1776-83-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1776-108-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1776-106-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/2192-22-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-43-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/2192-23-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-152-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2192-123-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2192-56-0x0000000000290000-0x0000000000292000-memory.dmpFilesize
8KB
-
memory/2192-14-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-19-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-17-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-18-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-15-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-16-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-84-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-62-0x0000000000290000-0x0000000000292000-memory.dmpFilesize
8KB
-
memory/2192-21-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-89-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-20-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-86-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-63-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-64-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-65-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-67-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-66-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-69-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-70-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2192-156-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2444-53-0x0000000000220000-0x0000000000232000-memory.dmpFilesize
72KB
-
memory/2444-42-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/2444-82-0x00000000001D0000-0x00000000001D2000-memory.dmpFilesize
8KB
-
memory/2444-7-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2444-32-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2444-9-0x00000000001D0000-0x00000000001E2000-memory.dmpFilesize
72KB
-
memory/2444-33-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB
-
memory/2444-79-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2444-51-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2444-8-0x00000000001D0000-0x00000000001E2000-memory.dmpFilesize
72KB
-
memory/2444-54-0x0000000000200000-0x0000000000202000-memory.dmpFilesize
8KB
-
memory/2540-98-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2540-55-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2540-157-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2540-99-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2540-107-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB