Analysis
-
max time kernel: 13s
max time network: 121s
platform: windows10_x64
resource: win10v20210408
submitted: 24-07-2021 07:04
Static task: static1
Behavioral task: behavioral1
Sample: b277141c357912e3cf76cf2eff36d2d9.exe
Resource: win7v20210410
General
-
Target: b277141c357912e3cf76cf2eff36d2d9.exe
Size: 2.9MB
MD5: b277141c357912e3cf76cf2eff36d2d9
SHA1: dfee214eec9da65da55ce47f44ccb0ae4751195e
SHA256: f3dda8f48606c448d22a7b407f61757605acc028d3deddd0ad8c1e2742efcf86
SHA512: 11aad22541baeeb19f54b306b3719da789287ce5ad2aec9218c2b305b69d4bd8fe794063fab761ce5f90a02ffb506ed9b2431966a2e9aa605647508f5326159b
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
-
Processes:
resource | yara_rule
behavioral2/memory/900-114-0x0000000002210000-0x000000000329E000-memory.dmp | upx
-
Windows security modification
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b277141c357912e3cf76cf2eff36d2d9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | b277141c357912e3cf76cf2eff36d2d9.exe
-
Checks whether UAC is enabled
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b277141c357912e3cf76cf2eff36d2d9.exe
-
Drops file in Windows directory 1 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | b277141c357912e3cf76cf2eff36d2d9.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4080 | 900 | WerFault.exe | b277141c357912e3cf76cf2eff36d2d9.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
pid | process
900 | b277141c357912e3cf76cf2eff36d2d9.exe
900 | b277141c357912e3cf76cf2eff36d2d9.exe
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | pid | process
Token: SeDebugPrivilege | 900 | b277141c357912e3cf76cf2eff36d2d9.exe
(the row above is repeated identically for all 57 IoCs in this signature)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | pid | process | target process
PID 900 wrote to memory of 724 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | fontdrvhost.exe
PID 900 wrote to memory of 720 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | fontdrvhost.exe
PID 900 wrote to memory of 968 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | dwm.exe
PID 900 wrote to memory of 2340 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | sihost.exe
PID 900 wrote to memory of 2352 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | svchost.exe
PID 900 wrote to memory of 2516 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | taskhostw.exe
PID 900 wrote to memory of 3024 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | Explorer.EXE
PID 900 wrote to memory of 3256 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | ShellExperienceHost.exe
PID 900 wrote to memory of 3272 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | SearchUI.exe
PID 900 wrote to memory of 3500 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | RuntimeBroker.exe
PID 900 wrote to memory of 3760 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | DllHost.exe
PID 900 wrote to memory of 4052 | 900 | b277141c357912e3cf76cf2eff36d2d9.exe | DllHost.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: b277141c357912e3cf76cf2eff36d2d9.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b277141c357912e3cf76cf2eff36d2d9.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
-
C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  -
  C:\Users\Admin\AppData\Local\Temp\b277141c357912e3cf76cf2eff36d2d9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b277141c357912e3cf76cf2eff36d2d9.exe"
    - Modifies firewall policy service
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1056
      - Program crash
-
c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
-
c:\windows\system32\sihost.exe
  command line: sihost.exe
-
C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
-
C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
-
C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}