Analysis
max time kernel: 44s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2022 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 2932b77e08e4bedbd61c34b581d69b48.exe
Resource: win7-20220812-en
General
Target: 2932b77e08e4bedbd61c34b581d69b48.exe
Size: 368KB
MD5: 2932b77e08e4bedbd61c34b581d69b48
SHA1: e5e9be17066875a1906892d14148d88bd3c9a019
SHA256: 3c172f4a0a21bd8ad1fabd66548cd3fffa21e8515809b7f16d6d9d23b50ba9ef
SHA512: a5ec49a09bc97f579747f859f9feb8c5ebf1b4e7b240d2cd62c3a4e919d74e5f331b3a42420868924cf9ddef180e8406c5c01910da9be23e75133d06296e18a5
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPyMQqBIf5k+zwd8O3XH/Bura:EagCkDTBIRk1CcvErlI5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                                                             | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"        | 2932b77e08e4bedbd61c34b581d69b48.exe
UAC bypass
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2932b77e08e4bedbd61c34b581d69b48.exe
Windows security bypass
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                      | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"      | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"      | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"     | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2932b77e08e4bedbd61c34b581d69b48.exe
Executes dropped EXE 3 IoCs
Processes: svchost.exe, 2932b77e08e4bedbd61c34b581d69b48.exe, svchost.exe
  pid  | process
  1812 | svchost.exe
  2040 | 2932b77e08e4bedbd61c34b581d69b48.exe
  1992 | svchost.exe
Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/2040-61-0x0000000001E50000-0x0000000002F0A000-memory.dmp | upx
  behavioral1/memory/2040-64-0x0000000001E50000-0x0000000002F0A000-memory.dmp | upx
Loads dropped DLL 1 IoCs
Processes: svchost.exe
  pid  | process
  1812 | svchost.exe
Windows security modification
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                      | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"       | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"   | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"       | 2932b77e08e4bedbd61c34b581d69b48.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                         | 2932b77e08e4bedbd61c34b581d69b48.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"      | 2932b77e08e4bedbd61c34b581d69b48.exe
Checks whether UAC is enabled
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2932b77e08e4bedbd61c34b581d69b48.exe
Drops file in Windows directory 3 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe, 2932b77e08e4bedbd61c34b581d69b48.exe
  description                  | ioc                    | process
  File created                 | C:\Windows\svchost.exe | 2932b77e08e4bedbd61c34b581d69b48.exe
  File created                 | C:\Windows\6c0bc4      | 2932b77e08e4bedbd61c34b581d69b48.exe
  File opened for modification | C:\Windows\SYSTEM.INI  | 2932b77e08e4bedbd61c34b581d69b48.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  pid  | process
  2040 | 2932b77e08e4bedbd61c34b581d69b48.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 2040 | 2932b77e08e4bedbd61c34b581d69b48.exe   (11 identical rows)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe, svchost.exe
  description                      | pid  | process                              | target process
  PID 1780 wrote to memory of 1812 | 1780 | 2932b77e08e4bedbd61c34b581d69b48.exe | svchost.exe   (4 identical rows)
  PID 1812 wrote to memory of 2040 | 1812 | svchost.exe                          | 2932b77e08e4bedbd61c34b581d69b48.exe   (4 identical rows)
System policy modification 1 TTPs 1 IoCs
Processes: 2932b77e08e4bedbd61c34b581d69b48.exe
  description     | ioc                                                                                | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2932b77e08e4bedbd61c34b581d69b48.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe
   "C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe
         "C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe"
         - Modifies firewall policy service
         - UAC bypass
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
         - Checks whether UAC is enabled
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - System policy modification

1. C:\Windows\svchost.exe
   C:\Windows\svchost.exe
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe
  Filesize: 332KB
  MD5: 7f341d672a927934aec8a3aaeade04f2
  SHA1: 8d191fe20ba4dc62d38012c2c1253591fea71d6b
  SHA256: e44468e51f816a77ba2659484d48bcb4a10b7123be5e575b8189aa124750c6a3
  SHA512: bba6a08084b26e0a8ab2e05855ca73f8ac3869cf87fb678c3336182c6647cc582b90fb9720b1a23a777388f6c8bb682ada563940893393d73647895efeb8710f

- C:\Windows\svchost.exe   (three identical entries in the report)
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

- \Users\Admin\AppData\Local\Temp\2932b77e08e4bedbd61c34b581d69b48.exe
  Filesize: 332KB
  MD5: 7f341d672a927934aec8a3aaeade04f2
  SHA1: 8d191fe20ba4dc62d38012c2c1253591fea71d6b
  SHA256: e44468e51f816a77ba2659484d48bcb4a10b7123be5e575b8189aa124750c6a3
  SHA512: bba6a08084b26e0a8ab2e05855ca73f8ac3869cf87fb678c3336182c6647cc582b90fb9720b1a23a777388f6c8bb682ada563940893393d73647895efeb8710f

- memory/1812-54-0x0000000000000000-mapping.dmp

- memory/2040-58-0x0000000000000000-mapping.dmp

- memory/2040-60-0x00000000768F1000-0x00000000768F3000-memory.dmp
  Filesize: 8KB

- memory/2040-61-0x0000000001E50000-0x0000000002F0A000-memory.dmp
  Filesize: 16.7MB

- memory/2040-63-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB

- memory/2040-64-0x0000000001E50000-0x0000000002F0A000-memory.dmp
  Filesize: 16.7MB