Analysis

max time kernel: 140s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2022 20:17

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 3a127472d8c46c61ab688ef476639e3a.exe
  Resource: win7-20220812-en
General

Target: 3a127472d8c46c61ab688ef476639e3a.exe
Size: 356KB
MD5: 3a127472d8c46c61ab688ef476639e3a
SHA1: 781f697671f7a3cf13d8cec6aaf621589323c777
SHA256: 7258f837b9588fe9a297f48ab9d79e3f02da0196b1adfc9fb02e894744199c3f
SHA512: 9ea661beac4b68b44eb6c686fdec0c7ab39c6ccde436be4e38bd02b5337860baf4dc49f2421f8dc95912d7e8896121a23f777e93cf7a5881ad7f8f41a5fd2b25
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPOLuNh1k0G6zZf5kdBurgI9U:EagCkDIyNTC6tRkdErrI5
Malware Config

Extracted family: sality
Extracted URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"

UAC bypass 1 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass 6 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Executes dropped EXE 3 IoCs
  PID 2984  svchost.exe
  PID 1300  3a127472d8c46c61ab688ef476639e3a.exe
  PID 524   svchost.exe

yara rule match: upx 2 IoCs
  behavioral2/memory/1300-139-0x0000000002340000-0x00000000033FA000-memory.dmp
  behavioral2/memory/1300-140-0x0000000002340000-0x00000000033FA000-memory.dmp

Windows security modification 7 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"

Checks whether UAC is enabled 1 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Program Files directory 51 IoCs
Process: svchost.exe
Description: File opened for modification
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Google\Chrome\Application\chrome.exe
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
  C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
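The 51 entries above show the dropped svchost.exe opening every .exe it found under Program Files for write access, which is the pattern of a file infector (Sality is one). The sandbox records the open, not what was written, so the practical follow-up on a host is an integrity comparison of those binaries. The following is an added example, not part of the sandbox report or any Triage tooling: a Python baseline-and-compare over a directory tree. demo() builds a temporary directory with constructed dummy files (two of them named after paths in this report) so it runs offline on any OS; baseline() can be pointed at a real root such as C:\Program Files on a Windows host. Function and key names are the example's own.

```python
"""Baseline and re-check executables under a directory tree.

Added example; not from the sandbox report. demo() uses a throwaway
directory with constructed dummy files so it runs offline on any OS.
"""
from __future__ import annotations

import hashlib
import os
import pathlib
import tempfile

EXE_SUFFIXES = {".exe"}  # the report shows only .exe targets; widen per policy


def sha256_file(path: pathlib.Path) -> str:
    """Streaming SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str | os.PathLike) -> dict[str, str]:
    """Map root-relative POSIX path -> SHA-256 for every executable under root."""
    root_path = pathlib.Path(root)
    out: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = pathlib.Path(dirpath, name)
            if p.suffix.lower() in EXE_SUFFIXES:
                out[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return out


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Diff two baselines: changed hashes, new executables, missing executables."""
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Simulate an infector appending code to one host EXE, dropping a new
    one and deleting another, then report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        # Constructed stand-ins for paths from the report; contents are dummies.
        for rel in ("7-Zip/7zFM.exe", "Java/jdk1.8.0_66/bin/java.exe", "7-Zip/readme.txt"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ" + rel.encode())
        before = baseline(root)

        # "File opened for modification" followed by an actual write.
        with (root / "7-Zip/7zFM.exe").open("ab") as f:
            f.write(b"\x90" * 64)
        dropped = root / "Common Files/dropped.exe"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_bytes(b"MZ dropped")
        (root / "Java/jdk1.8.0_66/bin/java.exe").unlink()

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a Windows host the quickest first check for the specific files listed in this report is Authenticode: Get-AuthenticodeSignature reports a Status other than Valid for a signed binary whose bytes have changed. A hash baseline like the one above is still needed for unsigned binaries, and it must have been taken before the incident to be of any use.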
Drops file in Windows directory 1 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  File created C:\Windows\svchost.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3a127472d8c46c61ab688ef476639e3a.exe, svchost.exe
  PID 2680 (3a127472d8c46c61ab688ef476639e3a.exe) wrote to memory of PID 2984 (svchost.exe), 3 calls
  PID 2984 (svchost.exe) wrote to memory of PID 1300 (3a127472d8c46c61ab688ef476639e3a.exe), 3 calls
System policy modification 1 TTPs 1 IoCs
Process: 3a127472d8c46c61ab688ef476639e3a.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
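The registry writes recorded in the signatures above (firewall policy, EnableLUA, Security Center overrides and notification suppression) are the part of this report most worth turning into a detection. The following is an added example, not part of the sandbox report or any Triage tooling: a Python matcher that canonicalises registry value paths the way a sensor reports them (the NT \REGISTRY\MACHINE prefix, ControlSet00N, WOW6432Node) and flags writes that switch a control off or silence it. The event records are constructed to mirror this report's IoCs; the field names (process, pid, path, value) are an assumption, not a real sensor schema, and attributing the writes to PID 1300 is likewise an assumption based on the process tree.

```python
"""Flag registry writes that disable Windows security controls.

Added example; not from the sandbox report. Event dicts are constructed to
mirror the 'Set value (int)' IoCs in the report. Field names (process, pid,
path, value) are an assumption, not a real sensor schema.
"""
from __future__ import annotations

# Key -> value an attacker writes to switch the control off or silence it.
# Keys are stored in canonical form (HKLM prefix, CurrentControlSet, no
# WOW6432Node) so the 32-bit and 64-bit views and any ControlSet00N match.
_FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
SECURITY_DISABLE_RULES: dict[str, int] = {
    _FW + r"\EnableFirewall": 0,        # firewall off
    _FW + r"\DoNotAllowExceptions": 0,  # exceptions permitted again
    _FW + r"\DisableNotifications": 1,  # no "firewall is off" prompts
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,  # UAC off
    _SC + r"\AntiVirusOverride": 1,
    _SC + r"\AntiVirusDisableNotify": 1,
    _SC + r"\FirewallOverride": 1,
    _SC + r"\FirewallDisableNotify": 1,
    _SC + r"\UacDisableNotify": 1,
    _SC + r"\UpdatesDisableNotify": 1,
}
_RULES_UPPER = {k.upper(): v for k, v in SECURITY_DISABLE_RULES.items()}


def normalise_key(path: str) -> str:
    """Canonicalise a registry value path for rule matching."""
    p = path.strip("\\")
    upper = p.upper()
    for prefix in ("REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\"):
        if upper.startswith(prefix):
            p = "HKLM\\" + p[len(prefix):]
            break
    parts = []
    for part in p.split("\\"):
        u = part.upper()
        if u == "WOW6432NODE":
            continue  # 32-bit view of the same policy key
        if u.startswith("CONTROLSET") and u[len("CONTROLSET"):].isdigit():
            part = "CurrentControlSet"  # ControlSet001, ControlSet002, ...
        parts.append(part)
    return "\\".join(parts)


def classify_event(event: dict) -> dict | None:
    """Return a finding if the write matches a disable rule, else None."""
    key = normalise_key(event["path"])
    expected = _RULES_UPPER.get(key.upper())
    if expected is None or int(event["value"]) != expected:
        return None
    return {"pid": event["pid"], "process": event["process"],
            "key": key, "value": int(event["value"])}


def scan(events: list[dict]) -> list[dict]:
    """All findings for a list of registry set events."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed events mirroring the report's IoCs (PID is an assumption);
# the last two are benign controls and must not match.
_P = "3a127472d8c46c61ab688ef476639e3a.exe"
_M = "\\REGISTRY\\MACHINE\\"
_FWK = _M + r"SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SCK = _M + r"SOFTWARE\WOW6432Node\Microsoft\Security Center"
SAMPLE_EVENTS = [
    {"process": _P, "pid": 1300, "path": _FWK + r"\DoNotAllowExceptions", "value": 0},
    {"process": _P, "pid": 1300, "path": _FWK + r"\DisableNotifications", "value": 1},
    {"process": _P, "pid": 1300, "path": _FWK + r"\EnableFirewall", "value": 0},
    {"process": _P, "pid": 1300, "path": _M + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": 0},
    {"process": _P, "pid": 1300, "path": _SCK + r"\FirewallOverride", "value": 1},
    {"process": _P, "pid": 1300, "path": _SCK + r"\UpdatesDisableNotify", "value": 1},
    {"process": _P, "pid": 1300, "path": _SCK + r"\UacDisableNotify", "value": 1},
    {"process": _P, "pid": 1300, "path": _SCK + r"\AntiVirusOverride", "value": 1},
    {"process": _P, "pid": 1300, "path": _SCK + r"\AntiVirusDisableNotify", "value": 1},
    {"process": _P, "pid": 1300, "path": _SCK + r"\FirewallDisableNotify", "value": 1},
    # benign: an admin re-enabling UAC, and an unrelated value
    {"process": "explorer.exe", "pid": 4242, "path": _M + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": 1},
    {"process": "explorer.exe", "pid": 4242, "path": _M + r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "value": 1},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['process']} (pid {f['pid']}) set {f['key']} = {f['value']}")
```

The value check matters: EnableLUA written as 1 or EnableFirewall written as 1 is an administrator restoring a control, not an attack, and a rule that fires on any write to these keys will drown in policy refreshes. The Security Center values under WOW6432Node are the 32-bit view written by a 32-bit process on a 64-bit host, which is why the canonicalisation drops that component.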
Processes

PIDs are taken from the Executes dropped EXE and WriteProcessMemory tables above; the indentation shows parent/child depth.

C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe (PID 2680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\svchost.exe (PID 2984)
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe (PID 1300)
          Command line: "C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe"
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - System policy modification

C:\Windows\svchost.exe (PID 524)
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
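The process tree is the cleanest detection surface in this report: the genuine service host only ever runs from C:\Windows\System32 or C:\Windows\SysWOW64 and is started by services.exe, whereas here a file named svchost.exe runs from C:\Windows, is started by the sample, takes the sample's path as its only argument and then re-launches it from the user's Temp directory. The following is an added example, not part of the sandbox report or any Triage tooling: a Python checker run over constructed process-creation events that mirror the tree above. The field names (pid, ppid, image, parent_image, cmdline) are an assumption, not a real sensor schema; the parents of the two root processes are not given in the report and are left as None.

```python
"""Detect svchost.exe masquerading from process-creation events.

Added example; not from the sandbox report. Events are constructed to mirror
the report's process tree and PIDs. Field names (pid, ppid, image,
parent_image, cmdline) are an assumption, not a real sensor schema.
"""
from __future__ import annotations

import ntpath  # Windows path handling that also works on non-Windows hosts

# Only locations of the real service host; anything else named svchost.exe
# is a masquerade (ATT&CK T1036.005, match legitimate name or location).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Normal launcher of svchost.exe. Extend per environment if you find
# legitimate exceptions, but never allow-list by image name alone.
SVCHOST_PARENTS = {"services.exe"}
# Directories an unprivileged user can write to; a service host has no
# business referencing or spawning executables from them.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\")


def _name(path: str | None) -> str:
    return ntpath.basename(path).lower() if path else ""


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return the list of findings for one process-creation event."""
    findings: list[str] = []
    image, parent = ev["image"], ev.get("parent_image")
    cmdline = ev.get("cmdline", "").lower()

    if _name(image) == "svchost.exe":
        if _dir(image) not in SVCHOST_DIRS:
            findings.append("svchost_outside_system_dirs")
        # Parent is only judged when the sensor supplied one.
        if parent is not None and _name(parent) not in SVCHOST_PARENTS:
            findings.append("svchost_unexpected_parent")
        # The dropper in this report passes the original sample path as an argument.
        if any(m in cmdline for m in USER_WRITABLE_MARKERS):
            findings.append("svchost_cmdline_references_user_writable_path")

    # Any svchost.exe (real or fake) starting an executable from a user-writable path.
    if _name(parent) == "svchost.exe" and any(m in image.lower() for m in USER_WRITABLE_MARKERS):
        findings.append("svchost_spawned_exe_from_user_writable_path")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that produced at least one."""
    out: dict[int, list[str]] = {}
    for ev in events:
        f = check_event(ev)
        if f:
            out[ev["pid"]] = f
    return out


# Constructed events mirroring the report's tree; the last one is a benign control.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe"
_FAKE = r"C:\Windows\svchost.exe"
SAMPLE_EVENTS = [
    {"pid": 2680, "ppid": None, "image": _SAMPLE, "parent_image": None,
     "cmdline": f'"{_SAMPLE}"'},
    {"pid": 2984, "ppid": 2680, "image": _FAKE, "parent_image": _SAMPLE,
     "cmdline": f'"{_FAKE}" "{_SAMPLE}"'},
    {"pid": 1300, "ppid": 2984, "image": _SAMPLE, "parent_image": _FAKE,
     "cmdline": f'"{_SAMPLE}"'},
    {"pid": 524, "ppid": None, "image": _FAKE, "parent_image": None,
     "cmdline": _FAKE},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The location check alone catches both svchost.exe instances in this report, and it is the one that survives renaming of the dropper: a file-infector's host process can be called anything, but it cannot be in System32 without first getting write access there. The parent and command-line checks are the ones that need tuning on real telemetry, because scheduled tasks and installers do occasionally produce a legitimate System32 svchost.exe spawning something from a user profile.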
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3a127472d8c46c61ab688ef476639e3a.exe
  Filesize: 320KB
  MD5: 4cc06b1f323b4c706fe090276efe2e95
  SHA1: 452ca7e7c48360bda7bd57c717f18147cf5db56e
  SHA256: 9b1038502f7b3387ff72340ff7e956c07947fce5b228d6b8da7f3635462cca7f
  SHA512: 23d75981f1a1347ebb3dae679e624c1822c64dca622d961452903ca8e0438f0ed10b698275084adddaaacd6890e20dfacb70a2525663fb43d192f9f6c1b11e44
  Note: this is the file at the submitted path as collected after the run; its size and hashes differ from the submitted sample (356KB, MD5 3a127472d8c46c61ab688ef476639e3a), so the on-disk copy was rewritten during execution.

C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Memory dumps
  memory/1300-135-0x0000000000000000-mapping.dmp
  memory/1300-137-0x0000000000400000-0x0000000000451000-memory.dmp  Filesize: 324KB
  memory/1300-139-0x0000000002340000-0x00000000033FA000-memory.dmp  Filesize: 16.7MB
  memory/1300-140-0x0000000002340000-0x00000000033FA000-memory.dmp  Filesize: 16.7MB
  memory/1300-141-0x0000000000400000-0x0000000000451000-memory.dmp  Filesize: 324KB
  memory/2984-132-0x0000000000000000-mapping.dmp