Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-08-2022 20:26
Static task: static1
Behavioral task: behavioral1
Sample: 70b5c9728d562a25271a4df812e03c93.exe
Resource: win7-20220812-en
General
- Target: 70b5c9728d562a25271a4df812e03c93.exe
- Size: 356KB
- MD5: 70b5c9728d562a25271a4df812e03c93
- SHA1: d853a26ccac28f2664158006879b19dfef4e9faa
- SHA256: 31f0ed2c07c2f6cee25a794fe568be149099bb901779056f05073b5f3432d3da
- SHA512: 0a57e4bfdbd97965b43fd96fc1cd2ca94035fc747a00bd249618e4c8c89f294c6266743a61d5162f003c267eeecabb68c2b531232d1097437e41ed53838be719
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPjTU1DVBf5kx3JsR1WBurgI6:EagCkDa1DVBRkYWErXI5
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 70b5c9728d562a25271a4df812e03c93.exe
UAC bypass
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70b5c9728d562a25271a4df812e03c93.exe
Windows security bypass
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Executes dropped EXE (3 IoCs)
Processes: svchost.exe, 70b5c9728d562a25271a4df812e03c93.exe, svchost.exe
pid | process
2496 | svchost.exe
628 | 70b5c9728d562a25271a4df812e03c93.exe
1884 | svchost.exe
Processes:
resource | yara_rule
behavioral2/memory/628-139-0x0000000002400000-0x00000000034BA000-memory.dmp | upx
behavioral2/memory/628-141-0x0000000002400000-0x00000000034BA000-memory.dmp | upx
Windows security modification
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 70b5c9728d562a25271a4df812e03c93.exe
Checks whether UAC is enabled
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70b5c9728d562a25271a4df812e03c93.exe
Drops file in Program Files directory (39 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\SelectSkip.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe | svchost.exe
Drops file in Windows directory (1 IoC)
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
File created | C:\Windows\svchost.exe | 70b5c9728d562a25271a4df812e03c93.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 70b5c9728d562a25271a4df812e03c93.exe, svchost.exe
description | pid | process | target process
PID 4944 wrote to memory of 2496 | 4944 | 70b5c9728d562a25271a4df812e03c93.exe | svchost.exe
PID 4944 wrote to memory of 2496 | 4944 | 70b5c9728d562a25271a4df812e03c93.exe | svchost.exe
PID 4944 wrote to memory of 2496 | 4944 | 70b5c9728d562a25271a4df812e03c93.exe | svchost.exe
PID 2496 wrote to memory of 628 | 2496 | svchost.exe | 70b5c9728d562a25271a4df812e03c93.exe
PID 2496 wrote to memory of 628 | 2496 | svchost.exe | 70b5c9728d562a25271a4df812e03c93.exe
PID 2496 wrote to memory of 628 | 2496 | svchost.exe | 70b5c9728d562a25271a4df812e03c93.exe
System policy modification (1 TTPs, 1 IoC)
Processes: 70b5c9728d562a25271a4df812e03c93.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 70b5c9728d562a25271a4df812e03c93.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - System policy modification
- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\70b5c9728d562a25271a4df812e03c93.exe
  Filesize: 320KB
  MD5: 944882c8f03f8a82a6629fa85e82a320
  SHA1: 1b71e96e47fe0186c7aec4915121ec596c78cdd6
  SHA256: 52df671c60f711a00e48d7d78acfca5a472c817f0c43689b6477b2112d55d343
  SHA512: 8a530c08b62272903d254a79e0d8c42e32da459a9bce2cec44648dcba8f98d05c34cafa9f6766c6fe2feebafda8d7d59c479037510991bfaad24d44bd8c713d3
- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
- memory/628-135-0x0000000000000000-mapping.dmp
- memory/628-137-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/628-139-0x0000000002400000-0x00000000034BA000-memory.dmp
  Filesize: 16.7MB
- memory/628-140-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/628-141-0x0000000002400000-0x00000000034BA000-memory.dmp
  Filesize: 16.7MB
- memory/628-142-0x0000000002400000-0x00000000034BA000-memory.dmp
  Filesize: 16.7MB
- memory/2496-132-0x0000000000000000-mapping.dmp