Analysis
Max time kernel: 46s
Max time network: 51s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 25-08-2022 20:26
Static task: static1
Behavioral task: behavioral1
  Sample: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Resource: win7-20220812-en
General
Target: bdfafdb3b05bae0c6b7c9c190e591a70.exe
Size: 364KB
MD5: bdfafdb3b05bae0c6b7c9c190e591a70
SHA1: 5cde118351549571ee86c4edfd76b53bf4649196
SHA256: 341d6f81dde5483542adb5eb378958e90e40619825b29708f59289a5500c630e
SHA512: 058cecada7cf173ea6d0cb598fecc82194d76e586ae86f5948ceaa2519a7db41a164f3284bea6f1e14ba5c5ef21d70a5a28df4e5cee07e945d4a894cec61ffd9
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgP0oXrf5kzUI8yzyRqBurgIsU:EagCkDeerRkzUI8yORqErGI5
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass 1 IoC
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass 6 IoCs
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Executes dropped EXE 3 IoCs
  PID 1652 svchost.exe
  PID 2036 bdfafdb3b05bae0c6b7c9c190e591a70.exe
  PID 1740 svchost.exe

UPX packed file (yara rule: upx) 1 IoC
  Resource: behavioral1/memory/2036-61-0x0000000001D10000-0x0000000002DCA000-memory.dmp

Loads dropped DLL 1 IoC
  PID 1652 svchost.exe

Windows security modification 7 IoCs
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Checks whether UAC is enabled 1 IoC
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Drops file in Windows directory 2 IoCs
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe (two instances)
  File created C:\Windows\6c25ca
  File created C:\Windows\svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs
  PID 1816 (bdfafdb3b05bae0c6b7c9c190e591a70.exe) wrote to memory of PID 1652 (svchost.exe), 4 events
  PID 1652 (svchost.exe) wrote to memory of PID 2036 (bdfafdb3b05bae0c6b7c9c190e591a70.exe), 4 events

System policy modification 1 TTPs 1 IoC
Process: bdfafdb3b05bae0c6b7c9c190e591a70.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
1. C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe (PID 1816)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svchost.exe (PID 1652)
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe (PID 2036)
         Command line: "C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe"
         - Modifies firewall policy service
         - UAC bypass
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
         - Checks whether UAC is enabled
         - Drops file in Windows directory
         - System policy modification
1. C:\Windows\svchost.exe (PID 1740)
   Command line: C:\Windows\svchost.exe
   - Executes dropped EXE

Note: PIDs are taken from the WriteProcessMemory and Executes dropped EXE signatures above. The level-3 process has the same path as the submitted sample, but the Downloads section records the file at that path as a dropped file with a different size and hash (328KB, MD5 f6b648a2b321d2fb39c4d78574960f5e, against 364KB / MD5 bdfafdb3b05bae0c6b7c9c190e591a70 for the submission), so the dropped C:\Windows\svchost.exe relaunches a rewritten binary rather than the original sample. All of the firewall, UAC and Security Center tampering is attributed to that third process, and the svchost.exe involved lives directly in C:\Windows, not in C:\Windows\System32.
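Detection logic for the behaviour recorded in the Signatures and Processes sections above, added here as an example; it is not part of the Triage report and not code from the sample. It assumes host telemetry shaped like Sysmon Event ID 13 (RegistryEvent SetValue, with TargetObject, Details and ProcessId fields) and Event ID 1 (ProcessCreate, with Image and ProcessId), and it matches on the registry values and the out-of-place svchost.exe path the report lists. The SAMPLE_EVENTS at the bottom are constructed from the report's values, not captured events.

```python
"""Flag the registry tampering and svchost.exe masquerade seen in this report.

Added example, not part of the report. Assumes Sysmon-style event dicts:
EventID 13 -> TargetObject, Details, ProcessId; EventID 1 -> Image, ProcessId.
"""
import re

# Registry values the Signatures section attributes to the sample, keyed by an
# HKLM-relative path. Firewall and UAC are switched off (0); every Security
# Center Override / DisableNotify flag is switched on (1).
TAMPERED_VALUES = {
    r"SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": "0",
    r"SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions": "0",
    r"SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": "1",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "0",
    r"SOFTWARE\Microsoft\Security Center\UacDisableNotify": "1",
    r"SOFTWARE\Microsoft\Security Center\AntiVirusOverride": "1",
    r"SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": "1",
    r"SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": "1",
    r"SOFTWARE\Microsoft\Security Center\FirewallOverride": "1",
    r"SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": "1",
}

_HIVE = re.compile(r"^(\\REGISTRY\\MACHINE\\|HKLM\\|HKEY_LOCAL_MACHINE\\)", re.IGNORECASE)
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)
_WOW64 = re.compile(r"\\Wow6432Node\\", re.IGNORECASE)
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Where a genuine svchost.exe lives; the report's dropped copy is C:\Windows\svchost.exe.
_LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def normalise_key(path):
    r"""Fold the sandbox spelling (\REGISTRY\MACHINE\...\ControlSet001\...\Wow6432Node\...)
    and the Sysmon spelling (HKLM\...\CurrentControlSet\...) onto one lowercase form."""
    path = _HIVE.sub("", path)
    path = _CONTROLSET.sub(r"\\CurrentControlSet\\", path)
    path = _WOW64.sub(r"\\", path)
    return path.lower()


_TAMPERED_LOOKUP = {normalise_key(k): v for k, v in TAMPERED_VALUES.items()}


def dword_value(details):
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; return the decimal text."""
    m = _DWORD.match(details)
    return str(int(m.group(1), 16)) if m else details


def svchost_masquerade(image):
    """True for any svchost.exe that is not the System32 / SysWOW64 binary."""
    img = image.lower()
    return img.endswith("\\svchost.exe") and img not in _LEGIT_SVCHOST


def evaluate(events):
    """Return (event_index, rule, detail) for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 13:
            key = normalise_key(ev["TargetObject"])
            wanted = _TAMPERED_LOOKUP.get(key)
            if wanted is not None and dword_value(ev["Details"]) == wanted:
                findings.append((i, "security_tamper", key))
        elif ev["EventID"] == 1 and svchost_masquerade(ev["Image"]):
            findings.append((i, "svchost_masquerade", ev["Image"]))
    return findings


def tamper_count_by_pid(findings, events):
    """Distinct tampered values per process. A lone EnableLUA=0 may be an
    administrator; one process flipping several of these is the report's pattern."""
    seen = {}
    for idx, rule, key in findings:
        if rule == "security_tamper":
            seen.setdefault(events[idx]["ProcessId"], set()).add(key)
    return {pid: len(keys) for pid, keys in seen.items()}


# Constructed sample telemetry (not captured events), following the report's process tree.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1652, "Image": r"C:\Windows\svchost.exe"},
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\System32\svchost.exe"},  # benign
    {"EventID": 13, "ProcessId": 2036, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"EventID": 13, "ProcessId": 2036, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "ProcessId": 2036, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"EventID": 13, "ProcessId": 2036, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride"},
    {"EventID": 13, "ProcessId": 900, "Details": "DWORD (0x00000001)",  # admin re-enabling the firewall
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for idx, rule, detail in found:
        print(f"event {idx}: {rule}: {detail}")
    print(tamper_count_by_pid(found, SAMPLE_EVENTS))
```

The path normalisation matters because the sandbox writes ControlSet001 and Wow6432Node into the paths it reports, while a live system's telemetry will usually show CurrentControlSet and, for a 64-bit process, no Wow6432Node; matching on the raw report strings would miss the same write on a real host. The value is checked as well as the key, so an administrator re-enabling the firewall does not trip the rule.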
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe (also listed as \Users\Admin\AppData\Local\Temp\bdfafdb3b05bae0c6b7c9c190e591a70.exe)
  Filesize: 328KB
  MD5: f6b648a2b321d2fb39c4d78574960f5e
  SHA1: caff9dcd26852bf7dd8b0bdbf9ee4b9cfe3595e6
  SHA256: 32525613d50b9ae8664db463921c26e462fa3ee5610a04bb286285059cf3dbdc
  SHA512: a0461c1028ecd1f0e31c09dcecde2699ab6d39038c8441bf1a591c2135a7b69dd2752dcc0b8501435b5ea4b92ca563c6b2b61e6bbc8c2b565d3a125291eddc3e

C:\Windows\svchost.exe (listed three times with identical hashes)
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Memory dumps:
  memory/1652-63-0x00000000002C0000-0x0000000000313000-memory.dmp: 332KB
  memory/1652-54-0x0000000000000000-mapping.dmp
  memory/2036-60-0x0000000075B81000-0x0000000075B83000-memory.dmp: 8KB
  memory/2036-58-0x0000000000000000-mapping.dmp
  memory/2036-61-0x0000000001D10000-0x0000000002DCA000-memory.dmp: 16.7MB
  memory/2036-62-0x0000000000400000-0x0000000000453000-memory.dmp: 332KB
  memory/2036-64-0x0000000001D10000-0x0000000002DCA000-memory.dmp: 16.7MB
  memory/2036-66-0x0000000001D10000-0x0000000002DCA000-memory.dmp: 16.7MB