Analysis
  max time kernel: 151s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-08-2022 20:26
  Static task: static1
  Behavioral task: behavioral1
    Sample: f714cb80ca31ace1a6f03f28846097f6.exe
    Resource: win7-20220812-en
General
  Target: f714cb80ca31ace1a6f03f28846097f6.exe
  Size: 360KB
  MD5: f714cb80ca31ace1a6f03f28846097f6
  SHA1: dd9f2ac00268d2b442a992cf8cf3f3558f12e523
  SHA256: 27f99c5e2fc9622f0179d65fd26efa330ac0d547f70a57b6034baf5b5f93b910
  SHA512: e3741a2e321ebbd1a789b8a459ec4ae103d7603a79395790a7b11649e622c6e2291139b6e5041fcbba96f9c413c44f58424836ffc759e7350d50360e2af170d0
  SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPT00O6f5k6sPtHdGzDBurgIk:EagCkDW0O6RkXldGzDEr1I5
Malware Config
  Extracted family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f714cb80ca31ace1a6f03f28846097f6.exe

UAC bypass
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f714cb80ca31ace1a6f03f28846097f6.exe

Windows security bypass
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe

Executes dropped EXE (3 IoCs)
  Processes: svchost.exe, f714cb80ca31ace1a6f03f28846097f6.exe, svchost.exe
  pid | process
  4920 | svchost.exe
  4840 | f714cb80ca31ace1a6f03f28846097f6.exe
  4900 | svchost.exe

YARA rule match (upx)
  resource | yara_rule
  behavioral2/memory/4840-139-0x00000000021E0000-0x000000000329A000-memory.dmp | upx
  behavioral2/memory/4840-141-0x00000000021E0000-0x000000000329A000-memory.dmp | upx

Windows security modification
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f714cb80ca31ace1a6f03f28846097f6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | f714cb80ca31ace1a6f03f28846097f6.exe

Checks whether UAC is enabled
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f714cb80ca31ace1a6f03f28846097f6.exe
Drops file in Program Files directory (53 IoCs)
  Processes: svchost.exe
Drops file in Windows directory (1 IoC)
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  File created | C:\Windows\svchost.exe | f714cb80ca31ace1a6f03f28846097f6.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe, svchost.exe
  description | pid | process | target process
  PID 3396 wrote to memory of 4920 | 3396 | f714cb80ca31ace1a6f03f28846097f6.exe | svchost.exe
  PID 3396 wrote to memory of 4920 | 3396 | f714cb80ca31ace1a6f03f28846097f6.exe | svchost.exe
  PID 3396 wrote to memory of 4920 | 3396 | f714cb80ca31ace1a6f03f28846097f6.exe | svchost.exe
  PID 4920 wrote to memory of 4840 | 4920 | svchost.exe | f714cb80ca31ace1a6f03f28846097f6.exe
  PID 4920 wrote to memory of 4840 | 4920 | svchost.exe | f714cb80ca31ace1a6f03f28846097f6.exe
  PID 4920 wrote to memory of 4840 | 4920 | svchost.exe | f714cb80ca31ace1a6f03f28846097f6.exe

System policy modification (1 TTP, 1 IoC)
  Processes: f714cb80ca31ace1a6f03f28846097f6.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f714cb80ca31ace1a6f03f28846097f6.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\svchost.exe (depth 2)
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe (depth 3)
          command line: "C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe"
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - System policy modification

C:\Windows\svchost.exe (depth 1)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\f714cb80ca31ace1a6f03f28846097f6.exe
  Filesize: 324KB
  MD5: a9dac5156e7f963e2c0dd0132854c7a2
  SHA1: 4c7ed51205a1813cf434e92185e50c48cad35335
  SHA256: 91aa77df8de60c339d69761a3de9969270dc90ed9377d05c80a1fe2c1d4a46a0
  SHA512: c9c81fbdee0e5efe2ee105f9f24813e6c5890cdd4c7019dbe2f5c8eac41565c7a4244478f4c588d96481263ff594ac250a0b0ebe1bcf9196f239ae8bf3374fbd

C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
Memory dumps
  memory/4840-135-0x0000000000000000-mapping.dmp
  memory/4840-137-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
  memory/4840-139-0x00000000021E0000-0x000000000329A000-memory.dmp (Filesize: 16.7MB)
  memory/4840-140-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
  memory/4840-141-0x00000000021E0000-0x000000000329A000-memory.dmp (Filesize: 16.7MB)
  memory/4920-132-0x0000000000000000-mapping.dmp