Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 25-08-2022 20:28
Static task: static1
Behavioral task: behavioral1
Sample: e4aff308bfc1759e22bd0b9b90f058fd.exe
Resource: win7-20220812-en
General
Target: e4aff308bfc1759e22bd0b9b90f058fd.exe
Size: 364KB
MD5: e4aff308bfc1759e22bd0b9b90f058fd
SHA1: 25c4b6b7bde128de2d34069736d8209485470cb0
SHA256: 361d661eddf275abdfe5f48f204cc6317156ca4575a36b1904a915c743dc97c8
SHA512: a92161e3a97783bc595898d121fd9962d485fbf76176a41310024cb15e9a95f910597e80621e21005d001a5b3dff36538fa18d123327669e828fd9c36f8e37e6
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPMOXY+Dfkf5kV5WxHbCNCBuf:EagCkDLXNcRk7WF1Er5cI5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e4aff308bfc1759e22bd0b9b90f058fd.exe

UAC bypass
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e4aff308bfc1759e22bd0b9b90f058fd.exe

Windows security bypass
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe

Executes dropped EXE 3 IoCs
Processes: svchost.exe, e4aff308bfc1759e22bd0b9b90f058fd.exe, svchost.exe
pid | process
1752 | svchost.exe
1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe
1700 | svchost.exe

resource | yara_rule
behavioral1/memory/1728-61-0x0000000001D80000-0x0000000002E3A000-memory.dmp | upx
behavioral1/memory/1728-64-0x0000000001D80000-0x0000000002E3A000-memory.dmp | upx

Loads dropped DLL 1 IoCs
Processes: svchost.exe
pid | process
1752 | svchost.exe

Windows security modification
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e4aff308bfc1759e22bd0b9b90f058fd.exe

Checks whether UAC is enabled
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e4aff308bfc1759e22bd0b9b90f058fd.exe

Drops file in Windows directory 3 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe, e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
File created | C:\Windows\svchost.exe | e4aff308bfc1759e22bd0b9b90f058fd.exe
File created | C:\Windows\6bf70c | e4aff308bfc1759e22bd0b9b90f058fd.exe
File opened for modification | C:\Windows\SYSTEM.INI | e4aff308bfc1759e22bd0b9b90f058fd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
pid | process
1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | pid | process
Token: SeDebugPrivilege | 1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe (this identical row appears 22 times in the report)

Suspicious use of WriteProcessMemory 11 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe, svchost.exe, e4aff308bfc1759e22bd0b9b90f058fd.exe
description | pid | process | target process
PID 1052 wrote to memory of 1752 | 1052 | e4aff308bfc1759e22bd0b9b90f058fd.exe | svchost.exe
PID 1052 wrote to memory of 1752 | 1052 | e4aff308bfc1759e22bd0b9b90f058fd.exe | svchost.exe
PID 1052 wrote to memory of 1752 | 1052 | e4aff308bfc1759e22bd0b9b90f058fd.exe | svchost.exe
PID 1052 wrote to memory of 1752 | 1052 | e4aff308bfc1759e22bd0b9b90f058fd.exe | svchost.exe
PID 1752 wrote to memory of 1728 | 1752 | svchost.exe | e4aff308bfc1759e22bd0b9b90f058fd.exe
PID 1752 wrote to memory of 1728 | 1752 | svchost.exe | e4aff308bfc1759e22bd0b9b90f058fd.exe
PID 1752 wrote to memory of 1728 | 1752 | svchost.exe | e4aff308bfc1759e22bd0b9b90f058fd.exe
PID 1752 wrote to memory of 1728 | 1752 | svchost.exe | e4aff308bfc1759e22bd0b9b90f058fd.exe
PID 1728 wrote to memory of 1116 | 1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe | taskhost.exe
PID 1728 wrote to memory of 1176 | 1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe | Dwm.exe
PID 1728 wrote to memory of 1216 | 1728 | e4aff308bfc1759e22bd0b9b90f058fd.exe | Explorer.EXE

System policy modification 1 TTPs 1 IoCs
Processes: e4aff308bfc1759e22bd0b9b90f058fd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e4aff308bfc1759e22bd0b9b90f058fd.exe
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe
  Filesize: 328KB
  MD5: 7aad1ac5c0270bb5f4ac13f679c4a7c2
  SHA1: bec09207b0434c911ff73ce52393a36618de8479
  SHA256: ea2b99be940956b52f19ae66b8b570e51eb9c1c7252d4e082c0ae38d1f49d5d7
  SHA512: 2a243c822ecbd28a5407adc8f8bc2ece448ebb116352b9aac1bd88478b778ecd402380fffd10875bfe71a18e72508e84122b4e26b8d8f7ffcc79abeb039760fb
- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
- \Users\Admin\AppData\Local\Temp\e4aff308bfc1759e22bd0b9b90f058fd.exe
  Filesize: 328KB
  MD5: 7aad1ac5c0270bb5f4ac13f679c4a7c2
  SHA1: bec09207b0434c911ff73ce52393a36618de8479
  SHA256: ea2b99be940956b52f19ae66b8b570e51eb9c1c7252d4e082c0ae38d1f49d5d7
  SHA512: 2a243c822ecbd28a5407adc8f8bc2ece448ebb116352b9aac1bd88478b778ecd402380fffd10875bfe71a18e72508e84122b4e26b8d8f7ffcc79abeb039760fb
- memory/1728-58-0x0000000000000000-mapping.dmp
- memory/1728-60-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB
- memory/1728-61-0x0000000001D80000-0x0000000002E3A000-memory.dmp
  Filesize: 16.7MB
- memory/1728-63-0x0000000000400000-0x0000000000453000-memory.dmp
  Filesize: 332KB
- memory/1728-64-0x0000000001D80000-0x0000000002E3A000-memory.dmp
  Filesize: 16.7MB
- memory/1752-54-0x0000000000000000-mapping.dmp