Analysis
- max time kernel: 129s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-08-2022 19:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Resource: win7-20220812-en
General
- Target: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Size: 360KB
- MD5: 5729a35b76d5e98b89cf013ca1b93aed
- SHA1: 412d40df4526c68a1b0398f4a4b0cd0fe18a866a
- SHA256: 4652709c58a2be46a1543c18f6d5c2e57b1fd1ac25cdb0b894e46e42456c3a6a
- SHA512: 332efdc32d3cb8086f8822e4dbab7652eebfb37a05913822b2a6a7740977eaebb245779b98284823c1f63d9ccc167b7c0bb3c4a17c6a37192b75b39772dd398f
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPNmv5+9exbaS5f5kjhm5BurT:EagCkDewqz5Rk1m5ErmI5
Malware Config
Extracted family: sality
Configured URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Executes dropped EXE (3 IoCs)
- PID 3392: svchost.exe
- PID 1880: 5729a35b76d5e98b89cf013ca1b93aed.exe
- PID 1784: svchost.exe

YARA rule matches (resource: rule)
- behavioral2/memory/1880-139-0x0000000002350000-0x000000000340A000-memory.dmp: upx
- behavioral2/memory/1880-141-0x0000000002350000-0x000000000340A000-memory.dmp: upx

Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Program Files directory (52 IoCs)
Process: svchost.exe; each IoC is an existing executable under C:\Program Files opened for modification.
Drops file in Windows directory (1 IoC)
Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- File created C:\Windows\svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 5729a35b76d5e98b89cf013ca1b93aed.exe, svchost.exe
- PID 2156 (5729a35b76d5e98b89cf013ca1b93aed.exe) wrote to memory of PID 3392 (svchost.exe), logged three times
- PID 3392 (svchost.exe) wrote to memory of PID 1880 (5729a35b76d5e98b89cf013ca1b93aed.exe), logged three times

System policy modification (1 TTP, 1 IoC)
Process: 5729a35b76d5e98b89cf013ca1b93aed.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - System policy modification
(depth 1) C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
Downloads
C:\Users\Admin\AppData\Local\Temp\5729a35b76d5e98b89cf013ca1b93aed.exe
- Filesize: 324KB
- MD5: 8d944e02f449d6981b2cdeb3e8c7d3a7
- SHA1: e5efa1756d703aa86c7b1fdfcf00fc5b0733a029
- SHA256: dc7fc1f197a9ed882c912595e6db763fbdf6226d4df2801b9347f0a471ed8cd3
- SHA512: 6e28cbfb5afaef4194c55bb23f4608d934fbc99ab05508da89636bfb0015f20902e6db7a9afe59b47cf3a7a38cf8ac1d397e4af744dcca2747999ef68b974679

C:\Windows\svchost.exe
- Filesize: 35KB
- MD5: 83b4da0c5e91e676c355a34ad0fe73da
- SHA1: 09322303503ed0a70613110ca72e1bc790348882
- SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
- SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
Memory dumps:
- memory/1880-135-0x0000000000000000-mapping.dmp
- memory/1880-138-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1880-139-0x0000000002350000-0x000000000340A000-memory.dmp (16.7MB)
- memory/1880-140-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1880-141-0x0000000002350000-0x000000000340A000-memory.dmp (16.7MB)
- memory/3392-132-0x0000000000000000-mapping.dmp