Analysis
max time kernel: 41s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 19:19
Static task: static1
Behavioral task: behavioral1
Sample: 6cc8b99d70415efafb6c6940c32c000a.exe
Resource: win7-20220812-en
General
Target: 6cc8b99d70415efafb6c6940c32c000a.exe
Size: 356KB
MD5: 6cc8b99d70415efafb6c6940c32c000a
SHA1: a321dd57e185fc403b5785cbab75d3ab4e72a56b
SHA256: b56f19f8aac8093b066b17dad53257e7223bebbdcf94bc0354893e5feaf4236b
SHA512: cfa754cba8235a97ae032aeba29c3bbbb95a3061ec4835bcb077dbeeddff583afbc2162a9263e7198650f6d94b64a4b61deaf006ade0a91a4002bd1b92978810
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPsOObf5kIcpkkBurgIA7wrYM:EagCkDaOObRkNErOI5
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
-
UAC bypass
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Windows security bypass
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Executes dropped EXE 3 IoCs
Processes: svchost.exe, 6cc8b99d70415efafb6c6940c32c000a.exe, svchost.exe
pid | process
1452 | svchost.exe
1020 | 6cc8b99d70415efafb6c6940c32c000a.exe
1048 | svchost.exe
-
Matches yara rule: upx
resource | yara_rule
behavioral1/memory/1020-61-0x0000000001D60000-0x0000000002E1A000-memory.dmp | upx
behavioral1/memory/1020-66-0x0000000001D60000-0x0000000002E1A000-memory.dmp | upx
-
Loads dropped DLL 1 IoCs
Processes: svchost.exe
pid | process
1452 | svchost.exe
-
Windows security modification
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Checks whether UAC is enabled
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Drops file in Windows directory 3 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe, 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
File created | C:\Windows\svchost.exe | 6cc8b99d70415efafb6c6940c32c000a.exe
File created | C:\Windows\6c53fb | 6cc8b99d70415efafb6c6940c32c000a.exe
File opened for modification | C:\Windows\SYSTEM.INI | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
pid | process
1020 | 6cc8b99d70415efafb6c6940c32c000a.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | pid | process
Token: SeDebugPrivilege | 1020 | 6cc8b99d70415efafb6c6940c32c000a.exe (22 identical entries)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe, svchost.exe, 6cc8b99d70415efafb6c6940c32c000a.exe
description | pid | process | target process
PID 1972 wrote to memory of 1452 | 1972 | 6cc8b99d70415efafb6c6940c32c000a.exe | svchost.exe (4 entries)
PID 1452 wrote to memory of 1020 | 1452 | svchost.exe | 6cc8b99d70415efafb6c6940c32c000a.exe (4 entries)
PID 1020 wrote to memory of 1192 | 1020 | 6cc8b99d70415efafb6c6940c32c000a.exe | taskhost.exe
PID 1020 wrote to memory of 1272 | 1020 | 6cc8b99d70415efafb6c6940c32c000a.exe | Dwm.exe
PID 1020 wrote to memory of 1324 | 1020 | 6cc8b99d70415efafb6c6940c32c000a.exe | Explorer.EXE
-
System policy modification 1 TTPs 1 IoCs
Processes: 6cc8b99d70415efafb6c6940c32c000a.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6cc8b99d70415efafb6c6940c32c000a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exe (tree level 2)
Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe"
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Explorer.EXE (tree level 1)
Command line: C:\Windows\Explorer.EXE
-
C:\Windows\system32\Dwm.exe (tree level 1)
Command line: "C:\Windows\system32\Dwm.exe"
-
C:\Windows\system32\taskhost.exe (tree level 1)
Command line: "taskhost.exe"
-
C:\Windows\svchost.exe (tree level 1)
Command line: C:\Windows\svchost.exe
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe
Filesize: 320KB
MD5: 838827f04ef483faa1f876ae2e661682
SHA1: 2c3ffb8ebf823f3ad5f192e65eb6885ab5dd90e1
SHA256: 0dd8f1c6883aa47a0eda16f5df8e6192865d828ba5056cb6736c8689cdf3c2ca
SHA512: adc2568566713eab005fae3ff9f9b3a29b260ba75e28d68bd94f22b616a3b9972ab57c26d722fa3043615599ba7a2d9802b67dc2311d95ebb069afeebbd3ff9a
-
C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
\Users\Admin\AppData\Local\Temp\6cc8b99d70415efafb6c6940c32c000a.exe
Filesize: 320KB
MD5: 838827f04ef483faa1f876ae2e661682
SHA1: 2c3ffb8ebf823f3ad5f192e65eb6885ab5dd90e1
SHA256: 0dd8f1c6883aa47a0eda16f5df8e6192865d828ba5056cb6736c8689cdf3c2ca
SHA512: adc2568566713eab005fae3ff9f9b3a29b260ba75e28d68bd94f22b616a3b9972ab57c26d722fa3043615599ba7a2d9802b67dc2311d95ebb069afeebbd3ff9a
-
memory/1020-60-0x0000000075981000-0x0000000075983000-memory.dmp
Filesize: 8KB
-
memory/1020-58-0x0000000000000000-mapping.dmp
-
memory/1020-61-0x0000000001D60000-0x0000000002E1A000-memory.dmp
Filesize: 16.7MB
-
memory/1020-63-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize: 324KB
-
memory/1020-65-0x0000000000400000-0x0000000000451000-memory.dmp
Filesize: 324KB
-
memory/1020-66-0x0000000001D60000-0x0000000002E1A000-memory.dmp
Filesize: 16.7MB
-
memory/1452-62-0x0000000000190000-0x00000000001E1000-memory.dmp
Filesize: 324KB
-
memory/1452-54-0x0000000000000000-mapping.dmp