Analysis
- max time kernel: 142s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 30-08-2022 19:20

Static task: static1
Behavioral task: behavioral1
- Sample: 932c3d05d58be94ff13ed7662c66312d.exe
- Resource: win7-20220812-en

General
- Target: 932c3d05d58be94ff13ed7662c66312d.exe
- Size: 360KB
- MD5: 932c3d05d58be94ff13ed7662c66312d
- SHA1: 056d537f248599a70dd69e0277a74024bda22b56
- SHA256: 963c70f2fbe8821e389c3b26f53fd2bec42f747120a2deed54f684912490156a
- SHA512: a0c264024f4f070095191b5efa356ff7b5bed85bde8861da8e1a6337ca2f8955ca8d01d9bbe3cdd97e90eef66475fa3cad08fe32621757945edf0ece4843dc52
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPyT/0OgUf5kU2CGe16yBurgn:EagCkDwTlRkUaQ6yErHI5
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
-
UAC bypass
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Windows security bypass
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
-
Executes dropped EXE 3 IoCs
- PID 5012 svchost.exe
- PID 1260 932c3d05d58be94ff13ed7662c66312d.exe
- PID 1288 svchost.exe
-
YARA match: upx
- behavioral2/memory/1260-138-0x0000000002400000-0x00000000034BA000-memory.dmp (rule: upx)
- behavioral2/memory/1260-140-0x0000000002400000-0x00000000034BA000-memory.dmp (rule: upx)
- behavioral2/memory/1260-142-0x0000000002400000-0x00000000034BA000-memory.dmp (rule: upx)
-
Windows security modification
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
-
Checks whether UAC is enabled
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Drops file in Program Files directory 51 IoCs
Process: svchost.exe (every entry below is "File opened for modification")
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
-
Drops file in Windows directory 3 IoCs
Process: 932c3d05d58be94ff13ed7662c66312d.exe (both instances)
- File created C:\Windows\svchost.exe
- File created C:\Windows\e56f300
- File opened for modification C:\Windows\SYSTEM.INI
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1260 932c3d05d58be94ff13ed7662c66312d.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
- Token: SeDebugPrivilege, PID 1260 932c3d05d58be94ff13ed7662c66312d.exe (9 entries)
-
Suspicious use of WriteProcessMemory 7 IoCs
- PID 4980 (932c3d05d58be94ff13ed7662c66312d.exe) wrote to memory of 5012 (svchost.exe) (3 entries)
- PID 5012 (svchost.exe) wrote to memory of 1260 (932c3d05d58be94ff13ed7662c66312d.exe) (3 entries)
- PID 1260 (932c3d05d58be94ff13ed7662c66312d.exe) wrote to memory of 796 (fontdrvhost.exe)
-
System policy modification 1 TTPs 1 IoCs
Process: 932c3d05d58be94ff13ed7662c66312d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
-
C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 796
-
C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe"
  PID: 4980
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe"
    PID: 5012
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe"
      PID: 1260
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
-
C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 1288
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\932c3d05d58be94ff13ed7662c66312d.exe
- Filesize: 324KB
- MD5: a6f0d6c5bde42b40ae033eb3eeb15f78
- SHA1: 6e4839187de749f1b774be05948939df2d6d461b
- SHA256: 156af8849db2e586c32c634d378d379530d04567873a6beca84f0260b8df07e9
- SHA512: 19245943e4dfab1466ad60198be94edf5b4fad0b45fb514197f6f537dcea5b28502ca10a726779634a9f975783ab0c4273aa26df51fedbd33e2972ec799ece6f
-
C:\Windows\svchost.exe
- Filesize: 35KB
- MD5: 83b4da0c5e91e676c355a34ad0fe73da
- SHA1: 09322303503ed0a70613110ca72e1bc790348882
- SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
- SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
Memory dumps
- memory/1260-135-0x0000000000000000-mapping.dmp
- memory/1260-138-0x0000000002400000-0x00000000034BA000-memory.dmp (Filesize: 16.7MB)
- memory/1260-139-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1260-140-0x0000000002400000-0x00000000034BA000-memory.dmp (Filesize: 16.7MB)
- memory/1260-141-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1260-142-0x0000000002400000-0x00000000034BA000-memory.dmp (Filesize: 16.7MB)
- memory/5012-132-0x0000000000000000-mapping.dmp