Analysis
- max time kernel: 145s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-08-2022 19:18
Static task: static1
Behavioral task: behavioral1
Sample: df4a4e0d9c3a1a259ab41fad6bf45788.exe
Resource: win7-20220812-en
General
- Target: df4a4e0d9c3a1a259ab41fad6bf45788.exe
- Size: 364KB
- MD5: df4a4e0d9c3a1a259ab41fad6bf45788
- SHA1: 972ab064c1f8ece604932f9dfb24523ac1f50a68
- SHA256: b1a5ba0a25000f9ef9796aea25a23f7697501cad3b03db7ad5cf701964d9af4a
- SHA512: 88793bf3a0c034411c18000a4764e5bbc28e3a69da024cb08ce508e223ce76db274603cd1a56f6e0a17429b74d2233e860ac94caec17d077ae09c1c3423b2004
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPbVShf5kkmERgDBurgIH7wrF:EagCkDpVShRkuyDErFI5
Malware Config
Extracted
Family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Executes dropped EXE 3 IoCs
Processes:
pid | process
692 | svchost.exe
780 | df4a4e0d9c3a1a259ab41fad6bf45788.exe
4224 | svchost.exe
Processes:
resource | yara_rule
behavioral2/memory/780-139-0x0000000002320000-0x00000000033DA000-memory.dmp | upx
behavioral2/memory/780-140-0x0000000002320000-0x00000000033DA000-memory.dmp | upx
behavioral2/memory/780-142-0x0000000002320000-0x00000000033DA000-memory.dmp | upx
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | svchost.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\svchost.exe | df4a4e0d9c3a1a259ab41fad6bf45788.exe
File created | C:\Windows\e56f571 | df4a4e0d9c3a1a259ab41fad6bf45788.exe
File opened for modification | C:\Windows\SYSTEM.INI | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
780 | df4a4e0d9c3a1a259ab41fad6bf45788.exe
780 | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2064 wrote to memory of 692 | 2064 | df4a4e0d9c3a1a259ab41fad6bf45788.exe | svchost.exe
PID 2064 wrote to memory of 692 | 2064 | df4a4e0d9c3a1a259ab41fad6bf45788.exe | svchost.exe
PID 2064 wrote to memory of 692 | 2064 | df4a4e0d9c3a1a259ab41fad6bf45788.exe | svchost.exe
PID 692 wrote to memory of 780 | 692 | svchost.exe | df4a4e0d9c3a1a259ab41fad6bf45788.exe
PID 692 wrote to memory of 780 | 692 | svchost.exe | df4a4e0d9c3a1a259ab41fad6bf45788.exe
PID 692 wrote to memory of 780 | 692 | svchost.exe | df4a4e0d9c3a1a259ab41fad6bf45788.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | df4a4e0d9c3a1a259ab41fad6bf45788.exe
Processes
-
(level 1) C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
(level 2) C:\Windows\svchost.exe
  command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
(level 3) C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe"
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
(level 1) C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
- Executes dropped EXE
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\df4a4e0d9c3a1a259ab41fad6bf45788.exe
Filesize: 328KB
MD5: d0d5716fd8445cdc0b3e105455f1700c
SHA1: 4473314fa7ada0a7ac19dfa1c8b28bb3dc39bb59
SHA256: 6e8bfb4b731126f2062778cc58f7dd41be8440b131e1f06225945cd440e7fe44
SHA512: 72b04c821b101c1bb5e724da9801e9af4b31d84fb268115e3b460db52a4d0735aefd2e9be54cf9a7808931586d5acbed42d3acb5bce4e8b603444b21661df4fa
-
C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
memory/692-132-0x0000000000000000-mapping.dmp
-
memory/780-135-0x0000000000000000-mapping.dmp
-
memory/780-138-0x0000000000400000-0x0000000000453000-memory.dmp
Filesize: 332KB
-
memory/780-139-0x0000000002320000-0x00000000033DA000-memory.dmp
Filesize: 16.7MB
-
memory/780-140-0x0000000002320000-0x00000000033DA000-memory.dmp
Filesize: 16.7MB
-
memory/780-141-0x0000000000400000-0x0000000000453000-memory.dmp
Filesize: 332KB
-
memory/780-142-0x0000000002320000-0x00000000033DA000-memory.dmp
Filesize: 16.7MB