Analysis

max time kernel: 33s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 19:19

Static task: static1
Behavioral task: behavioral1
Sample: d80f4cfcb622041a877784f201eb9404.exe
Resource: win7-20220812-en
General

Target: d80f4cfcb622041a877784f201eb9404.exe
Size: 356KB
MD5: d80f4cfcb622041a877784f201eb9404
SHA1: 69d4ed428a7a0781b73aed25c101e5c0295f08a4
SHA256: 462f69f20beb53073f7ecb3da3830067ca7281e03eaa2f05a4cfa9562fc67f34
SHA512: f7e1a802e65118a39d5c4c248ebc308a4b97455c99cf4e5630aae2e9a4e5e3fc2ed84b858da8a9b1ff1689dd72ab35c9cf306d632b8a3a86a66e7ec36d290051
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPC0GmEi4af5k4IXBurgIO7w5:EagCkDGuRkRErkI5
Malware Config

Extracted family: sality
C2 URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | d80f4cfcb622041a877784f201eb9404.exe

UAC bypass
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d80f4cfcb622041a877784f201eb9404.exe

Windows security bypass
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe

Executes dropped EXE (3 IoCs)
Processes: svchost.exe, d80f4cfcb622041a877784f201eb9404.exe, svchost.exe
  pid | process
  744 | svchost.exe
  1900 | d80f4cfcb622041a877784f201eb9404.exe
  772 | svchost.exe

Yara rule match
  resource | yara_rule
  behavioral1/memory/1900-61-0x0000000001D50000-0x0000000002E0A000-memory.dmp | upx
  behavioral1/memory/1900-65-0x0000000001D50000-0x0000000002E0A000-memory.dmp | upx
  behavioral1/memory/1900-66-0x0000000001D50000-0x0000000002E0A000-memory.dmp | upx

Loads dropped DLL (1 IoCs)
Processes: svchost.exe
  pid | process
  744 | svchost.exe

Windows security modification
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | d80f4cfcb622041a877784f201eb9404.exe

Checks whether UAC is enabled
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d80f4cfcb622041a877784f201eb9404.exe

Drops file in Windows directory (3 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe, d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | d80f4cfcb622041a877784f201eb9404.exe
  File created | C:\Windows\svchost.exe | d80f4cfcb622041a877784f201eb9404.exe
  File created | C:\Windows\6c9cec | d80f4cfcb622041a877784f201eb9404.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe
  pid | process
  1900 | d80f4cfcb622041a877784f201eb9404.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | pid | process
  Token: SeDebugPrivilege | 1900 | d80f4cfcb622041a877784f201eb9404.exe
  (the same row is recorded 20 times for pid 1900)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe, svchost.exe, d80f4cfcb622041a877784f201eb9404.exe
  description | pid | process | target process
  PID 2032 wrote to memory of 744 | 2032 | d80f4cfcb622041a877784f201eb9404.exe | svchost.exe
  PID 2032 wrote to memory of 744 | 2032 | d80f4cfcb622041a877784f201eb9404.exe | svchost.exe
  PID 2032 wrote to memory of 744 | 2032 | d80f4cfcb622041a877784f201eb9404.exe | svchost.exe
  PID 2032 wrote to memory of 744 | 2032 | d80f4cfcb622041a877784f201eb9404.exe | svchost.exe
  PID 744 wrote to memory of 1900 | 744 | svchost.exe | d80f4cfcb622041a877784f201eb9404.exe
  PID 744 wrote to memory of 1900 | 744 | svchost.exe | d80f4cfcb622041a877784f201eb9404.exe
  PID 744 wrote to memory of 1900 | 744 | svchost.exe | d80f4cfcb622041a877784f201eb9404.exe
  PID 744 wrote to memory of 1900 | 744 | svchost.exe | d80f4cfcb622041a877784f201eb9404.exe
  PID 1900 wrote to memory of 1272 | 1900 | d80f4cfcb622041a877784f201eb9404.exe | taskhost.exe
  PID 1900 wrote to memory of 1364 | 1900 | d80f4cfcb622041a877784f201eb9404.exe | Dwm.exe
  PID 1900 wrote to memory of 1412 | 1900 | d80f4cfcb622041a877784f201eb9404.exe | Explorer.EXE

System policy modification (1 TTPs, 1 IoCs)
Processes: d80f4cfcb622041a877784f201eb9404.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d80f4cfcb622041a877784f201eb9404.exe
Processes

(depth 1) C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  (depth 2) C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\svchost.exe
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

(depth 1) C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"

(depth 1) C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"

(depth 1) C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe
  Filesize: 320KB
  MD5: fc77c43663d0b42bff871e28d2c9d3c2
  SHA1: 1be3ec177095ef100b684406c5012639cb653958
  SHA256: d2775e6f388baa6839acb1be2a77fa93f2793f56db7b2738c16ac0e5e5acd63e
  SHA512: 10a0a03df08766d635dd4df1fa97a6e92b6272db5bf998c09bd2c5832219c6af6e64eb9ab157fecd3df1b7c50f43d187dca5cc80c7929d2721efbdf8606f288f

C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
\Users\Admin\AppData\Local\Temp\d80f4cfcb622041a877784f201eb9404.exe
  Filesize: 320KB
  MD5: fc77c43663d0b42bff871e28d2c9d3c2
  SHA1: 1be3ec177095ef100b684406c5012639cb653958
  SHA256: d2775e6f388baa6839acb1be2a77fa93f2793f56db7b2738c16ac0e5e5acd63e
  SHA512: 10a0a03df08766d635dd4df1fa97a6e92b6272db5bf998c09bd2c5832219c6af6e64eb9ab157fecd3df1b7c50f43d187dca5cc80c7929d2721efbdf8606f288f

Memory dumps

memory/744-62-0x0000000002410000-0x0000000002461000-memory.dmp
  Filesize: 324KB

memory/744-54-0x0000000000000000-mapping.dmp

memory/1900-60-0x0000000075451000-0x0000000075453000-memory.dmp
  Filesize: 8KB

memory/1900-61-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  Filesize: 16.7MB

memory/1900-63-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB

memory/1900-58-0x0000000000000000-mapping.dmp

memory/1900-65-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  Filesize: 16.7MB

memory/1900-66-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  Filesize: 16.7MB

memory/1900-67-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB