Analysis
max time kernel: 40s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 19:19
Static task: static1
Behavioral task: behavioral1
Sample: 229441a87fc526cd213093982f923e58.exe
Resource: win7-20220812-en
General
Target: 229441a87fc526cd213093982f923e58.exe
Size: 368KB
MD5: 229441a87fc526cd213093982f923e58
SHA1: 629de35848e312bcca189891967142ff9a5bda0d
SHA256: 964fceb4b1d128fe2c290ab638eac85f8fa83e33d5fe55e44644b9aea42618bd
SHA512: b4ec3b58db21e5c0e5c1acceb7812beba453a5a9395ed201c96fac8aebff41c5c81ce58d9bdfd4e9b3abe248c5be533689d8a7175bb2739aad87f22417051a0a
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPF2lamf5k3Yyl113pa/JBurc:EagCkDoRkK/JErDI5
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 229441a87fc526cd213093982f923e58.exe |

UAC bypass
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 229441a87fc526cd213093982f923e58.exe |

Windows security bypass
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |

Executes dropped EXE (3 IoCs)
Processes:
| pid | process |
| 856 | svchost.exe |
| 1720 | 229441a87fc526cd213093982f923e58.exe |
| 1416 | svchost.exe |

UPX packed file
Processes:
| resource | yara_rule |
| behavioral1/memory/1720-61-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | upx |
| behavioral1/memory/1720-64-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | upx |
| behavioral1/memory/1720-67-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | upx |

Loads dropped DLL (1 IoCs)
Processes:
| pid | process |
| 856 | svchost.exe |

Windows security modification
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 229441a87fc526cd213093982f923e58.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 229441a87fc526cd213093982f923e58.exe |

Checks whether UAC is enabled
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 229441a87fc526cd213093982f923e58.exe |

Drops file in Windows directory (3 IoCs)
Processes:
| description | ioc | process |
| File created | C:\Windows\svchost.exe | 229441a87fc526cd213093982f923e58.exe |
| File created | C:\Windows\6c0188 | 229441a87fc526cd213093982f923e58.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | 229441a87fc526cd213093982f923e58.exe |

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
| pid | process |
| 1720 | 229441a87fc526cd213093982f923e58.exe |

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes:
| description | pid | process |
| Token: SeDebugPrivilege | 1720 | 229441a87fc526cd213093982f923e58.exe |
(the same entry is recorded 21 times)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
| description | pid | process | target process |
| PID 1132 wrote to memory of 856 | 1132 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |
| PID 1132 wrote to memory of 856 | 1132 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |
| PID 1132 wrote to memory of 856 | 1132 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |
| PID 1132 wrote to memory of 856 | 1132 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |
| PID 856 wrote to memory of 1720 | 856 | svchost.exe | 229441a87fc526cd213093982f923e58.exe |
| PID 856 wrote to memory of 1720 | 856 | svchost.exe | 229441a87fc526cd213093982f923e58.exe |
| PID 856 wrote to memory of 1720 | 856 | svchost.exe | 229441a87fc526cd213093982f923e58.exe |
| PID 856 wrote to memory of 1720 | 856 | svchost.exe | 229441a87fc526cd213093982f923e58.exe |
| PID 1720 wrote to memory of 1116 | 1720 | 229441a87fc526cd213093982f923e58.exe | taskhost.exe |
| PID 1720 wrote to memory of 1176 | 1720 | 229441a87fc526cd213093982f923e58.exe | Dwm.exe |
| PID 1720 wrote to memory of 1216 | 1720 | 229441a87fc526cd213093982f923e58.exe | Explorer.EXE |
| PID 1720 wrote to memory of 856 | 1720 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |
| PID 1720 wrote to memory of 856 | 1720 | 229441a87fc526cd213093982f923e58.exe | svchost.exe |

System policy modification (1 TTPs, 1 IoCs)
Processes:
| description | ioc | process |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 229441a87fc526cd213093982f923e58.exe |
Processes

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  └ C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      └ C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"

C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe
Filesize: 332KB
MD5: bfcfef6fc78c10ff3cc871a28853f00b
SHA1: 29773622ae8b2aff2d9d1e26bb4736fdf23976d0
SHA256: e1515e5c52bb82ca7e5f757e36fe50115e077ba7c191c9af227068898bd37acf
SHA512: 6e6e84dd1a067d332a2200b297035711032103a518d4789fe6503dd0a901901518c5f9cec8da62e4b0cc09af906bef6380f7b401873e5bd38df7c3194992cf2a

C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

\Users\Admin\AppData\Local\Temp\229441a87fc526cd213093982f923e58.exe
Filesize: 332KB
MD5: bfcfef6fc78c10ff3cc871a28853f00b
SHA1: 29773622ae8b2aff2d9d1e26bb4736fdf23976d0
SHA256: e1515e5c52bb82ca7e5f757e36fe50115e077ba7c191c9af227068898bd37acf
SHA512: 6e6e84dd1a067d332a2200b297035711032103a518d4789fe6503dd0a901901518c5f9cec8da62e4b0cc09af906bef6380f7b401873e5bd38df7c3194992cf2a

Memory dumps:
| dump | Filesize |
| memory/856-62-0x00000000002E0000-0x0000000000334000-memory.dmp | 336KB |
| memory/856-54-0x0000000000000000-mapping.dmp | (mapping dump, no size reported) |
| memory/1720-60-0x0000000075931000-0x0000000075933000-memory.dmp | 8KB |
| memory/1720-61-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | 16.7MB |
| memory/1720-63-0x0000000000400000-0x0000000000454000-memory.dmp | 336KB |
| memory/1720-64-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | 16.7MB |
| memory/1720-65-0x0000000000400000-0x0000000000454000-memory.dmp | 336KB |
| memory/1720-58-0x0000000000000000-mapping.dmp | (mapping dump, no size reported) |
| memory/1720-67-0x0000000001EB0000-0x0000000002F6A000-memory.dmp | 16.7MB |