Analysis

Max time kernel: 42s
Max time network: 50s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 30-08-2022 19:19

Static task: static1
Behavioral task: behavioral1
Sample: 7dd12114b95c0f5bd6b9ded7168451eb.exe
Resource: win7-20220812-en
General

Target: 7dd12114b95c0f5bd6b9ded7168451eb.exe
Size: 356KB
MD5: 7dd12114b95c0f5bd6b9ded7168451eb
SHA1: 01a2063de23d90b7229640d3c44b22ada1f3377b
SHA256: 5df93923c52fa35d631be8908aee33a36cfca98640442ae9033fe4d57ad959ab
SHA512: 176933a876c3bf66cfa87960d129c7781a55e20fd9aa9d7deb53be49d8d9345353c0dd2cef845883b0f97180f6e0ed9978fbc9bb0d31fd2b70f9d02ffdbd5d05
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPY+ZJn84f5kYtTdwB89Burgf:EagCkDV84RkYHwBwErbI5
Malware Config

Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe

UAC bypass (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Windows security bypass (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Executes dropped EXE (3 IoCs)
pid | process
1876 | svchost.exe
1160 | 7dd12114b95c0f5bd6b9ded7168451eb.exe
1632 | svchost.exe

Yara rule match: upx (3 IoCs)
resource | yara_rule
behavioral1/memory/1160-63-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx
behavioral1/memory/1160-64-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx
behavioral1/memory/1160-67-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx

Loads dropped DLL (1 IoC)
pid | process
1876 | svchost.exe

Windows security modification (7 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Checks whether UAC is enabled (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Drops file in Windows directory (3 IoCs)
description | ioc | process
File created | C:\Windows\svchost.exe | 7dd12114b95c0f5bd6b9ded7168451eb.exe
File created | C:\Windows\6c5458 | 7dd12114b95c0f5bd6b9ded7168451eb.exe
File opened for modification | C:\Windows\SYSTEM.INI | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
1160 | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 1160 | 7dd12114b95c0f5bd6b9ded7168451eb.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | target process
PID 1316 wrote to memory of 1876 (4 writes) | 1316 | 7dd12114b95c0f5bd6b9ded7168451eb.exe | svchost.exe
PID 1876 wrote to memory of 1160 (4 writes) | 1876 | svchost.exe | 7dd12114b95c0f5bd6b9ded7168451eb.exe

System policy modification (1 TTP, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7dd12114b95c0f5bd6b9ded7168451eb.exe
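The registry rows above can be checked mechanically rather than read one by one. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own "description, key path, optional value, process" layout, de-duplicates the rows the report repeats across several signatures, and compares each value against the setting a hardened host is expected to carry. The SECURE_BASELINE table and the ATT&CK technique tags are my mapping, not something the report states, and DoNotAllowExceptions is deliberately left out of the baseline because "0" is its normal value, so that row is not a finding.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the registry rows from this report's Signatures tables,
# one event per line as the sandbox prints them. UacDisableNotify is listed
# twice on purpose, mirroring the report, to exercise de-duplication.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 7dd12114b95c0f5bd6b9ded7168451eb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 7dd12114b95c0f5bd6b9ded7168451eb.exe
'''

# The key path is matched lazily because it may contain spaces
# ("Security Center"); the value part exists only for "Set value" rows.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)


@dataclass(frozen=True)
class RegistryEvent:
    op: str
    path: str
    value: Optional[str]
    process: str

    @property
    def name(self) -> str:
        """Last path component: the value name (or key name for Key created)."""
        return self.path.rsplit("\\", 1)[-1]


def parse_events(text: str) -> list[RegistryEvent]:
    """Parse report rows into unique RegistryEvent records, preserving order."""
    seen: set[RegistryEvent] = set()
    events: list[RegistryEvent] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ev = RegistryEvent(m["op"], m["path"], m["value"], m["process"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


# My baseline (assumption, not from the report): the value a hardened host
# is expected to hold, the control it governs, and the ATT&CK technique a
# detection would tag when the value is flipped.
SECURE_BASELINE = {
    "EnableFirewall":         ("1", "Windows Firewall enabled",           "T1562.004"),
    "DisableNotifications":   ("0", "Firewall notifications",            "T1562.004"),
    "EnableLUA":              ("1", "User Account Control",              "T1548.002"),
    "FirewallOverride":       ("0", "Security Center firewall status",   "T1562.001"),
    "AntiVirusOverride":      ("0", "Security Center AV status",         "T1562.001"),
    "FirewallDisableNotify":  ("0", "Security Center firewall alerts",   "T1562.001"),
    "AntiVirusDisableNotify": ("0", "Security Center AV alerts",         "T1562.001"),
    "UpdatesDisableNotify":   ("0", "Security Center update alerts",     "T1562.001"),
    "UacDisableNotify":       ("0", "Security Center UAC alerts",        "T1562.001"),
}


def degraded_controls(events: list[RegistryEvent]) -> list[tuple[str, str, str, str]]:
    """Return (value name, observed value, control, technique) for every event
    that moves a baseline value away from its secure setting."""
    findings = []
    for ev in events:
        if ev.value is None or ev.name not in SECURE_BASELINE:
            continue  # key creations and values outside the baseline are not findings
        expected, control, technique = SECURE_BASELINE[ev.name]
        if ev.value != expected:
            findings.append((ev.name, ev.value, control, technique))
    return findings


if __name__ == "__main__":
    for name, observed, control, technique in degraded_controls(parse_events(REPORT_ROWS)):
        print(f"{technique}  {control:<34} {name} = {observed}")
```

Run against the rows above it reports nine degraded controls: the firewall and its notifications, UAC, and all six Security Center override/notification switches. Feeding it a report for a different sample only requires replacing REPORT_ROWS; the parser raises on any row it cannot interpret rather than silently skipping it.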
Processes

C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe (PID 1316)
  command line: "C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 1876)
    command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe (PID 1160)
      command line: "C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification

C:\Windows\svchost.exe (PID 1632)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE

PIDs are taken from the signature tables. Note that the second instance of the sample (PID 1160), the one that performs all of the registry changes, is flagged "Executes dropped EXE", and the Downloads section records the file at that path as 320KB with MD5 1d01fa09e3f4c85ef6640a22fbff26d0 rather than the 356KB submitted sample; the image launched by C:\Windows\svchost.exe is therefore a file written during the run, so pivot on both hashes, not only the submitted one.
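The WriteProcessMemory rows record one row per write, so the same parent-child pair appears four times. The following Python is an added example, not part of the report: it collapses those rows into unique edges, reconstructs the launch chain from the PID nobody wrote into, and flags the shape seen here, where the sample's image hands off to the dropped C:\Windows\svchost.exe, which then writes into a fresh copy of the sample's image. The sandbox raises "wrote to memory of" rows for routine parent-to-child launches as well, so the chain shape, not the API call, is the signal; the helper names and the pattern check are mine.

```python
import re
from collections import defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows from this
# report, verbatim. The sandbox prints one row per write, hence the repeats.
WPM_ROWS = """
PID 1316 wrote to memory of 1876 1316 7dd12114b95c0f5bd6b9ded7168451eb.exe svchost.exe
PID 1316 wrote to memory of 1876 1316 7dd12114b95c0f5bd6b9ded7168451eb.exe svchost.exe
PID 1316 wrote to memory of 1876 1316 7dd12114b95c0f5bd6b9ded7168451eb.exe svchost.exe
PID 1316 wrote to memory of 1876 1316 7dd12114b95c0f5bd6b9ded7168451eb.exe svchost.exe
PID 1876 wrote to memory of 1160 1876 svchost.exe 7dd12114b95c0f5bd6b9ded7168451eb.exe
PID 1876 wrote to memory of 1160 1876 svchost.exe 7dd12114b95c0f5bd6b9ded7168451eb.exe
PID 1876 wrote to memory of 1160 1876 svchost.exe 7dd12114b95c0f5bd6b9ded7168451eb.exe
PID 1876 wrote to memory of 1160 1876 svchost.exe 7dd12114b95c0f5bd6b9ded7168451eb.exe
"""

# Row layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# The backreference insists the repeated pid column agrees with the first.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_edges(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) edges, in report order."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edge = (int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
        if edge not in edges:
            edges.append(edge)
    return edges


def chains(edges):
    """Walk every root-to-leaf path; a root is a PID that no other PID wrote into.
    Each path is a list of (pid, image) tuples."""
    children = defaultdict(list)
    images = {}
    for src, dst, src_image, dst_image in edges:
        children[src].append(dst)
        images[src] = src_image
        images[dst] = dst_image
    written_into = {dst for _, dst, _, _ in edges}
    roots = [pid for pid in images if pid not in written_into]

    paths = []

    def walk(pid, path):
        path = path + [(pid, images[pid])]
        if not children[pid]:
            paths.append(path)
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return paths


def relaunch_through_dropper(chain):
    """True when an image hands off to a different intermediate process that in
    turn writes into a new process of the original image (exe -> x -> exe)."""
    return any(
        chain[i][1] == chain[i + 2][1] and chain[i + 1][1] != chain[i][1]
        for i in range(len(chain) - 2)
    )


if __name__ == "__main__":
    for chain in chains(parse_edges(WPM_ROWS)):
        flag = "  <- relaunch through dropped intermediate" if relaunch_through_dropper(chain) else ""
        print(" -> ".join(f"{pid} {image}" for pid, image in chain) + flag)
```

For this report it prints a single chain, 1316 7dd12114b95c0f5bd6b9ded7168451eb.exe -> 1876 svchost.exe -> 1160 7dd12114b95c0f5bd6b9ded7168451eb.exe, and flags it. The second C:\Windows\svchost.exe (PID 1632) does not appear because no WriteProcessMemory row involves it; the parse deliberately works only from what the report records.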
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe
Filesize: 320KB
MD5: 1d01fa09e3f4c85ef6640a22fbff26d0
SHA1: af882eaa68c708a869bd85eee077829b6bece3e9
SHA256: 68a690cd13b1d2f7ca8765600d200b18ed58ef17ee3c8fe51caeda01009cfa2c
SHA512: 974c0ca678ff0c4f74f7d59e551da65c42e224b85ba84df416aecc1d74ea6bf93f096ce0bb577c35b872cfa689a8f829c84f6207271531171e146effee500e2e

C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

\Users\Admin\AppData\Local\Temp\7dd12114b95c0f5bd6b9ded7168451eb.exe
Filesize: 320KB
MD5: 1d01fa09e3f4c85ef6640a22fbff26d0
SHA1: af882eaa68c708a869bd85eee077829b6bece3e9
SHA256: 68a690cd13b1d2f7ca8765600d200b18ed58ef17ee3c8fe51caeda01009cfa2c
SHA512: 974c0ca678ff0c4f74f7d59e551da65c42e224b85ba84df416aecc1d74ea6bf93f096ce0bb577c35b872cfa689a8f829c84f6207271531171e146effee500e2e

Memory dumps
memory/1160-60-0x0000000075451000-0x0000000075453000-memory.dmp: 8KB
memory/1160-62-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
memory/1160-63-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
memory/1160-64-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
memory/1160-65-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
memory/1160-58-0x0000000000000000-mapping.dmp
memory/1160-67-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
memory/1876-54-0x0000000000000000-mapping.dmp
memory/1876-61-0x0000000000320000-0x0000000000371000-memory.dmp: 324KB