Analysis
max time kernel: 141s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 30-08-2022 19:19
Static task: static1
Behavioral task: behavioral1
Sample: a2e67aff208c97035824490f1a05b08a.exe
Resource: win7-20220812-en
General
Target: a2e67aff208c97035824490f1a05b08a.exe
Size: 360KB
MD5: a2e67aff208c97035824490f1a05b08a
SHA1: 924769749166b70206ac25806efa533c6c205971
SHA256: 77f8db6c624ac83b44dc8fc517eb608b6371271bd6e83d5180e9e4554410c4a3
SHA512: 3c16c6c03e17a5427ee1bc1acce265457eb32f68c02a9027960cdbceb06000e3944e6a65c89add801ff751ca595aac35a5924a44dace91f98c8042f0a500f17a
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPzFLcfGi4f5kSdm6XrdZBurC:EagCkDDO4RkSddrPErNI5
Malware Config
Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (a2e67aff208c97035824490f1a05b08a.exe)
UAC bypass
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (a2e67aff208c97035824490f1a05b08a.exe)
Windows security bypass
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
Executes dropped EXE 3 IoCs
Processes: svchost.exe, a2e67aff208c97035824490f1a05b08a.exe, svchost.exe
pid / process:
- 4944 svchost.exe
- 4812 a2e67aff208c97035824490f1a05b08a.exe
- 4752 svchost.exe
Memory regions matching YARA rule upx
resource / yara_rule:
- behavioral2/memory/4812-139-0x0000000002370000-0x000000000342A000-memory.dmp upx
- behavioral2/memory/4812-140-0x0000000002370000-0x000000000342A000-memory.dmp upx
- behavioral2/memory/4812-142-0x0000000002370000-0x000000000342A000-memory.dmp upx
Windows security modification
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (a2e67aff208c97035824490f1a05b08a.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (a2e67aff208c97035824490f1a05b08a.exe)
Checks whether UAC is enabled
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (a2e67aff208c97035824490f1a05b08a.exe)
Drops file in Program Files directory 53 IoCs
Processes: svchost.exe
description: File opened for modification (53 executables under C:\Program Files)
Drops file in Windows directory 3 IoCs
Processes: a2e67aff208c97035824490f1a05b08a.exe, a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- File created C:\Windows\e57180c (a2e67aff208c97035824490f1a05b08a.exe)
- File opened for modification C:\Windows\SYSTEM.INI (a2e67aff208c97035824490f1a05b08a.exe)
- File created C:\Windows\svchost.exe (a2e67aff208c97035824490f1a05b08a.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: a2e67aff208c97035824490f1a05b08a.exe
pid / process:
- 4812 a2e67aff208c97035824490f1a05b08a.exe
- 4812 a2e67aff208c97035824490f1a05b08a.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: a2e67aff208c97035824490f1a05b08a.exe, svchost.exe
description / pid / process / target process:
- PID 5020 wrote to memory of 4944 / 5020 / a2e67aff208c97035824490f1a05b08a.exe / svchost.exe
- PID 5020 wrote to memory of 4944 / 5020 / a2e67aff208c97035824490f1a05b08a.exe / svchost.exe
- PID 5020 wrote to memory of 4944 / 5020 / a2e67aff208c97035824490f1a05b08a.exe / svchost.exe
- PID 4944 wrote to memory of 4812 / 4944 / svchost.exe / a2e67aff208c97035824490f1a05b08a.exe
- PID 4944 wrote to memory of 4812 / 4944 / svchost.exe / a2e67aff208c97035824490f1a05b08a.exe
- PID 4944 wrote to memory of 4812 / 4944 / svchost.exe / a2e67aff208c97035824490f1a05b08a.exe
System policy modification 1 TTPs 1 IoCs
Processes: a2e67aff208c97035824490f1a05b08a.exe
description / ioc / process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (a2e67aff208c97035824490f1a05b08a.exe)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\svchost.exe
        command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - System policy modification
[1] C:\Windows\svchost.exe
    command line: C:\Windows\svchost.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\a2e67aff208c97035824490f1a05b08a.exe
  Filesize: 324KB
  MD5: 1f280313748eafb7d1de4e0de00c7656
  SHA1: 5cda902f2fac9f061b3365c86731b9829c784583
  SHA256: 556a685cf0bef12ca545585058691d334d7576991d46cdf6195dade2510e2729
  SHA512: 31f3157e0a7896d1459bdf59bb47f65f75756a7070eac6214c71194a92013daf7c1f273f2d924c91d91efc61bd0298c1a851464a9d2d97ea27199bdd20f4c773
C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
memory/4812-135-0x0000000000000000-mapping.dmp
memory/4812-138-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/4812-139-0x0000000002370000-0x000000000342A000-memory.dmp (Filesize: 16.7MB)
memory/4812-140-0x0000000002370000-0x000000000342A000-memory.dmp (Filesize: 16.7MB)
memory/4812-141-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/4812-142-0x0000000002370000-0x000000000342A000-memory.dmp (Filesize: 16.7MB)
memory/4944-132-0x0000000000000000-mapping.dmp