Analysis

  max time kernel:   134s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         30-08-2022 19:19

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          ea61093d2cd65231daff307e424b0d33.exe
    Resource:        win7-20220812-en
General

  Target:  ea61093d2cd65231daff307e424b0d33.exe
  Size:    364KB
  MD5:     ea61093d2cd65231daff307e424b0d33
  SHA1:    8b84a6b998daef9b8118639118903b32be699edf
  SHA256:  4a2ebacf7f757a655909dc002158bcca405aa0f07d34c54b81d10b5a90c5b9b1
  SHA512:  c2b54abec62607e76341075005a2a5b3f7006e6d67f800fbf9cc47f3eaef1db8574c9a86acb03cc08d78765809a401bde8cd8c8a2115c63b8570818267906489
  SSDEEP:  6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgP70gof5kfj7+Gu1a1BurgIHU:EagCkD+lRk/usErNI5
Malware Config

  Extracted family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
    Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

UAC bypass (name as listed in the process tree; counts not shown)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (name as listed in the process tree; counts not shown)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"

Executes dropped EXE (3 IoCs)
  Processes: svchost.exe, ea61093d2cd65231daff307e424b0d33.exe, svchost.exe
    PID 4764  svchost.exe
    PID 1924  ea61093d2cd65231daff307e424b0d33.exe
    PID 4424  svchost.exe

YARA rule match: upx
  resource                                                                      yara_rule
    behavioral2/memory/1924-139-0x00000000023A0000-0x000000000345A000-memory.dmp  upx
    behavioral2/memory/1924-140-0x00000000023A0000-0x000000000345A000-memory.dmp  upx
    behavioral2/memory/1924-142-0x00000000023A0000-0x000000000345A000-memory.dmp  upx

Windows security modification (name as listed in the process tree; counts not shown)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled (name as listed in the process tree; counts not shown)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Drops file in Program Files directory (26 IoCs)
  Process: svchost.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    File opened for modification  C:\Program Files\7-Zip\7z.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
    File opened for modification  C:\Program Files\InstallOptimize.exe
    File opened for modification  C:\Program Files\7-Zip\Uninstall.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
    File opened for modification  C:\Program Files\7-Zip\7zFM.exe
    File opened for modification  C:\Program Files\7-Zip\7zG.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
    File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
    File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
    File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe

Drops file in Windows directory (2 IoCs)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    File created  C:\Windows\svchost.exe
    File created  C:\Windows\e56fbd9

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: ea61093d2cd65231daff307e424b0d33.exe, svchost.exe
    PID 1256 (ea61093d2cd65231daff307e424b0d33.exe) wrote to memory of PID 4764 (svchost.exe)
    PID 1256 (ea61093d2cd65231daff307e424b0d33.exe) wrote to memory of PID 4764 (svchost.exe)
    PID 1256 (ea61093d2cd65231daff307e424b0d33.exe) wrote to memory of PID 4764 (svchost.exe)
    PID 4764 (svchost.exe) wrote to memory of PID 1924 (ea61093d2cd65231daff307e424b0d33.exe)
    PID 4764 (svchost.exe) wrote to memory of PID 1924 (ea61093d2cd65231daff307e424b0d33.exe)
    PID 4764 (svchost.exe) wrote to memory of PID 1924 (ea61093d2cd65231daff307e424b0d33.exe)

System policy modification (1 TTPs, 1 IoCs)
  Process: ea61093d2cd65231daff307e424b0d33.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\svchost.exe
          Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          [3] C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe"
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Drops file in Windows directory
              - System policy modification

  [1] C:\Windows\svchost.exe
      Command line: C:\Windows\svchost.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\ea61093d2cd65231daff307e424b0d33.exe
    Filesize:  328KB
    MD5:       f56a99fc297dd0c9a57d77d6e547a5d8
    SHA1:      69a6bfddfbc61225defac0313969f6211505d5a0
    SHA256:    e1cc54a14ac35248998f6d28b2c87be88c217dbe833d30702fa9196a6b73098b
    SHA512:    03a965a34060964bf425b30242e4d86593d8ff60df1284d8e782ee432b0c0c2818cd34c0fbd8633ae680a30c730bbc4fb3c057a70ec45ad6596a8c86746436ee

  C:\Windows\svchost.exe (listed three times in the report; all three entries identical)
    Filesize:  35KB
    MD5:       83b4da0c5e91e676c355a34ad0fe73da
    SHA1:      09322303503ed0a70613110ca72e1bc790348882
    SHA256:    5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
    SHA512:    20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
  Memory dumps
    memory/1924-135-0x0000000000000000-mapping.dmp
    memory/1924-138-0x0000000000400000-0x0000000000453000-memory.dmp   Filesize: 332KB
    memory/1924-139-0x00000000023A0000-0x000000000345A000-memory.dmp   Filesize: 16.7MB
    memory/1924-140-0x00000000023A0000-0x000000000345A000-memory.dmp   Filesize: 16.7MB
    memory/1924-141-0x0000000000400000-0x0000000000453000-memory.dmp   Filesize: 332KB
    memory/1924-142-0x00000000023A0000-0x000000000345A000-memory.dmp   Filesize: 16.7MB
    memory/4764-132-0x0000000000000000-mapping.dmp