Analysis
- max time kernel: 46s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-08-2022 19:19

Static task: static1
Behavioral task: behavioral1
Sample: 30fc94fb1f9ab5273746539d316d3399.exe
Resource: win7-20220812-en

General
- Target: 30fc94fb1f9ab5273746539d316d3399.exe
- Size: 356KB
- MD5: 30fc94fb1f9ab5273746539d316d3399
- SHA1: 031d36dcf4f7fa777cbeda2e13a538c97c075e11
- SHA256: a40394e67969d92cf910879064a5d01b9da9015425462db4f057428680dc3e86
- SHA512: 3ec6cb6bbd336aaad943e4c005b0783d1784e7a8ab660a12a1c4cbb17b9bcfc5c60afb94324c401f4d7b0deb8fd00294a261a8d8e303a1347cac0e7374958325
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPS/AOrf5k0pm+6GX3BurgI3U:EagCkDWAOrRk0IS3ErZI5
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 30fc94fb1f9ab5273746539d316d3399.exe

UAC bypass 1 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 30fc94fb1f9ab5273746539d316d3399.exe

Windows security bypass 6 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe

Executes dropped EXE 3 IoCs
Processes: svchost.exe, 30fc94fb1f9ab5273746539d316d3399.exe, svchost.exe
pid | process
1992 | svchost.exe
1028 | 30fc94fb1f9ab5273746539d316d3399.exe
1764 | svchost.exe

UPX packed file 3 IoCs
resource | yara_rule
behavioral1/memory/1028-61-0x0000000001DF0000-0x0000000002EAA000-memory.dmp | upx
behavioral1/memory/1028-64-0x0000000001DF0000-0x0000000002EAA000-memory.dmp | upx
behavioral1/memory/1028-68-0x0000000001DF0000-0x0000000002EAA000-memory.dmp | upx

Loads dropped DLL 1 IoCs
Processes: svchost.exe
pid | process
1992 | svchost.exe

Windows security modification 7 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 30fc94fb1f9ab5273746539d316d3399.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 30fc94fb1f9ab5273746539d316d3399.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 30fc94fb1f9ab5273746539d316d3399.exe

Checks whether UAC is enabled 1 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 30fc94fb1f9ab5273746539d316d3399.exe

Drops file in Windows directory 3 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe, 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
File created | C:\Windows\6c0ee0 | 30fc94fb1f9ab5273746539d316d3399.exe
File opened for modification | C:\Windows\SYSTEM.INI | 30fc94fb1f9ab5273746539d316d3399.exe
File created | C:\Windows\svchost.exe | 30fc94fb1f9ab5273746539d316d3399.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
pid | process
1028 | 30fc94fb1f9ab5273746539d316d3399.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | pid | process
Token: SeDebugPrivilege | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe (this entry appears 20 times in the report)

Suspicious use of WriteProcessMemory 13 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe, svchost.exe, 30fc94fb1f9ab5273746539d316d3399.exe
description | pid | process | target process
PID 1740 wrote to memory of 1992 | 1740 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe
PID 1740 wrote to memory of 1992 | 1740 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe
PID 1740 wrote to memory of 1992 | 1740 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe
PID 1740 wrote to memory of 1992 | 1740 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe
PID 1992 wrote to memory of 1028 | 1992 | svchost.exe | 30fc94fb1f9ab5273746539d316d3399.exe
PID 1992 wrote to memory of 1028 | 1992 | svchost.exe | 30fc94fb1f9ab5273746539d316d3399.exe
PID 1992 wrote to memory of 1028 | 1992 | svchost.exe | 30fc94fb1f9ab5273746539d316d3399.exe
PID 1992 wrote to memory of 1028 | 1992 | svchost.exe | 30fc94fb1f9ab5273746539d316d3399.exe
PID 1028 wrote to memory of 1128 | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe | taskhost.exe
PID 1028 wrote to memory of 1172 | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe | Dwm.exe
PID 1028 wrote to memory of 1196 | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe | Explorer.EXE
PID 1028 wrote to memory of 1992 | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe
PID 1028 wrote to memory of 1992 | 1028 | 30fc94fb1f9ab5273746539d316d3399.exe | svchost.exe

System policy modification 1 TTPs 1 IoCs
Processes: 30fc94fb1f9ab5273746539d316d3399.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 30fc94fb1f9ab5273746539d316d3399.exe
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe
  Filesize: 320KB
  MD5: 60ada1df2c87416d0a537c525a92168b
  SHA1: d6d08774706aafddcbe4d0497f6a64a33029f958
  SHA256: 6dc79aa4a8c2edefef23e7baca0ec75e4dc9ecc6a69223aa5413cfbda973380b
  SHA512: ba59e9cbad1dcc4661004da170610298098df1d69803bcde45200cebdc004cea0fcd4ffa6c48318aeaae85602d1f1d62fd2dc1cb5c78c470d6d90eae2cd290b8
- C:\Windows\svchost.exe (listed three times in the report with identical hashes)
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
- \Users\Admin\AppData\Local\Temp\30fc94fb1f9ab5273746539d316d3399.exe
  Filesize: 320KB
  MD5: 60ada1df2c87416d0a537c525a92168b
  SHA1: d6d08774706aafddcbe4d0497f6a64a33029f958
  SHA256: 6dc79aa4a8c2edefef23e7baca0ec75e4dc9ecc6a69223aa5413cfbda973380b
  SHA512: ba59e9cbad1dcc4661004da170610298098df1d69803bcde45200cebdc004cea0fcd4ffa6c48318aeaae85602d1f1d62fd2dc1cb5c78c470d6d90eae2cd290b8
- memory/1028-60-0x0000000075481000-0x0000000075483000-memory.dmp
  Filesize: 8KB
- memory/1028-61-0x0000000001DF0000-0x0000000002EAA000-memory.dmp
  Filesize: 16.7MB
- memory/1028-63-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/1028-64-0x0000000001DF0000-0x0000000002EAA000-memory.dmp
  Filesize: 16.7MB
- memory/1028-65-0x0000000000400000-0x0000000000451000-memory.dmp
  Filesize: 324KB
- memory/1028-58-0x0000000000000000-mapping.dmp
- memory/1028-68-0x0000000001DF0000-0x0000000002EAA000-memory.dmp
  Filesize: 16.7MB
- memory/1028-67-0x00000000003F0000-0x00000000003F2000-memory.dmp
  Filesize: 8KB
- memory/1992-54-0x0000000000000000-mapping.dmp
- memory/1992-62-0x00000000003A0000-0x00000000003F1000-memory.dmp
  Filesize: 324KB