Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-08-2022 19:20
Static task: static1
Behavioral task: behavioral1
Sample: fe150e03e7787a979bc940cc2d1ea137.exe
Resource: win7-20220812-en
General
- Target: fe150e03e7787a979bc940cc2d1ea137.exe
- Size: 364KB
- MD5: fe150e03e7787a979bc940cc2d1ea137
- SHA1: 94be16a3996bc2e211356ded423e4aeb6c8c66d5
- SHA256: b64b20967c8e765ca3dca96d68758d94ac521008944e73b8e4f077fa3cbb395b
- SHA512: 6b8501d1b9312ac4d2ea3fc8842688f117b25a559038d0256d03910193b992c42350375d05dbba0dd6a673d31ad5428d3c7635e6b50773b56d633e88c4a7b827
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPMpnoRnLaWJYhCf5kycWqIxJ:EagCkDC2nLYkRkipxErZI5
Malware Config
Extracted
- Family: sality
- URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- UAC bypass (1 IoC)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass (6 IoCs)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Executes dropped EXE (3 IoCs)
  PID 1852 svchost.exe
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe
  PID 1476 svchost.exe
- Yara rule match: upx (3 IoCs)
  behavioral1/memory/1348-61-0x0000000001DA0000-0x0000000002E5A000-memory.dmp
  behavioral1/memory/1348-65-0x0000000001DA0000-0x0000000002E5A000-memory.dmp
  behavioral1/memory/1348-68-0x0000000001DA0000-0x0000000002E5A000-memory.dmp
- Loads dropped DLL (1 IoC)
  PID 1852 svchost.exe
- Windows security modification (7 IoCs)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Checks whether UAC is enabled (1 IoC)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Drops file in Windows directory (3 IoCs)
  Processes: fe150e03e7787a979bc940cc2d1ea137.exe (both instances)
  File created C:\Windows\svchost.exe
  File created C:\Windows\6c53fb
  File opened for modification C:\Windows\SYSTEM.INI
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege, PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe (20 occurrences)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1424 fe150e03e7787a979bc940cc2d1ea137.exe wrote to memory of PID 1852 svchost.exe (4 writes)
  PID 1852 svchost.exe wrote to memory of PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe (4 writes)
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe wrote to memory of PID 1148 taskhost.exe
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe wrote to memory of PID 1224 Dwm.exe
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe wrote to memory of PID 1260 Explorer.EXE
  PID 1348 fe150e03e7787a979bc940cc2d1ea137.exe wrote to memory of PID 1852 svchost.exe (2 writes)
- System policy modification (1 TTP, 1 IoC)
  Process: fe150e03e7787a979bc940cc2d1ea137.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
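The registry writes, dropped svchost.exe, C2 URLs and cross-process writes listed in the Signatures and Malware Config sections are the indicators a defender would actually hunt for. The Python below is an added example, not part of the Triage report or of the sample: it turns those indicators into matching rules and runs them over event records in a Sysmon-like shape (type, image, target, details). The event records in SAMPLE_EVENTS are constructed for the example and are not sandbox data; the assumption that a DWORD arrives as "DWORD (0x00000001)" follows Sysmon Event ID 13 formatting.

```python
"""Offline matching of the Sality indicators recorded in this report.

Added example, not part of the Triage report or of the sample itself: the
registry values, file paths, C2 hosts and injection targets are copied from
the Signatures and Malware Config sections; the event records in
SAMPLE_EVENTS are constructed to exercise the rules and are not sandbox data.
"""
import re
from urllib.parse import urlsplit

# Registry values the sample wrote, in HKLM form. normalize_key() folds the
# kernel \REGISTRY\MACHINE prefix, the ControlSetNNN alias and the
# Wow6432Node redirection onto this spelling so Sysmon/EDR telemetry matches.
REGISTRY_INDICATORS = {
    r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall": 0,
    r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions": 0,
    r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications": 1,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify": 1,
    r"HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify": 1,
}
# Hosts from the extracted Sality config.
C2_HOSTS = {"89.119.67.154", "kukutrustnet777.info",
            "kukutrustnet888.info", "kukutrustnet987.info"}
# System processes the sample wrote into (WriteProcessMemory signature).
INJECTION_TARGETS = {"explorer.exe", "taskhost.exe", "dwm.exe"}

_HIVE = re.compile(r"^(?:\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE|HKLM)\\", re.I)
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.I)
_WOW64 = re.compile(r"\\Wow6432Node\\", re.I)
_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.I)


def normalize_key(path):
    """Canonical lower-case HKLM\\... form of a registry value path."""
    p = _HIVE.sub(r"HKLM\\", path)
    p = _CONTROLSET.sub(r"\\CurrentControlSet\\", p)
    p = _WOW64.sub(r"\\", p)
    return p.lower()


_RULES = {normalize_key(k): v for k, v in REGISTRY_INDICATORS.items()}


def parse_dword(details):
    """Sysmon reports DWORDs as 'DWORD (0x00000001)'; also accept a plain integer string."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    try:
        return int(details, 0)
    except ValueError:
        return None  # e.g. 'Binary Data', not comparable


def check_event(ev):
    """Return finding strings for one event dict with keys type, image, target (+ details)."""
    kind, image, target = ev["type"], ev["image"], ev["target"]
    findings = []
    if kind == "registry_set":
        key = normalize_key(target)
        if key in _RULES and parse_dword(ev.get("details", "")) == _RULES[key]:
            findings.append(f"security-disabling registry write {target} = {ev.get('details')} by {image}")
    elif kind == "file":
        low = target.lower()
        # The real svchost.exe lives in System32/SysWOW64; the sample dropped one at C:\Windows\svchost.exe.
        if low.endswith("\\svchost.exe") and not re.search(r"\\windows\\(system32|syswow64)\\svchost\.exe$", low):
            findings.append(f"svchost.exe outside System32: {target} by {image}")
        elif low.endswith("\\windows\\system.ini"):
            findings.append(f"SYSTEM.INI modified by {image}")
    elif kind == "network":
        host = (urlsplit(target).hostname or "").lower()
        if host in C2_HOSTS:
            findings.append(f"Sality config/C2 contact {target} by {image}")
    elif kind == "process_access":
        if target.rsplit("\\", 1)[-1].lower() in INJECTION_TARGETS and image.lower() != target.lower():
            findings.append(f"cross-process write into {target} by {image}")
    return findings


def scan(events):
    """Run check_event over an iterable of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe"
# Constructed events (not from the sandbox run), modelled on the report's IoCs,
# plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": SAMPLE, "details": "DWORD (0x00000000)",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"type": "registry_set", "image": SAMPLE, "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"type": "registry_set", "image": r"C:\Windows\System32\svchost.exe", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},  # benign: UAC left on
    {"type": "file", "image": SAMPLE, "target": r"C:\Windows\svchost.exe"},
    {"type": "file", "image": r"C:\Windows\System32\services.exe", "target": r"C:\Windows\System32\svchost.exe"},  # benign
    {"type": "network", "image": r"C:\Windows\svchost.exe", "target": "http://kukutrustnet777.info/home.gif"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "target": "http://example.com/"},  # benign
    {"type": "process_access", "image": SAMPLE, "target": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The normaliser matters more than it looks: the sandbox recorded the writes under ControlSet001 and Wow6432Node because the 32-bit sample ran on a 64-bit Windows 7 image, while a live host's telemetry will usually report CurrentControlSet and the un-redirected Security Center path. The EnableLUA and SharedAccess rules on their own also fire on some legitimate administration tooling, so treat them as one signal among the set rather than as a verdict; the svchost.exe-outside-System32 and C2-host rules are the higher-confidence ones here.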
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 1260)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe (depth 2, PID 1424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe (depth 3, PID 1852)
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe (depth 4, PID 1348)
        Command line: "C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\Dwm.exe (depth 1, PID 1224)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (depth 1, PID 1148)
  Command line: "taskhost.exe"
- C:\Windows\svchost.exe (depth 1, PID 1476)
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe
  Filesize: 328KB
  MD5: 3833b32134de2c71e72078f52ac55a53
  SHA1: 2849e619e1dde0bdca743f357646d5d59a967cb3
  SHA256: b0e58430e06c80fcaadf844e26e990ebed820a92c5487377763568d4db62eef6
  SHA512: ea47784f1e8f661304f6d6f712fb60b8ce559fb5f3cadb54870f437cf2c42bdb64e44b636e15024603d41eceee538d26ea87081a78c5c1cfcd783d3e29f44977
- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
- \Users\Admin\AppData\Local\Temp\fe150e03e7787a979bc940cc2d1ea137.exe
  Filesize: 328KB
  MD5: 3833b32134de2c71e72078f52ac55a53
  SHA1: 2849e619e1dde0bdca743f357646d5d59a967cb3
  SHA256: b0e58430e06c80fcaadf844e26e990ebed820a92c5487377763568d4db62eef6
  SHA512: ea47784f1e8f661304f6d6f712fb60b8ce559fb5f3cadb54870f437cf2c42bdb64e44b636e15024603d41eceee538d26ea87081a78c5c1cfcd783d3e29f44977
- memory/1348-60-0x0000000076151000-0x0000000076153000-memory.dmp (8KB)
- memory/1348-61-0x0000000001DA0000-0x0000000002E5A000-memory.dmp (16.7MB)
- memory/1348-63-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
- memory/1348-65-0x0000000001DA0000-0x0000000002E5A000-memory.dmp (16.7MB)
- memory/1348-58-0x0000000000000000-mapping.dmp
- memory/1348-66-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
- memory/1348-67-0x0000000000320000-0x0000000000322000-memory.dmp (8KB)
- memory/1348-68-0x0000000001DA0000-0x0000000002E5A000-memory.dmp (16.7MB)
- memory/1852-54-0x0000000000000000-mapping.dmp
- memory/1852-62-0x00000000002A0000-0x00000000002F3000-memory.dmp (332KB)