Analysis
- max time kernel: 44s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-08-2022 19:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Resource: win7-20220812-en
General
- Target: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Size: 360KB
- MD5: 1d8c70fa002a4e437ec4f8150d466e9c
- SHA1: d0b66be8a701c1cc4e1c0ac5126a1c6f4b81d0ea
- SHA256: 005723b349a3f97cded2935a289fff7f58e6d417ecc9772f865a89939a79d45f
- SHA512: 051220b4f56d103e56d484e68a92b68cdd5611a5226a5be8c2e521630874be04234cf02c2af6e636f03d5b78286e5ef9c5dd131cf8d9ba3e369f4105fe194f09
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPf9X8wVQTf5kkVHAauBurgIC:EagCkDDVQTRkkHwErPI5
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

UAC bypass (signature name not preserved in the page; inferred from its position in the process tree below)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

Windows security bypass (signature name not preserved in the page; inferred from its position in the process tree below)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

Executes dropped EXE (3 IoCs)
Processes: svchost.exe, 1d8c70fa002a4e437ec4f8150d466e9c.exe, svchost.exe
- pid 1980: svchost.exe
- pid 916: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- pid 1380: svchost.exe

YARA rule match: upx
- behavioral1/memory/916-61-0x0000000001DB0000-0x0000000002E6A000-memory.dmp (rule: upx)
- behavioral1/memory/916-65-0x0000000001DB0000-0x0000000002E6A000-memory.dmp (rule: upx)

Loads dropped DLL (1 IoC)
Processes: svchost.exe
- pid 1980: svchost.exe

Windows security modification (signature name not preserved in the page; inferred from its position in the process tree below)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

Checks whether UAC is enabled (signature name not preserved in the page; inferred from its position in the process tree below)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

Drops file in Windows directory (3 IoCs)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe, 1d8c70fa002a4e437ec4f8150d466e9c.exe
- File created: C:\Windows\svchost.exe (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- File created: C:\Windows\6bfdd0 (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- pid 916: 1d8c70fa002a4e437ec4f8150d466e9c.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Token: SeDebugPrivilege, pid 916, 1d8c70fa002a4e437ec4f8150d466e9c.exe (21 identical entries)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe, svchost.exe, 1d8c70fa002a4e437ec4f8150d466e9c.exe
- PID 2004 wrote to memory of 1980: 1d8c70fa002a4e437ec4f8150d466e9c.exe -> svchost.exe (4 identical entries)
- PID 1980 wrote to memory of 916: svchost.exe -> 1d8c70fa002a4e437ec4f8150d466e9c.exe (4 identical entries)
- PID 916 wrote to memory of 1192: 1d8c70fa002a4e437ec4f8150d466e9c.exe -> taskhost.exe
- PID 916 wrote to memory of 1220: 1d8c70fa002a4e437ec4f8150d466e9c.exe -> Dwm.exe
- PID 916 wrote to memory of 1284: 1d8c70fa002a4e437ec4f8150d466e9c.exe -> Explorer.EXE
- PID 916 wrote to memory of 1980: 1d8c70fa002a4e437ec4f8150d466e9c.exe -> svchost.exe (2 identical entries)

System policy modification (1 TTP, 1 IoC)
Processes: 1d8c70fa002a4e437ec4f8150d466e9c.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 1d8c70fa002a4e437ec4f8150d466e9c.exe)
Processes (tree; child processes are indented under their parent)

- C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
Downloads

- C:\Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe
  Filesize: 324KB
  MD5: 27907c761fb34a993f609f40dcbf3b53
  SHA1: fb52a31a3bf07bea60582599fb6e6c3150a9a5e1
  SHA256: fdd813daea45ae72f83b8d6eff069e0b686597d9026eb5625d99913229d3fe6b
  SHA512: 8a18bbc844ebba84c190216d3db7c07b1a90a5a24062b69e5a79681844a2e611ae40b1b0abb3aded31964172e55ca06ce3ed905cbcd3c1174fe7934c69a78ec9

- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

- \Users\Admin\AppData\Local\Temp\1d8c70fa002a4e437ec4f8150d466e9c.exe
  Filesize: 324KB
  MD5: 27907c761fb34a993f609f40dcbf3b53
  SHA1: fb52a31a3bf07bea60582599fb6e6c3150a9a5e1
  SHA256: fdd813daea45ae72f83b8d6eff069e0b686597d9026eb5625d99913229d3fe6b
  SHA512: 8a18bbc844ebba84c190216d3db7c07b1a90a5a24062b69e5a79681844a2e611ae40b1b0abb3aded31964172e55ca06ce3ed905cbcd3c1174fe7934c69a78ec9

Memory dumps
- memory/916-60-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize: 8KB)
- memory/916-58-0x0000000000000000-mapping.dmp
- memory/916-61-0x0000000001DB0000-0x0000000002E6A000-memory.dmp (Filesize: 16.7MB)
- memory/916-64-0x00000000003F0000-0x00000000003F2000-memory.dmp (Filesize: 8KB)
- memory/916-63-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/916-65-0x0000000001DB0000-0x0000000002E6A000-memory.dmp (Filesize: 16.7MB)
- memory/916-66-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1980-54-0x0000000000000000-mapping.dmp