Analysis
-
max time kernel
44s
-
max time network
48s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
-
submitted
30-08-2022 19:17
Static task
static1
Behavioral task
behavioral1
Sample
97f18f170a32e222fe8780ba0b688459.exe
Resource
win7-20220812-en
General
-
Target
97f18f170a32e222fe8780ba0b688459.exe
-
Size
364KB
-
MD5
97f18f170a32e222fe8780ba0b688459
-
SHA1
c922152ce36c876d51f9d23c911492464388c91d
-
SHA256
7f71e0c5c8d731a85f617fad6347376a7a3793133da4ca4d3f1080e8ccb8a243
-
SHA512
7e4645fc4fa0e1e85fcd01e789ff22c3e4543c32347a5c69652c741b669e2ea804f71386c3d0220cf6f3c9717894659a8b9c18f842e10cc2837ef7f921cdf7c8
-
SSDEEP
6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPHOsprSR3f5kiJ0+jNKmYrBi:EagCkDJprmRka0LDrEr8I5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 97f18f170a32e222fe8780ba0b688459.exe
-
UAC bypass
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 97f18f170a32e222fe8780ba0b688459.exe
-
Windows security bypass
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 97f18f170a32e222fe8780ba0b688459.exe
-
Executes dropped EXE 3 IoCs
Processes: svchost.exe, 97f18f170a32e222fe8780ba0b688459.exe, svchost.exe
pid | process
1944 | svchost.exe
1684 | 97f18f170a32e222fe8780ba0b688459.exe
836 | svchost.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1684-63-0x0000000001DB0000-0x0000000002E6A000-memory.dmp | upx
behavioral1/memory/1684-66-0x0000000001DB0000-0x0000000002E6A000-memory.dmp | upx
-
Loads dropped DLL 1 IoCs
Processes: svchost.exe
pid | process
1944 | svchost.exe
-
Windows security modification
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 97f18f170a32e222fe8780ba0b688459.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 97f18f170a32e222fe8780ba0b688459.exe
-
Checks whether UAC is enabled
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 97f18f170a32e222fe8780ba0b688459.exe
-
Drops file in Windows directory 3 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe, 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
File created | C:\Windows\6c388f | 97f18f170a32e222fe8780ba0b688459.exe
File opened for modification | C:\Windows\SYSTEM.INI | 97f18f170a32e222fe8780ba0b688459.exe
File created | C:\Windows\svchost.exe | 97f18f170a32e222fe8780ba0b688459.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe
pid | process
1684 | 97f18f170a32e222fe8780ba0b688459.exe
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | pid | process
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
Token: SeDebugPrivilege | 1684 | 97f18f170a32e222fe8780ba0b688459.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe, svchost.exe, 97f18f170a32e222fe8780ba0b688459.exe
description | pid | process | target process
PID 1816 wrote to memory of 1944 | 1816 | 97f18f170a32e222fe8780ba0b688459.exe | svchost.exe
PID 1816 wrote to memory of 1944 | 1816 | 97f18f170a32e222fe8780ba0b688459.exe | svchost.exe
PID 1816 wrote to memory of 1944 | 1816 | 97f18f170a32e222fe8780ba0b688459.exe | svchost.exe
PID 1816 wrote to memory of 1944 | 1816 | 97f18f170a32e222fe8780ba0b688459.exe | svchost.exe
PID 1944 wrote to memory of 1684 | 1944 | svchost.exe | 97f18f170a32e222fe8780ba0b688459.exe
PID 1944 wrote to memory of 1684 | 1944 | svchost.exe | 97f18f170a32e222fe8780ba0b688459.exe
PID 1944 wrote to memory of 1684 | 1944 | svchost.exe | 97f18f170a32e222fe8780ba0b688459.exe
PID 1944 wrote to memory of 1684 | 1944 | svchost.exe | 97f18f170a32e222fe8780ba0b688459.exe
PID 1684 wrote to memory of 1196 | 1684 | 97f18f170a32e222fe8780ba0b688459.exe | taskhost.exe
PID 1684 wrote to memory of 1300 | 1684 | 97f18f170a32e222fe8780ba0b688459.exe | Dwm.exe
PID 1684 wrote to memory of 1404 | 1684 | 97f18f170a32e222fe8780ba0b688459.exe | Explorer.EXE
-
System policy modification 1 TTPs 1 IoCs
Processes: 97f18f170a32e222fe8780ba0b688459.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 97f18f170a32e222fe8780ba0b688459.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe"
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe
Filesize
328KB
MD5
c5e17bf77e4a88c2cfe5a6395523dc29
SHA1
09ca0f89d0879f3c2e62e24d012d23702eff2954
SHA256
ebd0bc67e224215594a1589c3cd07a08a7df7f36eb95b14eb0fe0009aed8a9b8
SHA512
bdd155325db6929bd6fa30fa32c17b614a5b1d9c0d5b7c53a8d7011800760fa795cc2669ad984aff04e078a156e91a679b87c28d7c741f053da39a28a8383911
-
C:\Windows\svchost.exe
Filesize
35KB
MD5
83b4da0c5e91e676c355a34ad0fe73da
SHA1
09322303503ed0a70613110ca72e1bc790348882
SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
\Users\Admin\AppData\Local\Temp\97f18f170a32e222fe8780ba0b688459.exe
Filesize
328KB
MD5
c5e17bf77e4a88c2cfe5a6395523dc29
SHA1
09ca0f89d0879f3c2e62e24d012d23702eff2954
SHA256
ebd0bc67e224215594a1589c3cd07a08a7df7f36eb95b14eb0fe0009aed8a9b8
SHA512
bdd155325db6929bd6fa30fa32c17b614a5b1d9c0d5b7c53a8d7011800760fa795cc2669ad984aff04e078a156e91a679b87c28d7c741f053da39a28a8383911
-
memory/1684-60-0x0000000075FA1000-0x0000000075FA3000-memory.dmp
Filesize
8KB
-
memory/1684-62-0x0000000000400000-0x0000000000453000-memory.dmp
Filesize
332KB
-
memory/1684-63-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
Filesize
16.7MB
-
memory/1684-65-0x0000000000400000-0x0000000000453000-memory.dmp
Filesize
332KB
-
memory/1684-58-0x0000000000000000-mapping.dmp
-
memory/1684-66-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
Filesize
16.7MB
-
memory/1944-54-0x0000000000000000-mapping.dmp
-
memory/1944-61-0x0000000000120000-0x0000000000173000-memory.dmp
Filesize
332KB