Analysis

max time kernel: 28s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2022 19:17

Static task: static1
Behavioral task: behavioral1
Sample: 19518d76155fb5fe8ea0606827cf741c.exe
Resource: win7-20220812-en
General

Target: 19518d76155fb5fe8ea0606827cf741c.exe
Size: 364KB
MD5: 19518d76155fb5fe8ea0606827cf741c
SHA1: 7e01f8fa4ed081ee15af86015ea18c969be989d0
SHA256: 01907045935d069b48d2707a6cf467f0d9d3c1b6bf2e4f7a83f1e83dad3c5490
SHA512: 8c36d41435100f1c7153555ab2a30da3aa6a8174d385e7e8d6cb1b72b23343e00db8f12e54ef9891fe01eaafc5a70598f667afb561e0e4a172e717608ecb4764
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgP8sw8f5kKk9hBurgIh7wrYs5:EagCkDGB8RkK6hErfI5
Malware Config

Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

- UAC bypass
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

- Windows security bypass
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"

- Executes dropped EXE (3 IoCs)
  - PID 2008 svchost.exe
  - PID 1972 19518d76155fb5fe8ea0606827cf741c.exe
  - PID 1364 svchost.exe

- UPX packed file (yara rule "upx", 2 IoCs)
  - behavioral1/memory/1972-61-0x0000000001DE0000-0x0000000002E9A000-memory.dmp
  - behavioral1/memory/1972-65-0x0000000001DE0000-0x0000000002E9A000-memory.dmp

- Loads dropped DLL (1 IoC)
  - PID 2008 svchost.exe

- Windows security modification
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

- Checks whether UAC is enabled
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

- Drops file in Windows directory (2 IoCs)
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - File created C:\Windows\svchost.exe
  - File created C:\Windows\6c30c2

- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1932 (19518d76155fb5fe8ea0606827cf741c.exe) wrote to memory of PID 2008 (svchost.exe), 4 events
  - PID 2008 (svchost.exe) wrote to memory of PID 1972 (19518d76155fb5fe8ea0606827cf741c.exe), 4 events

- System policy modification (1 TTP, 1 IoC)
  Process 19518d76155fb5fe8ea0606827cf741c.exe:
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
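The registry writes above are the useful detection surface: no single one is malicious on its own (an admin can set EnableLUA=0 by hand), but one process hitting the firewall policy, the UAC policy and the Security Center override values together is the Sality pattern. The following is an added example, not part of the sandbox report, that turns those IoCs into a per-process detector over Sysmon-style RegistryEvent (Event ID 13) records. The pipe-separated `key=value` line format, the field names and every line in `SAMPLE_LOG` are constructed for this example; the IoC paths and values are the ones listed above.

```python
"""Detect the Sality-style security-bypass registry cluster seen in this run.

Added example, not part of the sandbox report. Input is a list of Sysmon-like
Event ID 13 (RegistryEvent SetValue) records as pipe-separated key=value lines;
the SAMPLE_LOG lines are constructed for this example and mirror the IoCs
listed under Signatures above.
"""
import re
from collections import defaultdict

# Normalised HKLM-relative value path -> (value Sality writes, category).
SALITY_REG_IOCS = {
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall": (0, "firewall"),
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\donotallowexceptions": (0, "firewall"),
    r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications": (1, "firewall"),
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": (0, "uac"),
    r"hklm\software\microsoft\security center\antivirusoverride": (1, "security_center"),
    r"hklm\software\microsoft\security center\antivirusdisablenotify": (1, "security_center"),
    r"hklm\software\microsoft\security center\firewalldisablenotify": (1, "security_center"),
    r"hklm\software\microsoft\security center\firewalloverride": (1, "security_center"),
    r"hklm\software\microsoft\security center\updatesdisablenotify": (1, "security_center"),
    r"hklm\software\microsoft\security center\uacdisablenotify": (1, "security_center"),
}


def normalize_key(path: str) -> str:
    """Fold the spellings seen in sandbox output and Sysmon into one form:
    \\REGISTRY\\MACHINE and HKEY_LOCAL_MACHINE -> hklm, ControlSetNNN ->
    CurrentControlSet, and the Wow6432Node redirection removed."""
    p = path.strip().lower().replace("/", "\\")
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
    p = re.sub(r"\\controlset\d{3}\\", lambda m: "\\currentcontrolset\\", p)
    return p.replace("\\wow6432node\\", "\\")


def parse_dword(details: str):
    """Accept Sysmon's 'DWORD (0x00000000)' form or a bare/quoted integer."""
    m = re.search(r"dword\s*\(0x([0-9a-f]+)\)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'"?(\d+)"?', details.strip())
    return int(m.group(1)) if m else None


def parse_event(line: str) -> dict:
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def analyze(lines, min_categories=2):
    """Group matching SetValue events per process; report processes that hit
    at least min_categories of {firewall, uac, security_center}. A single
    EnableLUA=0 from an admin tool is noise; all three from one PID is Sality."""
    per_proc = defaultdict(lambda: {"image": None, "hits": [], "categories": set()})
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        ioc = SALITY_REG_IOCS.get(normalize_key(ev["TargetObject"]))
        if ioc is None:
            continue
        expected, category = ioc
        if parse_dword(ev.get("Details", "")) != expected:
            continue  # e.g. a hardening script writing EnableFirewall=1
        rec = per_proc[ev["ProcessId"]]
        rec["image"] = ev.get("Image")
        rec["hits"].append(ev["TargetObject"].rsplit("\\", 1)[-1])
        rec["categories"].add(category)
    return {pid: rec for pid, rec in per_proc.items()
            if len(rec["categories"]) >= min_categories}


SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe"
FW = r"HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center"


def _ev(pid, image, target, dword):
    return (f"EventID=13|ProcessId={pid}|Image={image}|TargetObject={target}"
            f"|Details=DWORD (0x{dword:08x})")


# Constructed log: PID 1972 replays the report's IoCs; the rest is benign noise.
SAMPLE_LOG = [
    _ev(1972, SAMPLE_IMAGE, FW + r"\EnableFirewall", 0),
    _ev(1972, SAMPLE_IMAGE, FW + r"\DoNotAllowExceptions", 0),
    _ev(1972, SAMPLE_IMAGE, FW + r"\DisableNotifications", 1),
    _ev(1972, SAMPLE_IMAGE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0),
] + [_ev(1972, SAMPLE_IMAGE, SC + "\\" + v, 1) for v in (
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
    "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")] + [
    # services host re-enabling the firewall: right key, wrong value -> ignored
    _ev(880, r"C:\Windows\System32\svchost.exe", FW + r"\EnableFirewall", 1),
    # an admin disabling UAC by hand: one category only -> below threshold
    _ev(2400, r"C:\Windows\regedit.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0),
    _ev(1500, r"C:\Windows\explorer.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 1),
]

if __name__ == "__main__":
    for pid, rec in analyze(SAMPLE_LOG).items():
        print(pid, rec["image"], sorted(rec["categories"]), len(rec["hits"]), "IoCs")
```

The normalisation step matters in practice: the sandbox reports paths as `\REGISTRY\MACHINE\SYSTEM\ControlSet001\...`, Sysmon logs them as `HKLM\System\CurrentControlSet\...`, and on 64-bit hosts a 32-bit process writes through `Wow6432Node`; a rule matched on the raw string misses two of the three. Value checking is equally important, since the same keys are written with the opposite values by hardening scripts and Group Policy.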
Processes

- C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe (PID 1932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\svchost.exe (PID 2008)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    Child:
    - C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe (PID 1972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe"
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

- C:\Windows\svchost.exe (PID 1364)
  Command line: C:\Windows\svchost.exe
  Signatures:
  - Executes dropped EXE
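Two things in this tree are worth encoding as detections: a file named svchost.exe running from C:\Windows rather than C:\Windows\System32, and the re-execution loop in which the sample drops that loader, the loader re-launches the sample by path, and the grandchild is the process that actually tampers with the registry. The block below is an added example, not part of the sandbox report, that applies both checks to Sysmon-style ProcessCreate (Event ID 1) records. The line format, the field names, the list of protected system binary names and the benign processes in `SAMPLE_PROCESS_LOG` are constructed for this example; the PIDs and paths of the malicious chain are those shown above.

```python
"""Flag the dropped-loader process chain from this run's process tree.

Added example, not part of the sandbox report. Input is a list of Sysmon-like
Event ID 1 (ProcessCreate) records as pipe-separated key=value lines; the
SAMPLE_PROCESS_LOG lines are constructed to mirror the tree above (PID 1932 ->
2008 -> 1972, plus the standalone PID 1364) with benign processes added.
"""
import ntpath

# Names of binaries Windows ships only in these directories. A file with one of
# these names anywhere else (C:\Windows\svchost.exe in this run) is a masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "wininit.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_event(line: str) -> dict:
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def is_masquerade(image: str) -> bool:
    """True if the image has a core system binary's name but lives outside
    System32/SysWOW64 (path comparison is case-insensitive, as on NTFS)."""
    directory, name = ntpath.split(image.strip().lower())
    return name in SYSTEM_BINARIES and directory not in LEGIT_SYSTEM_DIRS


def analyze_process_tree(lines):
    """Return (pid, reason, evidence) findings. Three checks:
    1. the process itself is a masqueraded system binary;
    2. its parent is one (the loader spawned something);
    3. re-execution loop: parent is a masquerade and the child's image is the
       grandparent's image, i.e. the sample re-launched itself via its dropper."""
    procs = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            procs[ev["ProcessId"]] = ev
    findings = []
    for pid, ev in procs.items():
        image = ev["Image"]
        if is_masquerade(image):
            findings.append((pid, "system binary name outside System32", image))
        parent = procs.get(ev.get("ParentProcessId"))
        if parent is None or not is_masquerade(parent["Image"]):
            continue
        findings.append((pid, "spawned by masqueraded binary", parent["Image"]))
        grandparent = procs.get(parent.get("ParentProcessId"))
        if grandparent and grandparent["Image"].lower() == image.lower():
            findings.append((pid, "re-execution loop via dropped loader",
                             grandparent["Image"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe"


def _ev(pid, ppid, image, cmdline):
    return f"EventID=1|ProcessId={pid}|ParentProcessId={ppid}|Image={image}|CommandLine={cmdline}"


# Constructed ProcessCreate log mirroring the report's process tree.
SAMPLE_PROCESS_LOG = [
    _ev(768, 600, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    _ev(880, 768, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    _ev(1500, 1400, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    _ev(1932, 1500, SAMPLE, f'"{SAMPLE}"'),
    _ev(2008, 1932, r"C:\Windows\svchost.exe", f'"C:\\Windows\\svchost.exe" "{SAMPLE}"'),
    _ev(1972, 2008, SAMPLE, f'"{SAMPLE}"'),
    _ev(1364, 768, r"C:\Windows\svchost.exe", r"C:\Windows\svchost.exe"),
]

if __name__ == "__main__":
    for pid, reason, evidence in analyze_process_tree(SAMPLE_PROCESS_LOG):
        print(f"PID {pid}: {reason} [{evidence}]")
```

The genuine System32 svchost.exe (PID 880 in the constructed log) produces no finding, while PID 2008, PID 1972 and the standalone PID 1364 each do. Note that the loop check needs the full ancestry, so the detector keys processes by PID from the create events rather than relying on a parent name alone; on a real host, also account for PID reuse by including the process creation time in the key.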
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe
  Filesize: 328KB
  MD5: 3e2d8e688a53071307816568674c9f52
  SHA1: 2fa6d076950a843c71a0391f19585992f603381b
  SHA256: 8272e0459816bff609161ead97b9177941eda19909fd75b4521e5a3495f8a5df
  SHA512: d1651706f71bd1418cd44f9fe4577887fa12ae4ea75d74566e7d048c700a89ad40714f52a4fbd757e3b470b4668db01bcf6b2e9e5f197ae1a5b6811bceaa57f0

- C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

- \Users\Admin\AppData\Local\Temp\19518d76155fb5fe8ea0606827cf741c.exe
  Filesize: 328KB
  MD5: 3e2d8e688a53071307816568674c9f52
  SHA1: 2fa6d076950a843c71a0391f19585992f603381b
  SHA256: 8272e0459816bff609161ead97b9177941eda19909fd75b4521e5a3495f8a5df
  SHA512: d1651706f71bd1418cd44f9fe4577887fa12ae4ea75d74566e7d048c700a89ad40714f52a4fbd757e3b470b4668db01bcf6b2e9e5f197ae1a5b6811bceaa57f0

Note that the file written back to the sample's own path during the run (328KB, MD5 3e2d8e68...) does not match the submitted sample (364KB, MD5 19518d76...): the executable on disk at the end of the run is not the one that was submitted, so collect both when building indicators.

Memory dumps:
- memory/1972-60-0x0000000076181000-0x0000000076183000-memory.dmp (8KB)
- memory/1972-63-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
- memory/1972-61-0x0000000001DE0000-0x0000000002E9A000-memory.dmp (16.7MB)
- memory/1972-64-0x0000000000400000-0x0000000000453000-memory.dmp (332KB)
- memory/1972-65-0x0000000001DE0000-0x0000000002E9A000-memory.dmp (16.7MB)
- memory/1972-58-0x0000000000000000-mapping.dmp
- memory/2008-54-0x0000000000000000-mapping.dmp
- memory/2008-62-0x0000000000230000-0x0000000000283000-memory.dmp (332KB)