Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-08-2022 19:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: a4f58cd887953173b384ab2e7d557198.exe
- Resource: win7-20220812-en
General
- Target: a4f58cd887953173b384ab2e7d557198.exe
- Size: 356KB
- MD5: a4f58cd887953173b384ab2e7d557198
- SHA1: a863832f59f5537b26af7e22ce8b1be412308bb2
- SHA256: 1d9bd5fdb3ab06f20d2f247ca4c0c866eda29b5f715c3d080ef8747b9f8c9032
- SHA512: 72741741c11b1faa333081d2a9c6d3fb623d20858fb9d951dabcd6e348439c95af0403d73c67def7a4d1af4d9de46c52089fff453c6ca6b8d9e28f3ee3ca8cc8
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPxyenrYYf5kSbiUXqBurgIXU:EagCkD790YRkSxXqErFI5
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service | 2 TTPs | 3 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a4f58cd887953173b384ab2e7d557198.exe
-
UAC bypass
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a4f58cd887953173b384ab2e7d557198.exe
-
Windows security bypass
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
-
Executes dropped EXE | 3 IoCs
Processes: svchost.exe, a4f58cd887953173b384ab2e7d557198.exe, svchost.exe
pid | process
4224 | svchost.exe
4288 | a4f58cd887953173b384ab2e7d557198.exe
5108 | svchost.exe
-
Yara rule hits:
resource | yara_rule
behavioral2/memory/4288-138-0x0000000002240000-0x00000000032FA000-memory.dmp | upx
behavioral2/memory/4288-140-0x0000000002240000-0x00000000032FA000-memory.dmp | upx
-
Windows security modification
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a4f58cd887953173b384ab2e7d557198.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a4f58cd887953173b384ab2e7d557198.exe
-
Checks whether UAC is enabled
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a4f58cd887953173b384ab2e7d557198.exe
Drops file in Program Files directory | 51 IoCs (files opened for modification by svchost.exe)
Drops file in Windows directory | 3 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe, a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
File created | C:\Windows\svchost.exe | a4f58cd887953173b384ab2e7d557198.exe
File created | C:\Windows\e56cb73 | a4f58cd887953173b384ab2e7d557198.exe
File opened for modification | C:\Windows\SYSTEM.INI | a4f58cd887953173b384ab2e7d557198.exe
-
Suspicious behavior: EnumeratesProcesses | 2 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe
pid | process
4288 | a4f58cd887953173b384ab2e7d557198.exe
4288 | a4f58cd887953173b384ab2e7d557198.exe
-
Suspicious use of AdjustPrivilegeToken | 4 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | pid | process
Token: SeDebugPrivilege | 4288 | a4f58cd887953173b384ab2e7d557198.exe
Token: SeDebugPrivilege | 4288 | a4f58cd887953173b384ab2e7d557198.exe
Token: SeDebugPrivilege | 4288 | a4f58cd887953173b384ab2e7d557198.exe
Token: SeDebugPrivilege | 4288 | a4f58cd887953173b384ab2e7d557198.exe
-
Suspicious use of WriteProcessMemory | 6 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe, svchost.exe
description | pid | process | target process
PID 3824 wrote to memory of 4224 | 3824 | a4f58cd887953173b384ab2e7d557198.exe | svchost.exe
PID 3824 wrote to memory of 4224 | 3824 | a4f58cd887953173b384ab2e7d557198.exe | svchost.exe
PID 3824 wrote to memory of 4224 | 3824 | a4f58cd887953173b384ab2e7d557198.exe | svchost.exe
PID 4224 wrote to memory of 4288 | 4224 | svchost.exe | a4f58cd887953173b384ab2e7d557198.exe
PID 4224 wrote to memory of 4288 | 4224 | svchost.exe | a4f58cd887953173b384ab2e7d557198.exe
PID 4224 wrote to memory of 4288 | 4224 | svchost.exe | a4f58cd887953173b384ab2e7d557198.exe
-
System policy modification | 1 TTPs | 1 IoCs
Processes: a4f58cd887953173b384ab2e7d557198.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a4f58cd887953173b384ab2e7d557198.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe"
         - Modifies firewall policy service
         - UAC bypass
         - Windows security bypass
         - Executes dropped EXE
         - Windows security modification
         - Checks whether UAC is enabled
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - System policy modification
-
1. C:\Windows\svchost.exe
   Command line: C:\Windows\svchost.exe
   - Executes dropped EXE
   - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a4f58cd887953173b384ab2e7d557198.exe
- Filesize: 320KB
- MD5: 376558be20d6117e16f6668c91de99e6
- SHA1: 2e4ff6a438f77bd68c23028dfbbeabc45681a331
- SHA256: 5d268887d43c731a2c5e7d16e6a14d8444c5be51025b9fde95b02962b5e35dea
- SHA512: fea3d3dede9b543bfba6c9855f0638a7f45c5be6b58b965e8035e05b858af8fc36d3f7f78b1fe9a21dd5619a6f8b6e8d42bff5279cd61dc15f4fa880b4aa37c2
-
C:\Windows\svchost.exe
- Filesize: 35KB
- MD5: 83b4da0c5e91e676c355a34ad0fe73da
- SHA1: 09322303503ed0a70613110ca72e1bc790348882
- SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
- SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08
-
memory/4224-132-0x0000000000000000-mapping.dmp
-
memory/4288-135-0x0000000000000000-mapping.dmp
-
memory/4288-138-0x0000000002240000-0x00000000032FA000-memory.dmp
- Filesize: 16.7MB
-
memory/4288-139-0x0000000000400000-0x0000000000451000-memory.dmp
- Filesize: 324KB
-
memory/4288-140-0x0000000002240000-0x00000000032FA000-memory.dmp
- Filesize: 16.7MB