Analysis
Max time kernel: 43s
Max time network: 49s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 30-08-2022 19:17
Static task: static1
Behavioral task: behavioral1
Sample: 15dc24479d7702bcfad920152777d902.exe
Resource: win7-20220812-en
General
Target: 15dc24479d7702bcfad920152777d902.exe
Size: 356KB
MD5: 15dc24479d7702bcfad920152777d902
SHA1: 651533cbf31eb1b36f9594e4ad75d4c3c7b0ecd3
SHA256: 47b3817091fe9396c6bc021d6b277cbcc68d671f1c090e169ce4690c4ff485c3
SHA512: a2543b0ce3579b0f9abbbc23aa8e257028b0f903a5af824ea51df7a02de0f709620aedec6d2ecb57e1824b3508ae0e2530ef96c3bdc6fab4175399181e03a8b2
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPnpTjf5ku3mlZiBurgIu7wrF:EagCkDJpTjRkugiErwI5
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Executes dropped EXE (3 IoCs)
  PID 2044  svchost.exe
  PID 1168  15dc24479d7702bcfad920152777d902.exe
  PID 1540  svchost.exe
YARA rule matches:
  upx: behavioral1/memory/1168-61-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
  upx: behavioral1/memory/1168-64-0x0000000001DB0000-0x0000000002E6A000-memory.dmp
Loads dropped DLL (1 IoCs)
  PID 2044  svchost.exe
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Windows directory (3 IoCs)
Process: 15dc24479d7702bcfad920152777d902.exe
  File created: C:\Windows\svchost.exe
  File created: C:\Windows\6c1d42
  File opened for modification: C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  PID 1168  15dc24479d7702bcfad920152777d902.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Token: SeDebugPrivilege  PID 1168  15dc24479d7702bcfad920152777d902.exe  (same entry repeated 21 times)
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1996 (15dc24479d7702bcfad920152777d902.exe) wrote to memory of PID 2044 (svchost.exe)  (4 times)
  PID 2044 (svchost.exe) wrote to memory of PID 1168 (15dc24479d7702bcfad920152777d902.exe)  (4 times)
  PID 1168 (15dc24479d7702bcfad920152777d902.exe) wrote to memory of PID 1268 (taskhost.exe)
  PID 1168 (15dc24479d7702bcfad920152777d902.exe) wrote to memory of PID 1368 (Dwm.exe)
  PID 1168 (15dc24479d7702bcfad920152777d902.exe) wrote to memory of PID 1416 (Explorer.EXE)
System policy modification (1 TTPs, 1 IoCs)
Process: 15dc24479d7702bcfad920152777d902.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    [2] C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\svchost.exe
            Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe"
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

[1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"

[1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"

[1] C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe
  Filesize: 320KB
  MD5: 90fcb8d817c93eb0e8cf9f04832fec71
  SHA1: 10856992d853f5769fadadec4006e0cb0378c67b
  SHA256: 732d9c295e5c1053c390899726253d1aabac30b16b8c4a90d7ef0ba77cb60aed
  SHA512: 2ae5f0fc1eee52303f951f306f203eaabec84d0f6bf32f08a4a5703ab0f1ca98a487e1275dc44723fe2362ae2c2e681e892e97b28b19b9c46de24a3f4c787766

C:\Windows\svchost.exe
  Filesize: 35KB
  MD5: 83b4da0c5e91e676c355a34ad0fe73da
  SHA1: 09322303503ed0a70613110ca72e1bc790348882
  SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
  SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

\Users\Admin\AppData\Local\Temp\15dc24479d7702bcfad920152777d902.exe
  Filesize: 320KB
  MD5: 90fcb8d817c93eb0e8cf9f04832fec71
  SHA1: 10856992d853f5769fadadec4006e0cb0378c67b
  SHA256: 732d9c295e5c1053c390899726253d1aabac30b16b8c4a90d7ef0ba77cb60aed
  SHA512: 2ae5f0fc1eee52303f951f306f203eaabec84d0f6bf32f08a4a5703ab0f1ca98a487e1275dc44723fe2362ae2c2e681e892e97b28b19b9c46de24a3f4c787766

Memory dumps
  memory/1168-58-0x0000000000000000-mapping.dmp
  memory/1168-60-0x0000000075A81000-0x0000000075A83000-memory.dmp  (Filesize: 8KB)
  memory/1168-61-0x0000000001DB0000-0x0000000002E6A000-memory.dmp  (Filesize: 16.7MB)
  memory/1168-63-0x0000000000400000-0x0000000000451000-memory.dmp  (Filesize: 324KB)
  memory/1168-64-0x0000000001DB0000-0x0000000002E6A000-memory.dmp  (Filesize: 16.7MB)
  memory/2044-54-0x0000000000000000-mapping.dmp