Analysis

- max time kernel: 37s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-08-2022 19:17

Static task: static1
Behavioral task: behavioral1
Sample: 2b563951339033c058772ebc364bcbde.exe
Resource: win7-20220812-en
General

- Target: 2b563951339033c058772ebc364bcbde.exe
- Size: 356KB
- MD5: 2b563951339033c058772ebc364bcbde
- SHA1: a17bc228a5ebfd0716e9f500ad575175b1cb9897
- SHA256: ef7783fb9b3895a4bda50e03a1fbb326ee7cbc7bc9ab42882c72ef6fdf35afb8
- SHA512: 25f2bb6ab57bad44a20ec415b8ed70b3441329e7e0fd45274857e3c17ac8913376cd6311528c9f238d1dd4a48563d9f07bf71af7c771ebe85016227ea8c255cb
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgP+YuOjSyf5k2gCBurgIZr7w5:EagCkDsOjlRkmErrI5
Malware Config

Extracted family: sality
URLs from the extracted config:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2b563951339033c058772ebc364bcbde.exe

UAC bypass (1 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2b563951339033c058772ebc364bcbde.exe

Windows security bypass (6 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe

Executes dropped EXE (3 IoCs)
Processes: svchost.exe, 2b563951339033c058772ebc364bcbde.exe, svchost.exe
pid | process
1664 | svchost.exe
1432 | 2b563951339033c058772ebc364bcbde.exe
1988 | svchost.exe

UPX-packed memory (yara rule: upx, 3 IoCs)
resource | yara_rule
behavioral1/memory/1432-61-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx
behavioral1/memory/1432-64-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx
behavioral1/memory/1432-67-0x0000000001E40000-0x0000000002EFA000-memory.dmp | upx

Loads dropped DLL (1 IoCs)
Processes: svchost.exe
pid | process
1664 | svchost.exe

Windows security modification (7 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2b563951339033c058772ebc364bcbde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2b563951339033c058772ebc364bcbde.exe

Checks whether UAC is enabled (1 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2b563951339033c058772ebc364bcbde.exe

Drops file in Windows directory (3 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe, 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
File created | C:\Windows\6c10f2 | 2b563951339033c058772ebc364bcbde.exe
File opened for modification | C:\Windows\SYSTEM.INI | 2b563951339033c058772ebc364bcbde.exe
File created | C:\Windows\svchost.exe | 2b563951339033c058772ebc364bcbde.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
pid | process
1432 | 2b563951339033c058772ebc364bcbde.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | pid | process
Token: SeDebugPrivilege | 1432 | 2b563951339033c058772ebc364bcbde.exe (this row appears 21 times in the report)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe, svchost.exe, 2b563951339033c058772ebc364bcbde.exe
description | pid | process | target process | count
PID 1132 wrote to memory of 1664 | 1132 | 2b563951339033c058772ebc364bcbde.exe | svchost.exe | 4
PID 1664 wrote to memory of 1432 | 1664 | svchost.exe | 2b563951339033c058772ebc364bcbde.exe | 4
PID 1432 wrote to memory of 1216 | 1432 | 2b563951339033c058772ebc364bcbde.exe | taskhost.exe | 1
PID 1432 wrote to memory of 1296 | 1432 | 2b563951339033c058772ebc364bcbde.exe | Dwm.exe | 1
PID 1432 wrote to memory of 1376 | 1432 | 2b563951339033c058772ebc364bcbde.exe | Explorer.EXE | 1
PID 1432 wrote to memory of 1664 | 1432 | 2b563951339033c058772ebc364bcbde.exe | svchost.exe | 2

System policy modification (1 TTPs, 1 IoCs)
Processes: 2b563951339033c058772ebc364bcbde.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2b563951339033c058772ebc364bcbde.exe
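The registry rows in the signatures above all describe one thing: the sample switches off the host's own defences (firewall profile, UAC, Security Center state and notifications). The following is an added example, not part of this report and not any sandbox vendor's code: a parser for those IoC lines plus a small rule table that flags such changes. The sample input is copied from the tables above; the rule labels and the extra benign line (a hypothetical setup.exe putting EnableLUA back to "1", which must not fire) are assumptions. The rules do not anchor the key prefix, so the same table also matches Sysmon Event ID 13 (RegistryEvent, value set) TargetObject/Details pairs, which use HKLM\... rather than \REGISTRY\MACHINE\....

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: registry IoC lines copied from the signature tables
# above (one line per distinct value name), plus one assumed benign line
# (EnableLUA set back to "1" by a hypothetical setup.exe) that must not fire.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 2b563951339033c058772ebc364bcbde.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 2b563951339033c058772ebc364bcbde.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup.exe
"""

# The report's two row shapes: 'Set value (<type>) <path> = "<data>" <process>'
# and 'Key created <path> <process>'. Paths may contain spaces (Security Center).
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
KEY_CREATED_RE = re.compile(r"^Key created (.+) (\S+)$")

# Rule table (assumed labels): regex over the full path, the data value that
# means tampering (None = any), and a label. \w+Profile also covers Domain and
# Public profiles; the prefix is left open so CurrentControlSet, Wow6432Node
# and HKLM\-style paths all match.
RULES = [
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", "0", "Windows Firewall disabled"),
    (r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", "0", "firewall exception blocking turned off"),
    (r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", "1", "firewall notifications suppressed"),
    (r"\\Policies\\System\\EnableLUA$", "0", "UAC disabled (effective after reboot)"),
    (r"\\Security Center\\(AntiVirus|Firewall)Override$", "1", "Security Center override set"),
    (r"\\Security Center\\\w+DisableNotify$", "1", "Security Center notifications suppressed"),
    (r"\\Security Center\\Svc$", None, "key created under Security Center"),
]


def parse_ioc(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Turn one report IoC line into a dict; None for lines of other kinds."""
    m = SET_VALUE_RE.match(line)
    if m:
        vtype, path, data, proc = m.groups()
        return {"op": "set", "type": vtype, "path": path, "data": data, "process": proc}
    m = KEY_CREATED_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "create", "type": None, "path": path, "data": None, "process": proc}
    return None


def evaluate(text: str) -> List[Dict[str, Optional[str]]]:
    """One finding per IoC line that matches a tampering rule (first rule wins)."""
    findings = []
    for raw in text.splitlines():
        ioc = parse_ioc(raw.strip())
        if ioc is None:
            continue
        for pattern, bad_data, label in RULES:
            if re.search(pattern, ioc["path"]) and (bad_data is None or ioc["data"] == bad_data):
                findings.append({**ioc, "label": label})
                break
    return findings


def summarize(findings) -> Dict[str, List[str]]:
    """Collapse findings into {process: sorted list of distinct labels}."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["process"], set()).add(f["label"])
    return {p: sorted(v) for p, v in out.items()}


if __name__ == "__main__":
    for f in evaluate(SAMPLE_IOCS):
        print(f"{f['process']}: {f['label']}  [{f['path']} = {f['data']}]")
```

Run on the sample lines it reports seven findings, all attributed to 2b563951339033c058772ebc364bcbde.exe, and nothing for the setup.exe line. The EnableLUA label carries the caveat that matters in practice: the value is read at logon, so a host where this fired is still running with UAC until it reboots, which is why the same sample also sets UacDisableNotify to hide the resulting warning.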
Processes

Tree as recorded by the sandbox (depth in parentheses, command line after the image path; signatures hit by each process listed beneath it):

(1) C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"

(1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    (2) C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\svchost.exe
            command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            (4) C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe"
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

(1) C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"

(1) C:\Windows\svchost.exe
    command line: C:\Windows\svchost.exe
    - Executes dropped EXE
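The process tree and the WriteProcessMemory rows together describe a chain: the sample writes into the svchost.exe it dropped in C:\Windows, that svchost.exe relaunches the sample and writes into it, and the relaunched instance then writes into taskhost.exe, Dwm.exe and Explorer.EXE, none of which it created. The following is an added example, not part of this report: it parses the report's WriteProcessMemory lines and separates writes into a process's own freshly created child (the ordinary launcher/unpacker pattern) from writes into unrelated processes or into the writer's parent, which is the cross-process injection worth alerting on. The parent map is an assumption inferred from the tree plus the write pairs (the tree does not print PIDs); the sample lines are the report's own thirteen rows.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input: the 13 WriteProcessMemory IoC lines from the report
# above, in the report's own "PID <src> wrote to memory of <dst> <src> <src
# name> <dst name>" form.
SAMPLE_WRITES = """
PID 1132 wrote to memory of 1664 1132 2b563951339033c058772ebc364bcbde.exe svchost.exe
PID 1132 wrote to memory of 1664 1132 2b563951339033c058772ebc364bcbde.exe svchost.exe
PID 1132 wrote to memory of 1664 1132 2b563951339033c058772ebc364bcbde.exe svchost.exe
PID 1132 wrote to memory of 1664 1132 2b563951339033c058772ebc364bcbde.exe svchost.exe
PID 1664 wrote to memory of 1432 1664 svchost.exe 2b563951339033c058772ebc364bcbde.exe
PID 1664 wrote to memory of 1432 1664 svchost.exe 2b563951339033c058772ebc364bcbde.exe
PID 1664 wrote to memory of 1432 1664 svchost.exe 2b563951339033c058772ebc364bcbde.exe
PID 1664 wrote to memory of 1432 1664 svchost.exe 2b563951339033c058772ebc364bcbde.exe
PID 1432 wrote to memory of 1216 1432 2b563951339033c058772ebc364bcbde.exe taskhost.exe
PID 1432 wrote to memory of 1296 1432 2b563951339033c058772ebc364bcbde.exe Dwm.exe
PID 1432 wrote to memory of 1376 1432 2b563951339033c058772ebc364bcbde.exe Explorer.EXE
PID 1432 wrote to memory of 1664 1432 2b563951339033c058772ebc364bcbde.exe svchost.exe
PID 1432 wrote to memory of 1664 1432 2b563951339033c058772ebc364bcbde.exe svchost.exe
"""

# Parent map (assumption) inferred from the report's process tree plus the
# write pairs: Explorer.EXE (1376) -> sample (1132) -> dropped C:\Windows\
# svchost.exe (1664) -> second sample instance (1432). The tree prints no PIDs.
PARENT: Dict[int, int] = {1132: 1376, 1664: 1132, 1432: 1664}

# The source PID is printed twice on each row; \1 enforces that they agree.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_writes(text: str) -> List[Tuple[int, int, str, str]]:
    """(src pid, dst pid, src name, dst name) for every WriteProcessMemory row."""
    out = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, src_name, dst_name = m.groups()
            out.append((int(src), int(dst), src_name, dst_name))
    return out


def classify(writes, parent: Dict[int, int]) -> List[dict]:
    """One record per distinct (src, dst) pair with its write count and kind:
    'child'   writer is the target's parent (launcher filling in a new child)
    'parent'  writer targets its own parent
    'foreign' no parent/child link at all: cross-process injection
    """
    counts = Counter((s, d) for s, d, _, _ in writes)
    names: Dict[int, str] = {}
    for s, d, sn, dn in writes:
        names[s], names[d] = sn, dn
    records = []
    for (s, d), n in sorted(counts.items()):
        if parent.get(d) == s:
            kind = "child"
        elif parent.get(s) == d:
            kind = "parent"
        else:
            kind = "foreign"
        records.append({"src": s, "dst": d, "src_name": names[s],
                        "dst_name": names[d], "writes": n, "kind": kind})
    return records


def injection_targets(records) -> List[str]:
    """Names of processes written to by something other than their own parent."""
    return sorted({r["dst_name"] for r in records if r["kind"] != "child"})


if __name__ == "__main__":
    recs = classify(parse_writes(SAMPLE_WRITES), PARENT)
    for r in recs:
        print(f"{r['src']} {r['src_name']} -> {r['dst']} {r['dst_name']}: "
              f"{r['writes']} write(s), {r['kind']}")
    print("alert on:", injection_targets(recs))
```

On the report's rows this yields two child-directed pairs with four writes each (sample -> dropped svchost.exe, dropped svchost.exe -> relaunched sample), one parent-directed pair (1432 back into 1664) and three foreign targets. In an EDR or Sysmon (Event ID 8/10 plus the process-create tree) pipeline the same split is what keeps legitimate installers and unpackers, which only ever write into their own suspended child, out of the injection alert.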
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe
- Filesize: 320KB
- MD5: 722284b2ae94ff42c431a7934c0f6457
- SHA1: ec7ed508814fd9ecad83c9e5b8a0bd699c1845ff
- SHA256: 80eb6144430eaaf4a679e20fd641ea6e9b7e1e38f9a330d14052d1a299f1e96f
- SHA512: 5b7ff2b81a78491bf7d733adb67c7452d5a011e6bcc96c9f2b0688368fdd31ec43be818c9e41930354fa4214f9c0f82f55116766d385f84851663c70384d10da
(This is the file at the sample's own path after the run; its size and hashes differ from the submitted sample in General above, 356KB / MD5 2b563951339033c058772ebc364bcbde, so the file on disk was rewritten during execution.)

C:\Windows\svchost.exe (the report lists this dropped file three times with identical hashes)
- Filesize: 35KB
- MD5: 83b4da0c5e91e676c355a34ad0fe73da
- SHA1: 09322303503ed0a70613110ca72e1bc790348882
- SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
- SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

\Users\Admin\AppData\Local\Temp\2b563951339033c058772ebc364bcbde.exe
- Filesize: 320KB, same MD5/SHA1/SHA256/SHA512 as the C:\Users\Admin\AppData\Local\Temp entry above

Memory dumps
- memory/1432-60-0x0000000075FB1000-0x0000000075FB3000-memory.dmp: 8KB
- memory/1432-61-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
- memory/1432-63-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/1432-64-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
- memory/1432-65-0x0000000000400000-0x0000000000451000-memory.dmp: 324KB
- memory/1432-58-0x0000000000000000-mapping.dmp
- memory/1432-67-0x0000000001E40000-0x0000000002EFA000-memory.dmp: 16.7MB
- memory/1664-54-0x0000000000000000-mapping.dmp
- memory/1664-62-0x0000000000120000-0x0000000000171000-memory.dmp: 324KB