Analysis
- max time kernel: 154s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-08-2022 19:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 586f9bf1c139ce3c0efb35136267bca8.exe
- Resource: win7-20220812-en
General
- Target: 586f9bf1c139ce3c0efb35136267bca8.exe
- Size: 360KB
- MD5: 586f9bf1c139ce3c0efb35136267bca8
- SHA1: 11ced437e8a008d39a98ef2b9f79f5d3f493b324
- SHA256: 6c8c33865b9eedbaa85f34cd386f71806652125b359c7ee45f31bffab54c895e
- SHA512: 8c77c6f832f52136b5b9166c7f46758a4a7db8f53d2568d317a2c694a7151e4ee82a3406d776ebd79339faacfcdcdf622bdb4a56d4428ba0c9b3f7f3c19c0080
- SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPmYYIOf5kswul2e55BurgIiU:EagCkD/sRkyln5ErsI5
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (586f9bf1c139ce3c0efb35136267bca8.exe)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
Executes dropped EXE (3 IoCs)
Processes: svchost.exe, 586f9bf1c139ce3c0efb35136267bca8.exe, svchost.exe
- PID 5056: svchost.exe
- PID 1560: 586f9bf1c139ce3c0efb35136267bca8.exe
- PID 4588: svchost.exe
Processes (resource, yara_rule):
- behavioral2/memory/1560-138-0x0000000002290000-0x000000000334A000-memory.dmp: upx
- behavioral2/memory/1560-141-0x0000000002290000-0x000000000334A000-memory.dmp: upx
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (586f9bf1c139ce3c0efb35136267bca8.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (586f9bf1c139ce3c0efb35136267bca8.exe)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (586f9bf1c139ce3c0efb35136267bca8.exe)
Drops file in Program Files directory (53 IoCs)
Processes: svchost.exe
File opened for modification by svchost.exe:
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
Drops file in Windows directory (1 IoC)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- File created C:\Windows\svchost.exe (586f9bf1c139ce3c0efb35136267bca8.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe, svchost.exe
- PID 1180 (586f9bf1c139ce3c0efb35136267bca8.exe) wrote to memory of PID 5056 (svchost.exe)
- PID 1180 (586f9bf1c139ce3c0efb35136267bca8.exe) wrote to memory of PID 5056 (svchost.exe)
- PID 1180 (586f9bf1c139ce3c0efb35136267bca8.exe) wrote to memory of PID 5056 (svchost.exe)
- PID 5056 (svchost.exe) wrote to memory of PID 1560 (586f9bf1c139ce3c0efb35136267bca8.exe)
- PID 5056 (svchost.exe) wrote to memory of PID 1560 (586f9bf1c139ce3c0efb35136267bca8.exe)
- PID 5056 (svchost.exe) wrote to memory of PID 1560 (586f9bf1c139ce3c0efb35136267bca8.exe)
System policy modification (1 TTPs, 1 IoCs)
Processes: 586f9bf1c139ce3c0efb35136267bca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (586f9bf1c139ce3c0efb35136267bca8.exe)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\svchost.exe
  Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - System policy modification

Level 1: C:\Windows\svchost.exe
Command line: C:\Windows\svchost.exe
- Executes dropped EXE
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\586f9bf1c139ce3c0efb35136267bca8.exe
- Filesize: 324KB
- MD5: c7314ced6df968194612800d67d91129
- SHA1: d59476db93ffd2f7da527c8da3a3f5521e97d764
- SHA256: bf39e24fe3edad087e2c9b1fdbef24585032bd31a35bad130cf958cb596ec59d
- SHA512: fe51d0e03bebbbe36ac798d0e5fdd31786d83cf84d6a83544a865cf0c0c2d1ed46f6aaa4ce3701e979d1cac0e9d09bbd6f1b0ba42bac4f8a5beeaf3492401d82

C:\Windows\svchost.exe
- Filesize: 35KB
- MD5: 83b4da0c5e91e676c355a34ad0fe73da
- SHA1: 09322303503ed0a70613110ca72e1bc790348882
- SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
- SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Memory dumps
- memory/1560-135-0x0000000000000000-mapping.dmp
- memory/1560-138-0x0000000002290000-0x000000000334A000-memory.dmp (Filesize: 16.7MB)
- memory/1560-139-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1560-140-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1560-141-0x0000000002290000-0x000000000334A000-memory.dmp (Filesize: 16.7MB)
- memory/5056-132-0x0000000000000000-mapping.dmp