Analysis
max time kernel: 148s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2022 19:17
Static task: static1
Behavioral task: behavioral1
Sample: 9266d671e223e5d1a66f921d6deec546.exe
Resource: win7-20220812-en
General
Target: 9266d671e223e5d1a66f921d6deec546.exe
Size: 360KB
MD5: 9266d671e223e5d1a66f921d6deec546
SHA1: 01bf65d1ca26eee48d81d4a16f3bedfb83ffd426
SHA256: 9e148bd184f130b3f2a9a60f3367f6af7feffdd00c768070949d5d311837cb53
SHA512: 1360221a1f4da77bc117c0f97928e9d218f4cad1d1642f3a0c7bdc62c2745254baa29b03a273cec4b1aa799c0cb73f4b8960c5c7903fea315361e79cc80b3950
SSDEEP: 6144:EyH7xOc6H5c6HcT66vlml/SI01Jq3ggxDDwCkTTgPYSfkeQsFnyf5ku8hSasBurL:EagCkDW9eQs0RkHhSasEr+I5
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 9266d671e223e5d1a66f921d6deec546.exe

Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9266d671e223e5d1a66f921d6deec546.exe

Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe

Executes dropped EXE (3 IoCs)
Processes: svchost.exe, 9266d671e223e5d1a66f921d6deec546.exe, svchost.exe
pid | process
2032 | svchost.exe
612 | 9266d671e223e5d1a66f921d6deec546.exe
4468 | svchost.exe

Processes:
resource | yara_rule
behavioral2/memory/612-139-0x0000000002360000-0x000000000341A000-memory.dmp | upx
behavioral2/memory/612-141-0x0000000002360000-0x000000000341A000-memory.dmp | upx

Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9266d671e223e5d1a66f921d6deec546.exe

Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9266d671e223e5d1a66f921d6deec546.exe

Drops file in Program Files directory (51 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | svchost.exe

Drops file in Windows directory (1 IoCs)
Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
File created | C:\Windows\svchost.exe | 9266d671e223e5d1a66f921d6deec546.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 9266d671e223e5d1a66f921d6deec546.exe, svchost.exe
description | pid | process | target process
PID 1648 wrote to memory of 2032 | 1648 | 9266d671e223e5d1a66f921d6deec546.exe | svchost.exe
PID 1648 wrote to memory of 2032 | 1648 | 9266d671e223e5d1a66f921d6deec546.exe | svchost.exe
PID 1648 wrote to memory of 2032 | 1648 | 9266d671e223e5d1a66f921d6deec546.exe | svchost.exe
PID 2032 wrote to memory of 612 | 2032 | svchost.exe | 9266d671e223e5d1a66f921d6deec546.exe
PID 2032 wrote to memory of 612 | 2032 | svchost.exe | 9266d671e223e5d1a66f921d6deec546.exe
PID 2032 wrote to memory of 612 | 2032 | svchost.exe | 9266d671e223e5d1a66f921d6deec546.exe

System policy modification (1 TTPs, 1 IoCs)
Processes: 9266d671e223e5d1a66f921d6deec546.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9266d671e223e5d1a66f921d6deec546.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\svchost.exe
Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe"
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System policy modification

Depth 1: C:\Windows\svchost.exe
Command line: C:\Windows\svchost.exe
- Executes dropped EXE
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\9266d671e223e5d1a66f921d6deec546.exe
Filesize: 324KB
MD5: 47a8375cb600cc7f1a2cc56a4b9830ea
SHA1: 8c49aa96d0fd0de4d72a841695bd13137565a9b8
SHA256: 9afe48270df7737249a5a4ab53bff693b616c963b9f7511d8df07b88aad538fa
SHA512: a4e4c00cac0329e6bf94eec5ead77a1c11d57b38ece2552426bcb20ff9a26c10217263ca98e5cc96960dcab04575fa4668e968583a1476518f95776cbecde9e8

C:\Windows\svchost.exe
Filesize: 35KB
MD5: 83b4da0c5e91e676c355a34ad0fe73da
SHA1: 09322303503ed0a70613110ca72e1bc790348882
SHA256: 5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110
SHA512: 20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

memory/612-135-0x0000000000000000-mapping.dmp

memory/612-138-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize: 328KB

memory/612-139-0x0000000002360000-0x000000000341A000-memory.dmp
Filesize: 16.7MB

memory/612-140-0x0000000000400000-0x0000000000452000-memory.dmp
Filesize: 328KB

memory/612-141-0x0000000002360000-0x000000000341A000-memory.dmp
Filesize: 16.7MB

memory/2032-132-0x0000000000000000-mapping.dmp