Analysis
-
max time kernel
148s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
01-10-2022 17:20
Static task
static1
Behavioral task
behavioral1
Sample
02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe
Resource
win7-20220812-en
windows7-x64
15 signatures
150 seconds
General
-
Target
02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe
-
Size
249KB
-
MD5
63b0b0b9a6835bb670405a531366eea0
-
SHA1
a15b87a34c1126d8876ed0b2897153a569eef3c8
-
SHA256
02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed
-
SHA512
9a11c0a8c755ae5a492acc83dab5a3f088e0d86aff106b3915189daf67bab10bf18929d872eefcb6cfd949271d62ad408951cb509dc9aa5c3b62d222098cec69
-
SSDEEP
3072:WsRnhr1zzLvga5yJdu34gOmqqnsZdysdJzTFwf9xgCo4nuotdJavrr:95H7N5t4g7ntsdH41n3gvrr
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
resource yara_rule behavioral1/memory/1184-56-0x0000000001E40000-0x0000000002ECE000-memory.dmp upx behavioral1/memory/1184-57-0x0000000001E40000-0x0000000002ECE000-memory.dmp upx behavioral1/memory/1184-60-0x0000000001E40000-0x0000000002ECE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\L: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\O: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\W: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\X: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\Y: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\G: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\J: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\Q: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\R: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\U: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\I: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\S: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\Z: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\T: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\V: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\E: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\F: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\H: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\M: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\N: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened (read-only) \??\P: 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe Token: SeDebugPrivilege 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 PID 1184 wrote to memory of 1256 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 14 PID 1184 wrote to memory of 1340 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 13 PID 1184 wrote to memory of 1412 1184 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe 12 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1412
-
C:\Users\Admin\AppData\Local\Temp\02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe"C:\Users\Admin\AppData\Local\Temp\02951a1098930c5f83d5ce4a157378763319467b86f26de57e5e8441cca649ed.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1184
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1340
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1256