Analysis
Max time kernel: 43s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 10-10-2022 23:38

Static task: static1
Behavioral task: behavioral1
Sample: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Resource: win7-20220812-en
General
Target: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Size: 181KB
MD5: 7d361d4091c567d2df272cedaab75900
SHA1: cb25d11cfd5ffb34056f6a16db0391ec2956fceb
SHA256: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8
SHA512: d8deca9641fa0762d5d6e127c94349934e8169f6c424859984185cdca6f72b86a7934c3fb5223011a1d15090d63924b3e40763d15c702327729a38baadcdb862
SSDEEP: 3072:nq/fSpAbGTe2Aq/tqiqqim8SZGr3X2IPzHWhAhud9M1g1A:nqoAbgeHrmDKw0uHF1A
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

UAC bypass
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Windows security bypass
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
1564 | takeown.exe
1376 | icacls.exe

Yara rule matches
resource | yara_rule
behavioral1/memory/1052-55-0x0000000001F40000-0x0000000002FCE000-memory.dmp | upx
behavioral1/memory/1052-61-0x0000000001F40000-0x0000000002FCE000-memory.dmp | upx

Modifies file permissions (1 TTP, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
1564 | takeown.exe
1376 | icacls.exe

Windows security modification
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Checks whether UAC is enabled
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Drops file in Windows directory (1 IoC)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
pid | process
1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe (21 identical entries)
Token: SeTakeOwnershipPrivilege | 1564 | takeown.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe, cmd.exe
description | pid | process | target process
PID 1052 wrote to memory of 1116 | 1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe | taskhost.exe
PID 1052 wrote to memory of 1176 | 1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe | Dwm.exe
PID 1052 wrote to memory of 1216 | 1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe | Explorer.EXE
PID 1052 wrote to memory of 1576 | 1052 | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe | cmd.exe (4 identical entries)
PID 1576 wrote to memory of 1564 | 1576 | cmd.exe | takeown.exe (4 identical entries)
PID 1576 wrote to memory of 1376 | 1576 | cmd.exe | icacls.exe (4 identical entries)

System policy modification (1 TTP, 1 IoC)
Processes: 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
Processes (tree; indentation shows parent/child depth)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1741a5140686cf2234ed0e2734c240aeec8a86923c0a544ce35c2716ef6e0cf8.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /F mingliu.ttc /A
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls mingliu.ttc /grant Administrators:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"

[1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

memory/1052-54-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB

memory/1052-55-0x0000000001F40000-0x0000000002FCE000-memory.dmp
  Filesize: 16.6MB

memory/1052-60-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB

memory/1052-61-0x0000000001F40000-0x0000000002FCE000-memory.dmp
  Filesize: 16.6MB

memory/1376-59-0x0000000000000000-mapping.dmp

memory/1564-58-0x0000000000000000-mapping.dmp

memory/1576-56-0x0000000000000000-mapping.dmp