Analysis
max time kernel: 42s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 21-10-2022 11:25

Static task: static1
Behavioral task: behavioral1
Sample: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
Resource: win7-20220812-en
General
Target: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
Size: 173KB
MD5: 10b704217cde743100df3fe10f6403a0
SHA1: b346bd15bebac1c98d27d541646f8f575b4ca441
SHA256: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040
SHA512: c0de87a5a0f59ecea6856a4e878e46130a522bec59e09ecbc038cc26085965423e9a846ffbd725f5c5fa59bdf749569d2f3112541e375b84f8fd1c6b35e66ded
SSDEEP: 3072:Yq/ISpAbGTe2Aq/tqiqZ/4YTi3wJSyjX2F5aOHGRS+mxeSP1A:YqRAbgeFZAdIT65aO8S+zSP1A
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)

UAC bypass
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)

Windows security bypass
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
Possible privilege escalation attempt 2 IoCs
Processes: icacls.exe, takeown.exe
  pid 660  icacls.exe
  pid 268  takeown.exe

Processes: (memory regions matching yara rule "upx")
  behavioral1/memory/904-55-0x0000000001DA0000-0x0000000002E2E000-memory.dmp  upx
  behavioral1/memory/904-57-0x0000000001DA0000-0x0000000002E2E000-memory.dmp  upx
  behavioral1/memory/904-64-0x0000000001DA0000-0x0000000002E2E000-memory.dmp  upx
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
  pid 268  takeown.exe
  pid 660  icacls.exe

Windows security modification
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Key created     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)

Checks whether UAC is enabled
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)

Drops file in Windows directory 1 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  File opened for modification  C:\Windows\SYSTEM.INI  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  pid 904  c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe, takeown.exe
  Token: SeDebugPrivilege          pid 904  c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe  (21 identical entries)
  Token: SeTakeOwnershipPrivilege  pid 268  takeown.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe, cmd.exe
  PID 904 wrote to memory of 1120   (904 c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe -> taskhost.exe)
  PID 904 wrote to memory of 1176   (904 c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe -> Dwm.exe)
  PID 904 wrote to memory of 1208   (904 c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe -> Explorer.EXE)
  PID 904 wrote to memory of 1292   (904 c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe -> cmd.exe)  x4
  PID 1292 wrote to memory of 268   (1292 cmd.exe -> takeown.exe)  x4
  PID 1292 wrote to memory of 660   (1292 cmd.exe -> icacls.exe)  x4

System policy modification 1 TTPs 1 IoCs
Processes: c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c1d823192f4a0b05cb6c11b65f02c20421fdaa9acd98568269784c7f23be0040.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe
          cmdline: takeown /F mingliu.ttc /A
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          cmdline: icacls mingliu.ttc /grant Administrators:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions

C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

memory/268-61-0x0000000000000000-mapping.dmp

memory/660-62-0x0000000000000000-mapping.dmp

memory/904-54-0x0000000075281000-0x0000000075283000-memory.dmp
  Filesize: 8KB

memory/904-55-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
  Filesize: 16.6MB

memory/904-56-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/904-57-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
  Filesize: 16.6MB

memory/904-58-0x00000000001F0000-0x00000000001F2000-memory.dmp
  Filesize: 8KB

memory/904-63-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/904-64-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
  Filesize: 16.6MB

memory/1292-59-0x0000000000000000-mapping.dmp