Analysis
- max time kernel: 31s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2022 11:42
Static task: static1
Behavioral task: behavioral1
Sample: 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe
Resource: win7-20220812-en
General
- Target: 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (the file is named after its own SHA256)
- Size: 177KB
- MD5: 22408f36bd6db96d30c5bb149b3050e0
- SHA1: e184eeb125c465dfa2b1a721ad89b45ce0cf3801
- SHA256: 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95
- SHA512: 743f21a1ee68de71eaf52c0e7d91db9c5826e37ea0c3b98a11d662c2aa536e96e60a859a8abb69683bf87589d903e3e2772000827268270b0cfdb810d5ea2198
- SSDEEP: 3072:Yq/HSpAbGTe2Aq/tqiI09Gp7ifqtTyOWZS7wB7gUkIjr7aF1A:YqQAbge6Gp79Wc7pIjr7aF1A
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
These URLs come from the Sality configuration extracted from the sample (static config, not observed traffic).
Signatures
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
-
UAC bypass (signature name as tagged in the process tree below)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  EnableLUA = 0 switches UAC off for subsequent logons; the same write is reported again under "Checks whether UAC is enabled" and "System policy modification" below.
-
Windows security bypass (signature name as tagged in the process tree below)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  The Wow6432Node path shows the writer is a 32-bit process on this x64 image: the registry redirector maps its HKLM\SOFTWARE writes there, so a detection rule must match both the native and the redirected path.
-
Possible privilege escalation attempt (2 IoCs)
Processes: 940 takeown.exe, 972 icacls.exe
-
UPX packer detected in memory (yara rule upx, 3 IoCs)
  behavioral1/memory/1348-55-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  behavioral1/memory/1348-57-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  behavioral1/memory/1348-64-0x0000000001D50000-0x0000000002E0A000-memory.dmp
  All three hits are dumps of the same 16.7MB region of PID 1348 (see Downloads).
-
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: 940 takeown.exe, 972 icacls.exe
-
Windows security modification (signature name as tagged in the process tree below)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
-
Checks whether UAC is enabled (signature name as tagged in the process tree below)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Drops file in Windows directory (2 IoCs)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  File opened for modification C:\Windows\SYSTEM.INI
  File created C:\Windows\6c9973
  Writing to C:\Windows\SYSTEM.INI is a long-standing Sality marker; both locations are writable only with administrative rights.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. For a Sality file infector, drive enumeration fits its search for executables and removable media to infect far better than ransomware.
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Process: 1348 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe
-
Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege 1348 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (19 occurrences)
  Token: SeTakeOwnershipPrivilege 940 takeown.exe
  SeDebugPrivilege is what lets PID 1348 open and write the system processes listed under WriteProcessMemory; SeTakeOwnershipPrivilege is what takeown needs for the /A switch.
-
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1348 (30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe) wrote to memory of 1104 taskhost.exe (1 write)
  PID 1348 wrote to memory of 1164 Dwm.exe (1 write)
  PID 1348 wrote to memory of 1188 Explorer.EXE (1 write)
  PID 1348 wrote to memory of 732 cmd.exe (4 writes)
  PID 732 (cmd.exe) wrote to memory of 940 takeown.exe (4 writes)
  PID 732 (cmd.exe) wrote to memory of 972 icacls.exe (4 writes)
  The bursts of four writes into cmd.exe, takeown.exe and icacls.exe go to a process the writer has just created and are the normal CreateProcess pattern. The single writes into taskhost.exe, Dwm.exe and Explorer.EXE (the sample's own parent) target already-running system processes; that is the injection indicator, consistent with Sality placing its code in running processes.
-
System policy modification (1 TTPs, 1 IoCs)
Process 30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe (PID 1348):
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
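The registry signatures above all describe one thing: a process flipping the values that disable the firewall, UAC and Security Center notifications. The following detection logic is an added example written for this page, not code from the sandbox vendor or from the sample. It runs over registry-write events constructed here to mirror the report's IoCs in a Sysmon Event ID 13 shape (Image, TargetObject, Details); those field names and the benign svchost.exe event are assumptions. It normalises the Wow6432Node and ControlSet001 forms so 32-bit and 64-bit writers match the same rule, and it ignores writes that re-enable a control.

```python
"""Flag registry writes that switch off Windows security controls.

Added example for this report; not code from the sandbox vendor or from the
sample. The events are constructed to mirror the report's registry IoCs in a
Sysmon Event ID 13 shape (Image, TargetObject, Details); those field names
and the benign svchost.exe event are assumptions.
"""
import re
from collections import Counter

# (normalised key suffix, value name, data that disables the control) -> signature name
TAMPER_RULES = {
    ("firewallpolicy\\standardprofile", "enablefirewall", 0): "Modifies firewall policy service",
    ("firewallpolicy\\standardprofile", "donotallowexceptions", 0): "Modifies firewall policy service",
    ("firewallpolicy\\standardprofile", "disablenotifications", 1): "Modifies firewall policy service",
    ("currentversion\\policies\\system", "enablelua", 0): "UAC bypass",
    ("microsoft\\security center", "antivirusoverride", 1): "Windows security bypass",
    ("microsoft\\security center", "antivirusdisablenotify", 1): "Windows security bypass",
    ("microsoft\\security center", "firewalloverride", 1): "Windows security bypass",
    ("microsoft\\security center", "firewalldisablenotify", 1): "Windows security bypass",
    ("microsoft\\security center", "updatesdisablenotify", 1): "Windows security bypass",
    ("microsoft\\security center", "uacdisablenotify", 1): "Windows security bypass",
}


def normalise_key(path):
    """Lower-case, drop the hive prefix, undo WOW64 redirection and pin
    ControlSetNNN to CurrentControlSet, so a 32-bit process's write under
    Wow6432Node compares equal to the native path."""
    p = path.lower()
    p = re.sub(r"^(\\registry\\machine\\|hklm\\|hkey_local_machine\\)", "", p)
    p = p.replace("wow6432node\\", "")
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)
    return p


def parse_dword(details):
    """Accept Sysmon's 'DWORD (0x00000000)', the report's '"0"', or a bare number."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group(0)) if m else None


def detect_tamper(events):
    """Return (signature, image, value name, data) for every write that puts a
    control into its disabled state; writes that re-enable a control are ignored."""
    findings = []
    for ev in events:
        key, _, value_name = normalise_key(ev["TargetObject"]).rpartition("\\")
        data = parse_dword(ev["Details"])
        for (suffix, name, bad_value), signature in TAMPER_RULES.items():
            if value_name == name and key.endswith(suffix) and data == bad_value:
                findings.append((signature, ev["Image"], value_name, data))
    return findings


def summarise(findings):
    """Signature name -> number of tampered values attributed to it."""
    return Counter(sig for sig, _, _, _ in findings)


# Constructed events mirroring the report (paths as the report prints them).
SAMPLE_EXE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
              "30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe")
FW = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\"
SC = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\"
LUA = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"


def event(image, target, dword):
    return {"Image": image, "TargetObject": target, "Details": "DWORD (0x%08x)" % dword}


SAMPLE_EVENTS = (
    [event(SAMPLE_EXE, FW + "EnableFirewall", 0),
     event(SAMPLE_EXE, FW + "DoNotAllowExceptions", 0),
     event(SAMPLE_EXE, FW + "DisableNotifications", 1),
     event(SAMPLE_EXE, LUA, 0)]
    + [event(SAMPLE_EXE, SC + name, 1) for name in (
        "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
        "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify")]
    # Assumed benign event: a service re-enabling UAC. Must not be flagged.
    + [event("C:\\Windows\\System32\\svchost.exe", LUA, 1)]
)

if __name__ == "__main__":
    for finding in detect_tamper(SAMPLE_EVENTS):
        print(*finding)
    print(dict(summarise(detect_tamper(SAMPLE_EVENTS))))
```

Matching on the key suffix rather than the full path is deliberate: the same values live under HKLM\SYSTEM\CurrentControlSet on a live host, under ControlSet001 in an offline hive, and under Wow6432Node when a 32-bit process writes them, and a rule pinned to one spelling misses the others.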
Processes
-
C:\Windows\Explorer.EXE  (PID 1188)  command line: "C:\Windows\Explorer.EXE"
  C:\Users\Admin\AppData\Local\Temp\30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe  (PID 1348)  command line: "C:\Users\Admin\AppData\Local\Temp\30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\SysWOW64\cmd.exe  (PID 732)  command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\takeown.exe  (PID 940)  command line: takeown /F mingliu.ttc /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\icacls.exe  (PID 972)  command line: icacls mingliu.ttc /grant Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
C:\Windows\system32\Dwm.exe  (PID 1164)  command line: "C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe  (PID 1104)  command line: "taskhost.exe"

Reading the tree: Explorer.EXE launched the sample; the sample spawned the 32-bit cmd.exe (SysWOW64, matching the Wow6432Node registry writes and the arch:x86 tag) to run x_0.bat, a 254-byte batch file in the Tencent QQPinyin RenameTTX folder (hashes under Downloads). The batch takes ownership of mingliu.ttc (a relative path; the working directory is not shown) and grants Administrators full control over it. That font-file step reads like the original host program's own logic rather than the viral payload, which is what one expects of a Sality-infected executable. Dwm.exe and taskhost.exe appear as separate roots because the sample wrote into them (see WriteProcessMemory), not because it started them.
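The process tree and the WriteProcessMemory IoCs together let an analyst separate injection from ordinary process creation and recover what the batch did to the file. The block below is an added example for this page, not code from the sandbox vendor or from the sample. The process table, write records and command lines are transcribed from the tree and IoCs above; the parents of Explorer.EXE, Dwm.exe and taskhost.exe are not in the report and are set to None (assumption).

```python
"""Tell process injection apart from ordinary child creation in the report's
WriteProcessMemory records, and pull the takeown/icacls target out of the batch.

Added example; not code from the sandbox vendor or from the sample. The
process table, write records and command lines are transcribed from the
process tree. Parents of Explorer.EXE, Dwm.exe and taskhost.exe are not in
the report and are set to None (assumption).
"""
import re

SAMPLE_EXE = "30ea4cda531ea2ea2a7f2b5494fcc830e623518862c48852a4b1e3b03c071f95.exe"

# pid -> (image, parent pid), from the process tree and the IoC PIDs
PROCESSES = {
    1188: ("Explorer.EXE", None),
    1164: ("Dwm.exe", None),
    1104: ("taskhost.exe", None),
    1348: (SAMPLE_EXE, 1188),
    732: ("cmd.exe", 1348),
    940: ("takeown.exe", 732),
    972: ("icacls.exe", 732),
}

# (writer pid, target pid), one tuple per "wrote to memory of" IoC (15 total)
WRITES = ([(1348, 1104), (1348, 1164), (1348, 1188)]
          + [(1348, 732)] * 4 + [(732, 940)] * 4 + [(732, 972)] * 4)

COMMAND_LINES = {
    940: "takeown /F mingliu.ttc /A",
    972: "icacls mingliu.ttc /grant Administrators:(F)",
}


def classify_writes(processes, writes):
    """Return {(writer image, target image): (count, verdict)}.

    A parent writing into a process it just created is what CreateProcess
    does (the sandbox logs it as a burst of WriteProcessMemory calls); a write
    into any other process is a cross-process write, i.e. injection."""
    out = {}
    for src, dst in writes:
        src_img, src_parent = processes[src]
        dst_img, dst_parent = processes[dst]
        if dst_parent == src:
            verdict = "child-creation"
        elif src_parent == dst:
            verdict = "injection into own parent"
        else:
            verdict = "injection"
        count, _ = out.get((src_img, dst_img), (0, verdict))
        out[(src_img, dst_img)] = (count + 1, verdict)
    return out


def injections(processes, writes):
    """Sorted (writer, target) pairs that child creation does not explain."""
    return sorted(pair for pair, (_, verdict) in classify_writes(processes, writes).items()
                  if verdict != "child-creation")


TAKEOWN = re.compile(r"\btakeown\b.*?/F\s+\"?([^\s\"]+)", re.I)
ICACLS = re.compile(r"\bicacls\s+\"?([^\s\"]+)\"?\s.*?/grant\b", re.I)


def acl_takeover_targets(command_lines):
    """Files that were first taken over with takeown /F and then re-ACLed with
    icacls /grant: the pair that makes a protected file writable."""
    owned = {m.group(1).lower() for c in command_lines.values() for m in [TAKEOWN.search(c)] if m}
    granted = {m.group(1).lower() for c in command_lines.values() for m in [ICACLS.search(c)] if m}
    return owned & granted


if __name__ == "__main__":
    for (src, dst), (count, verdict) in classify_writes(PROCESSES, WRITES).items():
        print(f"{src} -> {dst}: {count} write(s), {verdict}")
    print("ACL takeover targets:", acl_takeover_targets(COMMAND_LINES))
```

On a real telemetry feed the parent relation comes from process-creation events rather than a hand-written table, but the rule is the same: a write into a process whose parent is not the writer is the one to alert on.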
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e
-
Memory dumps (name, then the size listed for it; the first number in the name is the PID, the second the dump sequence number):
  memory/732-59-0x0000000000000000-mapping.dmp  (cmd.exe, mapping only)
  memory/940-61-0x0000000000000000-mapping.dmp  (takeown.exe, mapping only)
  memory/972-62-0x0000000000000000-mapping.dmp  (icacls.exe, mapping only)
  memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp  8KB
  memory/1348-55-0x0000000001D50000-0x0000000002E0A000-memory.dmp  16.7MB
  memory/1348-56-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
  memory/1348-57-0x0000000001D50000-0x0000000002E0A000-memory.dmp  16.7MB
  memory/1348-58-0x00000000003E0000-0x00000000003E2000-memory.dmp  8KB
  memory/1348-63-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
  memory/1348-64-0x0000000001D50000-0x0000000002E0A000-memory.dmp  16.7MB
  The address ranges agree with the listed sizes (0x42C000 - 0x400000 = 0x2C000 = 176KB; 0x2E0A000 - 0x1D50000 = 0x10BA000 = 16.7MB). 0x400000-0x42C000 is the sample's own image, close to its 177KB on-disk size; 0x1D50000-0x2E0A000, dumped three times (sequence 55, 57 and 64), is the region the upx yara rule matched and the first place to look for unpacked code.
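The dump names encode the PID and the address range, so the sizes can be recomputed and repeated dumps of one region grouped without opening the files. This parser is an added example for this page, not code from the sandbox vendor; DUMPS is transcribed from the list above (name and listed size), and the size formatting imitates how the report prints sizes.

```python
"""Parse the report's memory-dump names, recompute region sizes and group the
repeated dumps of one region.

Added example; not code from the sandbox vendor. DUMPS is transcribed from the
Downloads list (name, size as listed). human_size imitates the report's own
rendering of sizes (16.7MB, 176KB, 254B).
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")


def parse_dump_name(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp or
    memory/<pid>-<seq>-0x0-mapping.dmp -> dict; size is None for a mapping."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "size": None if end is None else end - start}


def human_size(n):
    """Render bytes the way the report does: 16.7MB, 176KB, 254B."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def size_mismatches(dumps):
    """Names whose listed size disagrees with the size implied by the address range."""
    bad = []
    for name, listed in dumps:
        d = parse_dump_name(name)
        if d["size"] is not None and human_size(d["size"]) != listed:
            bad.append(name)
    return bad


def regions(dumps):
    """{(pid, start, end): [seq, ...]} so repeated dumps of one region group together."""
    out = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["end"] is not None:
            out.setdefault((d["pid"], d["start"], d["end"]), []).append(d["seq"])
    return out


def largest_region(dumps):
    """(pid, start, end) of the biggest dumped range: for a packed sample this is
    usually the unpacked working area rather than the 0x400000 image."""
    best = None
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["size"] is not None and (best is None or d["size"] > best[3]):
            best = (d["pid"], d["start"], d["end"], d["size"])
    return best[:3] if best else None


# Transcribed from the report's Downloads list: (name, listed size or None).
DUMPS = [
    ("memory/732-59-0x0000000000000000-mapping.dmp", None),
    ("memory/940-61-0x0000000000000000-mapping.dmp", None),
    ("memory/972-62-0x0000000000000000-mapping.dmp", None),
    ("memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp", "8KB"),
    ("memory/1348-55-0x0000000001D50000-0x0000000002E0A000-memory.dmp", "16.7MB"),
    ("memory/1348-56-0x0000000000400000-0x000000000042C000-memory.dmp", "176KB"),
    ("memory/1348-57-0x0000000001D50000-0x0000000002E0A000-memory.dmp", "16.7MB"),
    ("memory/1348-58-0x00000000003E0000-0x00000000003E2000-memory.dmp", "8KB"),
    ("memory/1348-63-0x0000000000400000-0x000000000042C000-memory.dmp", "176KB"),
    ("memory/1348-64-0x0000000001D50000-0x0000000002E0A000-memory.dmp", "16.7MB"),
]

if __name__ == "__main__":
    for (pid, start, end), seqs in regions(DUMPS).items():
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} {human_size(end - start):>7}  dumps {seqs}")
    print("mismatches:", size_mismatches(DUMPS))
    print("largest:", largest_region(DUMPS))
```

For this report the check returns no mismatches and groups the three 16.7MB dumps of PID 1348 under one region, which is the same region the upx yara rule fired on.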