Analysis
  max time kernel: 47s
  max time network: 52s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 06-11-2022 18:45

Static task: static1

Behavioral task: behavioral1
  Sample: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Resource: win7-20220901-en
General
  Target: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Size: 173KB
  MD5: 0237d30a4893ced532ca226a4446f000
  SHA1: e8cb61257f42c94743774dc7765ed23f3a89773b
  SHA256: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3
  SHA512: 2dc244baa1e7854c47fbefe36bcda90fef01991ee7e7a3830909935905f06113b8f841fe91e5ad9abcfefba8ae1b61d8b5abca958d47bcc33a4584b3ad8e1ac2
  SSDEEP: 3072:oq/lSpAbGTe2Aq/tqijXjE91FjaYHLRlH9sVX1A:oqeAbgeETE91xHDOt1A
Malware Config
  Extracted (family): sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe

UAC bypass [signature name taken from the process tree; heading missing in the extracted page]
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe

Windows security bypass [signature name taken from the process tree; heading missing in the extracted page]
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1488 | takeown.exe
  1332 | icacls.exe

[signature name not present on the page]
  Processes:
  resource | yara_rule
  behavioral1/memory/1544-55-0x0000000001C90000-0x0000000002D1E000-memory.dmp | upx
  behavioral1/memory/1544-58-0x0000000001C90000-0x0000000002D1E000-memory.dmp | upx
  behavioral1/memory/1544-64-0x0000000001C90000-0x0000000002D1E000-memory.dmp | upx
Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid | process
  1488 | takeown.exe
  1332 | icacls.exe

Windows security modification [signature name taken from the process tree; heading missing in the extracted page]
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe

Checks whether UAC is enabled [signature name taken from the process tree; heading missing in the extracted page]
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
Drops file in Windows directory (1 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  pid | process
  1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe, takeown.exe
  description | pid | process
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeDebugPrivilege | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  Token: SeTakeOwnershipPrivilege | 1488 | takeown.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe, cmd.exe
  description | pid | process | target process
  PID 1544 wrote to memory of 1132 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | taskhost.exe
  PID 1544 wrote to memory of 1188 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | Dwm.exe
  PID 1544 wrote to memory of 1220 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | Explorer.EXE
  PID 1544 wrote to memory of 1076 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | cmd.exe
  PID 1544 wrote to memory of 1076 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | cmd.exe
  PID 1544 wrote to memory of 1076 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | cmd.exe
  PID 1544 wrote to memory of 1076 | 1544 | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe | cmd.exe
  PID 1076 wrote to memory of 1488 | 1076 | cmd.exe | takeown.exe
  PID 1076 wrote to memory of 1488 | 1076 | cmd.exe | takeown.exe
  PID 1076 wrote to memory of 1488 | 1076 | cmd.exe | takeown.exe
  PID 1076 wrote to memory of 1488 | 1076 | cmd.exe | takeown.exe
  PID 1076 wrote to memory of 1332 | 1076 | cmd.exe | icacls.exe
  PID 1076 wrote to memory of 1332 | 1076 | cmd.exe | icacls.exe
  PID 1076 wrote to memory of 1332 | 1076 | cmd.exe | icacls.exe
  PID 1076 wrote to memory of 1332 | 1076 | cmd.exe | icacls.exe
System policy modification (1 TTPs, 1 IoCs)
  Processes: b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE

    [2] C:\Users\Admin\AppData\Local\Temp\b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\b7748212568d612152f46667fa27d3c47ce04aa00dfb89a032d2d8607323bbf3.exe"
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\takeown.exe
                command line: takeown /F mingliu.ttc /A
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\icacls.exe
                command line: icacls mingliu.ttc /grant Administrators:(F)
                - Possible privilege escalation attempt
                - Modifies file permissions

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

memory/1076-57-0x0000000000000000-mapping.dmp

memory/1332-62-0x0000000000000000-mapping.dmp

memory/1488-61-0x0000000000000000-mapping.dmp

memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp
  Filesize: 8KB

memory/1544-55-0x0000000001C90000-0x0000000002D1E000-memory.dmp
  Filesize: 16.6MB

memory/1544-56-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/1544-58-0x0000000001C90000-0x0000000002D1E000-memory.dmp
  Filesize: 16.6MB

memory/1544-59-0x0000000003F00000-0x0000000003F02000-memory.dmp
  Filesize: 8KB

memory/1544-63-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/1544-64-0x0000000001C90000-0x0000000002D1E000-memory.dmp
  Filesize: 16.6MB