Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 08-11-2022 02:19
Static task: static1
Behavioral task: behavioral1
Sample: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Resource: win7-20220812-en
General
Target: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Size: 173KB
MD5: 0b40102a3f7409b7189e91d2ebad4480
SHA1: 77bf14d71a234326c0168d7042bdb9af68a4ef56
SHA256: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7
SHA512: 7596a6d9d598f726968ad9cddd776264f1393d8eead04b75dcdd6466817345ce5f5cacef935ad4271d17210f8b7616a6e56e394b3a0c532629f4070980333e53
SSDEEP: 3072:Fq/bSpAbGTe2Aq/tqiBQOFugPY4j5+115fRxuyG/SE9vMd1A:Fq0Abge9OFugPY4215ZHEDyd1A
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Possible privilege escalation attempt 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
2012 | takeown.exe
1984 | icacls.exe
Processes:
resource | yara_rule
behavioral1/memory/1112-55-0x0000000001CB0000-0x0000000002D3E000-memory.dmp | upx
behavioral1/memory/1112-57-0x0000000001CB0000-0x0000000002D3E000-memory.dmp | upx
behavioral1/memory/1112-64-0x0000000001CB0000-0x0000000002D3E000-memory.dmp | upx
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
pid | process
2012 | takeown.exe
1984 | icacls.exe
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Drops file in Windows directory 1 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
pid | process
1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe (this entry is repeated 21 times in the report, all for PID 1112)
Token: SeTakeOwnershipPrivilege | 2012 | takeown.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe, cmd.exe
description | pid | process | target process
PID 1112 wrote to memory of 1144 | 1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe | taskhost.exe
PID 1112 wrote to memory of 1240 | 1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe | Dwm.exe
PID 1112 wrote to memory of 1272 | 1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe | Explorer.EXE
PID 1112 wrote to memory of 1996 | 1112 | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe | cmd.exe (4 occurrences)
PID 1996 wrote to memory of 2012 | 1996 | cmd.exe | takeown.exe (4 occurrences)
PID 1996 wrote to memory of 1984 | 1996 | cmd.exe | icacls.exe (4 occurrences)
System policy modification 1 TTPs 1 IoCs
Processes: 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
Processes
(tree depth in brackets; each entry gives image path, command line, triggered signatures and PID)

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID:1272

  [2] C:\Users\Admin\AppData\Local\Temp\4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\4e42e59d7ba81ab8a880aa589c520dea8fcadaeb11569f2612e89e2e53c00ec7.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID:1112

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
        - Suspicious use of WriteProcessMemory
        PID:1996

      [4] C:\Windows\SysWOW64\takeown.exe
          command line: takeown /F mingliu.ttc /A
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID:2012

      [4] C:\Windows\SysWOW64\icacls.exe
          command line: icacls mingliu.ttc /grant Administrators:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1984

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID:1240

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID:1144
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp
  Filesize: 8KB

memory/1112-55-0x0000000001CB0000-0x0000000002D3E000-memory.dmp
  Filesize: 16.6MB

memory/1112-56-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/1112-57-0x0000000001CB0000-0x0000000002D3E000-memory.dmp
  Filesize: 16.6MB

memory/1112-58-0x00000000003F0000-0x00000000003F2000-memory.dmp
  Filesize: 8KB

memory/1112-63-0x0000000000400000-0x000000000042B000-memory.dmp
  Filesize: 172KB

memory/1112-64-0x0000000001CB0000-0x0000000002D3E000-memory.dmp
  Filesize: 16.6MB

memory/1984-62-0x0000000000000000-mapping.dmp

memory/1996-59-0x0000000000000000-mapping.dmp

memory/2012-61-0x0000000000000000-mapping.dmp