Analysis
- max time kernel: 38s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-11-2022 21:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Resource: win7-20220812-en
General
- Target: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Size: 181KB
- MD5: 41e056baa1b836250acdbd38038f33e0
- SHA1: 247df66ecc857feff3cd603bcc224199ac3202da
- SHA256: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271
- SHA512: fa9729858776c41ac4a7ec36a5d346bc419f7414664a1a31f43b965324b1ad712cd6e2932fee6d76a1e93c3fe46951b82cbdf0373d3be2a37d89180058676936
- SSDEEP: 3072:Gq/oSpAbGTe2Aq/tqiHJqwxgZh5ifl1cOduZE9141A:GqRAbgeSxkhVOduy41A
Malware Config
- Extracted family: sality
- Extracted URLs:
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"

Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 844 takeown.exe
- PID 1812 icacls.exe

Processes:
- resource behavioral1/memory/1644-55-0x0000000001D50000-0x0000000002DDE000-memory.dmp, yara_rule upx
- resource behavioral1/memory/1644-63-0x0000000001D50000-0x0000000002DDE000-memory.dmp, yara_rule upx

Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 844 takeown.exe
- PID 1812 icacls.exe

Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"

Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- File opened (read-only) \??\E:

Drops file in Windows directory (1 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- File opened for modification C:\Windows\SYSTEM.INI

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- PID 1644 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe, takeown.exe
- Token: SeDebugPrivilege, PID 1644, 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe (20 entries)
- Token: SeTakeOwnershipPrivilege, PID 844, takeown.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe, cmd.exe
- PID 1644 (02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe) wrote to memory of PID 1168 (taskhost.exe)
- PID 1644 (02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe) wrote to memory of PID 1256 (Dwm.exe)
- PID 1644 (02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe) wrote to memory of PID 1340 (Explorer.EXE)
- PID 1644 (02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe) wrote to memory of PID 1452 (cmd.exe) (4 entries)
- PID 1452 (cmd.exe) wrote to memory of PID 844 (takeown.exe) (4 entries)
- PID 1452 (cmd.exe) wrote to memory of PID 1812 (icacls.exe) (4 entries)

System policy modification (1 TTPs, 1 IoCs)
Processes: 02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

- C:\Windows\Explorer.EXE (PID 1340)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe (PID 1644)
    command line: "C:\Users\Admin\AppData\Local\Temp\02bf2115149941d915cf0e8caa9e2c74f095065b0890be40ca4c25823b031271.exe"
    signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 1452)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe (PID 844)
        command line: takeown /F mingliu.ttc /A
        signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\icacls.exe (PID 1812)
        command line: icacls mingliu.ttc /grant Administrators:(F)
        signatures: Possible privilege escalation attempt; Modifies file permissions
- C:\Windows\system32\Dwm.exe (PID 1256)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1168)
  command line: "taskhost.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e
- memory/844-60-0x0000000000000000-mapping.dmp
- memory/1452-58-0x0000000000000000-mapping.dmp
- memory/1644-54-0x0000000075E51000-0x0000000075E53000-memory.dmp (Filesize: 8KB)
- memory/1644-56-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1644-55-0x0000000001D50000-0x0000000002DDE000-memory.dmp (Filesize: 16.6MB)
- memory/1644-57-0x00000000003F0000-0x00000000003F2000-memory.dmp (Filesize: 8KB)
- memory/1644-62-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1644-63-0x0000000001D50000-0x0000000002DDE000-memory.dmp (Filesize: 16.6MB)
- memory/1812-61-0x0000000000000000-mapping.dmp