Analysis
-
max time kernel
134s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2022 08:32
Static task
static1
Behavioral task
behavioral1
Sample
b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe
Resource
win7-20221111-en
windows7-x64
13 signatures
150 seconds
General
-
Target
b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe
-
Size
847KB
-
MD5
122818d2a6828767154fe6451cd532f0
-
SHA1
78f0a915a40e7f253df98b01c74985ed0b47b5a9
-
SHA256
b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746
-
SHA512
0dbcef9532a4392cd0685e8ddb9a4a592039c2d2fde041bc4b00324488db1d6af965eb536497d76e6cc850408ae3fea02dd68f67b17f333e440fb6ab61f1d78b
-
SSDEEP
12288:ynkq1q9o3p3WIS6GBj99VzF6CUoX04ztGQ6Ek4XddqX9K5xVhsqfHRF:yK6G5/rUsftt6Ek4XdVAUHP
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
resource yara_rule behavioral2/memory/4316-132-0x0000000002460000-0x00000000034EE000-memory.dmp upx behavioral2/memory/4316-134-0x0000000002460000-0x00000000034EE000-memory.dmp upx behavioral2/memory/4316-136-0x0000000002460000-0x00000000034EE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe Token: SeDebugPrivilege 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4316 wrote to memory of 772 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 8 PID 4316 wrote to memory of 780 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 14 PID 4316 wrote to memory of 1012 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 10 PID 4316 wrote to memory of 2588 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 23 PID 4316 wrote to memory of 2660 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 22 PID 4316 wrote to memory of 2848 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 20 PID 4316 wrote to memory of 2632 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 19 PID 4316 wrote to memory of 404 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 18 PID 4316 wrote to memory of 3268 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 17 PID 4316 wrote to memory of 3368 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 16 PID 4316 wrote to memory of 3440 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 15 PID 4316 wrote to memory of 3528 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 52 PID 4316 wrote to memory of 3696 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 51 PID 4316 wrote to memory of 856 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 30 PID 4316 wrote to memory of 2044 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 40 PID 4316 wrote to memory of 868 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 38 PID 4316 wrote to memory of 1172 4316 b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe 31 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1012
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3440
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3368
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:404
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe"C:\Users\Admin\AppData\Local\Temp\b6c103fc7fa28a5b34bb76966f030e194764d5bfedba4d05a265747ae4860746.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4316
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2848
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2660
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2588
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵PID:856
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1172
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:868
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:2044
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3696
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3528