Analysis
- max time kernel: 90s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/12/2022, 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6.dll
- Resource: win7-20220812-en
General
- Target: 7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6.dll
- Size: 120KB
- MD5: 4c2d57c66fed8326773184f02bb28acb
- SHA1: 66f1abc5a4c44d3db313fb925361f3bfa6a68991
- SHA256: 7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6
- SHA512: c2ba7afa77bda3c322c6c184e53721f41d8e23bd0799a22d0484355c33eabf7d5ac0d5f07a87e474fd653736224d889aa02540c97b2a49c9f64962062679d5bd
- SSDEEP: 1536:ClQVp4hnLydTzNm4F0atSl97dWMrnF3+YbSzp5Vp78WUJDUBEu:gI0nLYNm4FtmnoBNDGlJwEu
Malware Config
Extracted
- Family: sality
- C2 / update URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e56c50a.exe
UAC bypass (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56c50a.exe
Windows security bypass (6 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56c50a.exe
Executes dropped EXE (3 IoCs)
  pid | process
  3068 | e56c50a.exe
  4980 | e56c808.exe
  1296 | e56dbde.exe
UPX packed file (yara rule upx, 6 IoCs)
  resource | yara_rule
  behavioral2/memory/3068-136-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3068-140-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3068-148-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/3068-149-0x0000000000790000-0x000000000184A000-memory.dmp | upx
  behavioral2/memory/4980-150-0x0000000000B50000-0x0000000001C0A000-memory.dmp | upx
  behavioral2/memory/1296-153-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification (7 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56c50a.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56c50a.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56c50a.exe
Checks whether UAC is enabled (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56c50a.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process
  File opened (read-only) | \??\M: | e56c50a.exe
  File opened (read-only) | \??\N: | e56c50a.exe
  File opened (read-only) | \??\O: | e56c50a.exe
  File opened (read-only) | \??\S: | e56c50a.exe
  File opened (read-only) | \??\G: | e56c50a.exe
  File opened (read-only) | \??\H: | e56c50a.exe
  File opened (read-only) | \??\I: | e56c50a.exe
  File opened (read-only) | \??\K: | e56c50a.exe
  File opened (read-only) | \??\Q: | e56c50a.exe
  File opened (read-only) | \??\E: | e56c50a.exe
  File opened (read-only) | \??\J: | e56c50a.exe
  File opened (read-only) | \??\L: | e56c50a.exe
  File opened (read-only) | \??\P: | e56c50a.exe
  File opened (read-only) | \??\F: | e56c50a.exe
  File opened (read-only) | \??\R: | e56c50a.exe
Drops file in Program Files directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | e56c50a.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe | e56c50a.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e56c50a.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\e56c6cf | e56c50a.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e56c50a.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  3068 | e56c50a.exe  (4 identical rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3068 | e56c50a.exe  (64 identical rows)
Suspicious use of WriteProcessMemory (47 IoCs)
  description | pid | process | procid_target   (identical rows collapsed; count in brackets. The targets written to by 3068 are the session processes listed under Processes below: dwm, fontdrvhost, Explorer, RuntimeBroker, svchost, sihost, taskhostw, SearchApp and the two rundll32 loaders.)
  PID 428 wrote to memory of 4560 | 428 | rundll32.exe | 80  [x3]
  PID 4560 wrote to memory of 3068 | 4560 | rundll32.exe | 81  [x3]
  PID 3068 wrote to memory of 784 | 3068 | e56c50a.exe | 13  [x2]
  PID 3068 wrote to memory of 792 | 3068 | e56c50a.exe | 12  [x2]
  PID 3068 wrote to memory of 312 | 3068 | e56c50a.exe | 9  [x2]
  PID 3068 wrote to memory of 2388 | 3068 | e56c50a.exe | 58  [x2]
  PID 3068 wrote to memory of 2400 | 3068 | e56c50a.exe | 57  [x2]
  PID 3068 wrote to memory of 2624 | 3068 | e56c50a.exe | 52  [x2]
  PID 3068 wrote to memory of 1076 | 3068 | e56c50a.exe | 26  [x2]
  PID 3068 wrote to memory of 2032 | 3068 | e56c50a.exe | 25  [x2]
  PID 3068 wrote to memory of 3264 | 3068 | e56c50a.exe | 24  [x2]
  PID 3068 wrote to memory of 3356 | 3068 | e56c50a.exe | 22  [x2]
  PID 3068 wrote to memory of 3432 | 3068 | e56c50a.exe | 23  [x2]
  PID 3068 wrote to memory of 3516 | 3068 | e56c50a.exe | 47  [x2]
  PID 3068 wrote to memory of 3776 | 3068 | e56c50a.exe | 46  [x2]
  PID 3068 wrote to memory of 4860 | 3068 | e56c50a.exe | 43  [x2]
  PID 3068 wrote to memory of 428 | 3068 | e56c50a.exe | 42  [x1]
  PID 3068 wrote to memory of 4560 | 3068 | e56c50a.exe | 80  [x2]
  PID 4560 wrote to memory of 4980 | 4560 | rundll32.exe | 82  [x3]
  PID 4560 wrote to memory of 1296 | 4560 | rundll32.exe | 83  [x3]
  PID 3068 wrote to memory of 4980 | 3068 | e56c50a.exe | 82  [x2]
  PID 3068 wrote to memory of 1296 | 3068 | e56c50a.exe | 83  [x2]
System policy modification (1 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56c50a.exe
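The registry writes in the tables above (firewall policy profile, EnableLUA, the Security Center override and DisableNotify values) are the host-hardening switches this sample flips, and a detection has to treat the native key and the WOW6432Node copy as the same thing, since the 32-bit sample's Security Center writes landed under WOW6432Node while its EnableLUA write did not. The Python below is an added example, not tria.ge code and not part of the sample: it canonicalises HKLM value paths from a registry-write event feed and flags writes matching the value/data pairs recorded in this report. The event records are constructed; the PIDs, process name and paths follow the report, and the regedit.exe event is a made-up benign control.

```python
"""Flag registry writes that switch off Windows defences.

Added example for this Triage report, not tria.ge code. The indicator set is
the value paths and data that e56c50a.exe wrote in the report; the event
records at the bottom are constructed to resemble a sandbox or Sysmon
(Event ID 13, RegistryEvent SetValue) feed.
"""
from __future__ import annotations

import re

# Canonical value path (see normalise_path) -> data that disables the defence.
# Every entry comes from the report's signature tables.
DEFENCE_DISABLING_VALUES = {
    r"system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall": "0",
    r"system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications": "1",
    r"software\microsoft\windows\currentversion\policies\system\enablelua": "0",
    r"software\microsoft\security center\antivirusoverride": "1",
    r"software\microsoft\security center\antivirusdisablenotify": "1",
    r"software\microsoft\security center\firewalloverride": "1",
    r"software\microsoft\security center\firewalldisablenotify": "1",
    r"software\microsoft\security center\updatesdisablenotify": "1",
    r"software\microsoft\security center\uacdisablenotify": "1",
}

_HIVE_PREFIXES = ("\\registry\\machine\\", "hkey_local_machine\\", "hklm\\")
_CONTROL_SET = re.compile(r"controlset\d{3}")


def normalise_path(path: str) -> str:
    """Canonicalise an HKLM value path so one rule matches every spelling.

    Lower-case it (registry paths are case-insensitive), strip the hive
    prefix (kernel REGISTRY MACHINE form, HKLM or HKEY_LOCAL_MACHINE), drop
    WOW6432Node (where a 32-bit process's writes land on x64 Windows) and map
    ControlSet001/002 to CurrentControlSet.
    """
    p = path.lower()
    for prefix in _HIVE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    p = p.replace("wow6432node\\", "")
    return _CONTROL_SET.sub("currentcontrolset", p)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per SetValue event whose path and data match the indicator set."""
    findings = []
    for ev in events:
        if ev.get("op") != "SetValue":
            continue
        key = normalise_path(ev["path"])
        wanted = DEFENCE_DISABLING_VALUES.get(key)
        if wanted is not None and str(ev["data"]) == wanted:
            findings.append({"pid": ev["pid"], "process": ev["process"],
                             "value": key, "data": str(ev["data"])})
    return findings


def summarise(findings: list[dict]) -> dict[int, list[str]]:
    """Group matched value names by PID. One process hitting several of these
    in a short window is the pattern in the report, not a lone admin change."""
    by_pid: dict[int, list[str]] = {}
    for f in findings:
        by_pid.setdefault(f["pid"], []).append(f["value"].rsplit("\\", 1)[-1])
    return by_pid


# Constructed events. PIDs, process name and paths follow the report; the
# regedit.exe event is a benign control (same value, opposite data).
SAMPLE_EVENTS = [
    {"pid": 3068, "process": "e56c50a.exe", "op": "SetValue", "data": "0",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall"},
    {"pid": 3068, "process": "e56c50a.exe", "op": "SetValue", "data": "0",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"pid": 3068, "process": "e56c50a.exe", "op": "SetValue", "data": "1",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"pid": 3068, "process": "e56c50a.exe", "op": "CreateKey", "data": None,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc"},
    {"pid": 5120, "process": "regedit.exe", "op": "SetValue", "data": "1",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
]

if __name__ == "__main__":
    for pid, values in summarise(detect(SAMPLE_EVENTS)).items():
        print(f"PID {pid} disabled: {', '.join(values)}")
```

Matching on the data as well as the path is what keeps the benign control quiet: an administrator restoring EnableLUA to 1 touches the same value and should not fire. The CreateKey on Security Center\Svc is deliberately ignored here; it is in the report, but a key creation carries no data to compare and is better left to a separate rule.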
Processes
(image path | command line | PID; indented entries are children of the entry above them)

- C:\Windows\system32\dwm.exe | "dwm.exe" | PID 312
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 792
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 784
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3356
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3432
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3264
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 2032
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1076
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6.dll,#1 | PID 428
      signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6.dll,#1 | PID 4560
        signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e56c50a.exe | C:\Users\Admin\AppData\Local\Temp\e56c50a.exe | PID 3068
          signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e56c808.exe | C:\Users\Admin\AppData\Local\Temp\e56c808.exe | PID 4980
          signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e56dbde.exe | C:\Users\Admin\AppData\Local\Temp\e56dbde.exe | PID 1296
          signatures: Executes dropped EXE
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4860
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3776
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3516
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2624
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2400
- C:\Windows\system32\sihost.exe | sihost.exe | PID 2388
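The tree above is the loader chain worth alerting on: the 64-bit rundll32.exe (PID 428) is invoked on the sample DLL by ordinal (the ",#1" suffix), it re-launches the 32-bit SysWOW64 copy (PID 4560) because the DLL is x86, and that copy runs three executables dropped in the user's Temp directory, the first of which (PID 3068) then writes into every other session process. The Python below is an added example, not tria.ge output and not part of the sample: it rebuilds parent/child relationships from process-creation records and flags both halves of the pattern, rundll32 loading a Temp DLL by ordinal and a Temp executable whose parent is rundll32. The records are constructed from the tree above (PIDs, images and command lines as listed there); Explorer's parent PID and the parent of the RuntimeBroker record are assumptions.

```python
"""Rebuild the process chain from this report and flag the
rundll32 -> Temp-executable pattern it shows.

Added example, not tria.ge code. Records are constructed from the report's
process tree; Explorer's parent PID (1000) and RuntimeBroker's parent are
assumed, the rest is as listed in the report.
"""
import re
from collections import defaultdict

USER_TEMP = "\\appdata\\local\\temp\\"
# "...\file.dll,#1": rundll32 calling an export by ordinal rather than by name.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(records):
    """Index records by PID and by parent PID."""
    by_pid = {r["pid"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r["ppid"]].append(r["pid"])
    return by_pid, children


def ancestry(pid, by_pid):
    """Image names from pid up to the highest ancestor we have a record for, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(records):
    """Return (pid, reason, ancestry) for every record matching either rule."""
    by_pid, _ = build_tree(records)
    findings = []
    for r in records:
        image, cmd = basename(r["image"]), r["cmdline"].lower()
        if image == "rundll32.exe" and USER_TEMP in cmd and ORDINAL_EXPORT.search(cmd):
            findings.append((r["pid"], "rundll32 loads a DLL from user Temp by ordinal",
                             ancestry(r["pid"], by_pid)))
        elif USER_TEMP in r["image"].lower():
            parent = by_pid.get(r["ppid"])
            if parent and basename(parent["image"]) == "rundll32.exe":
                findings.append((r["pid"], "executable in user Temp spawned by rundll32",
                                 ancestry(r["pid"], by_pid)))
    return findings


DLL = r"C:\Users\Admin\AppData\Local\Temp\7fae69824ad72fb14531e265392862a9c709a26ca8b1c512b57a4e7e4ffb27a6.dll"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed process-creation records built from the report's process tree.
SAMPLE_PROCESSES = [
    {"pid": 1076, "ppid": 1000, "image": r"C:\Windows\Explorer.EXE",  # ppid assumed
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 428, "ppid": 1076, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 4560, "ppid": 428, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3068, "ppid": 4560, "image": f"{TEMP}\\e56c50a.exe", "cmdline": f"{TEMP}\\e56c50a.exe"},
    {"pid": 4980, "ppid": 4560, "image": f"{TEMP}\\e56c808.exe", "cmdline": f"{TEMP}\\e56c808.exe"},
    {"pid": 1296, "ppid": 4560, "image": f"{TEMP}\\e56dbde.exe", "cmdline": f"{TEMP}\\e56dbde.exe"},
    {"pid": 3432, "ppid": 1076, "image": r"C:\Windows\System32\RuntimeBroker.exe",  # ppid assumed
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
]

if __name__ == "__main__":
    for pid, reason, chain in find_suspicious(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}  [{' <- '.join(chain)}]")
```

The rundll32 rule keys on two things that legitimate rundll32 use rarely combines, a DLL under the user's Temp directory and an ordinal export; the second rule is deliberately narrow (parent must be rundll32) so that ordinary installers unpacking to Temp do not trip it. In a real feed, ancestry() is also what ties the three dropped executables back to the DLL that was originally submitted.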
Network
MITRE ATT&CK Enterprise v6
Downloads
Six entries, all with the same size and hashes:
- Filesize: 97KB
- MD5: aa5d091df485ff233a18edc1e49f40f8
- SHA1: 19617ebae08c7106d9e8a7683d09e3d95be86a19
- SHA256: 77c1f423454cae7562d74728227d91b9edb4133fc8e55eb957aeb3a4a2bb06f1
- SHA512: 20b80d7919304f1e12b19a01d2d1a497b30e47492790df727fbcbaf7281eb10871c0dba8f22613ecbb196db88b7eb378f92890968af0d215d87d6ffc36736b7e