Analysis
max time kernel: 0s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 25-12-2023 09:03
Static task: static1
Behavioral task: behavioral1
Sample: 13b4293f005672968a3a9fb5a13f83bf.exe
Resource: win7-20231129-en
General
Target: 13b4293f005672968a3a9fb5a13f83bf.exe
Size: 127KB
MD5: 13b4293f005672968a3a9fb5a13f83bf
SHA1: 766c1eff0197143a3541d0cb21f6c7f5aef82a96
SHA256: 009fd8571caf72728fd6c191043bcb63952afdb9d65cd935637297f542f7218e
SHA512: 09de181de793cf9982abd84d20f0e2971902e0684b5b29cdba3eac819c578cf92de15a4739a74d79d5eaf75a1dc5d38e43ce3eba7a10a09b9218be173d354b88
SSDEEP: 3072:/OxfaA2nWJ7hus1J5jlDYF60dZQyf7Cmm0j0K1kEY:/OTdBWY0pf270vkj
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 13b4293f005672968a3a9fb5a13f83bf.exe
-
UAC bypass 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13b4293f005672968a3a9fb5a13f83bf.exe
-
Windows security bypass 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
-
UPX packed file 29 IoCs
resource yara_rule
behavioral1/memory/2924-N-0x0000000001DB0000-0x0000000002E3E000-memory.dmp upx
(the same memory region of PID 2924 hit the upx rule in 29 snapshots; N = 2, 4, 8, 11, 14, 5, 17, 20, 24, 27, 28, 29, 30, 31, 33, 34, 35, 37, 39, 47, 49, 51, 53, 55, 62, 64, 66, 68, 70)
-
Windows security modification 7 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 13b4293f005672968a3a9fb5a13f83bf.exe
-
Checks whether UAC is enabled 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13b4293f005672968a3a9fb5a13f83bf.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI 13b4293f005672968a3a9fb5a13f83bf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2924 13b4293f005672968a3a9fb5a13f83bf.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process
Token: SeDebugPrivilege 2924 13b4293f005672968a3a9fb5a13f83bf.exe (20 identical rows)
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target (target image, resolved by PID from the Processes section below)
PID 2924 wrote to memory of 1128 2924 13b4293f005672968a3a9fb5a13f83bf.exe 9 (C:\Windows\system32\taskhost.exe)
PID 2924 wrote to memory of 1168 2924 13b4293f005672968a3a9fb5a13f83bf.exe 8 (C:\Windows\system32\Dwm.exe)
PID 2924 wrote to memory of 1216 2924 13b4293f005672968a3a9fb5a13f83bf.exe 7 (C:\Windows\Explorer.EXE)
PID 2924 wrote to memory of 2196 2924 13b4293f005672968a3a9fb5a13f83bf.exe 5 (C:\Windows\system32\DllHost.exe)
-
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13b4293f005672968a3a9fb5a13f83bf.exe
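The registry rows in the firewall-policy, UAC and Security Center signatures above are the part of this report a responder can act on directly: every one of them moves a Windows protection from its secure state to a disabled or silenced one. The following Python is an added example, not part of the sandbox report or of any vendor tooling. It parses rows in the same "description ioc Process" layout and reports each distinct write whose data differs from a hardened baseline. The baseline values, the key-suffix matching (so that ControlSet001 and the Wow6432Node view land on the same rule) and the sample rows, which are copied from the tables above, are assumptions of the example.

```python
"""Check sandbox registry IoC rows (the 'description ioc Process' tables above)
against a hardened Windows baseline. Rows look like
  Set value (<type>) <key>\\<name> = "<data>" <process>   or   Key created <key> <process>
"""
import re
from dataclasses import dataclass
from typing import Iterable

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')

# (key suffix, value name) -> (secure data, category), all lower-case. Suffix matching lets
# ControlSet001/CurrentControlSet and the Wow6432Node view hit the same rule. The secure
# values are this example's assumption; "1" for DoNotAllowExceptions is the shields-up
# setting rather than the Windows default.
BASELINE = {
    ("firewallpolicy\\standardprofile", "enablefirewall"): ("1", "firewall"),
    ("firewallpolicy\\standardprofile", "donotallowexceptions"): ("1", "firewall"),
    ("firewallpolicy\\standardprofile", "disablenotifications"): ("0", "firewall"),
    ("policies\\system", "enablelua"): ("1", "uac"),
    ("microsoft\\security center", "antivirusoverride"): ("0", "security_center"),
    ("microsoft\\security center", "firewalloverride"): ("0", "security_center"),
    ("microsoft\\security center", "antivirusdisablenotify"): ("0", "security_center"),
    ("microsoft\\security center", "firewalldisablenotify"): ("0", "security_center"),
    ("microsoft\\security center", "updatesdisablenotify"): ("0", "security_center"),
    ("microsoft\\security center", "uacdisablenotify"): ("0", "security_center"),
}

@dataclass(frozen=True)
class RegEvent:
    action: str   # "set_value" or "key_created"
    key: str      # registry path without the value name
    name: str     # value name ("" for key_created)
    value: str    # data as printed in the report ("" for key_created)
    process: str

@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    name: str
    observed: str
    secure: str
    process: str

def parse_registry_events(rows: Iterable[str]) -> list[RegEvent]:
    """Parse report rows; lines in neither layout are skipped."""
    events = []
    for raw in rows:
        line = raw.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            path, _, name = m.group("key").rpartition("\\")
            events.append(RegEvent("set_value", path, name, m.group("value"), m.group("proc")))
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            events.append(RegEvent("key_created", m.group("key"), "", "", m.group("proc")))
    return events

def evaluate(events: Iterable[RegEvent]) -> list[Finding]:
    """One finding per distinct write that leaves a baseline value insecure (duplicates collapsed)."""
    findings, seen = [], set()
    for ev in events:
        if ev.action != "set_value":
            continue
        key_l, name_l = ev.key.lower(), ev.name.lower()
        for (suffix, name), (secure, category) in BASELINE.items():
            if name_l == name and key_l.endswith(suffix) and ev.value != secure:
                dedup = (category, key_l, name_l, ev.value)
                if dedup not in seen:
                    seen.add(dedup)
                    findings.append(Finding(category, ev.key, ev.name, ev.value, secure, ev.process))
    return findings

def summarize(findings: Iterable[Finding]) -> dict:
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Rows copied from the signature tables above (EnableLUA is repeated there as well).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 13b4293f005672968a3a9fb5a13f83bf.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 13b4293f005672968a3a9fb5a13f83bf.exe',
]
```

Run against the rows above, `evaluate(parse_registry_events(REPORT_ROWS))` yields ten findings (three firewall, one UAC, six Security Center); the repeated EnableLUA row collapses into one and the `Svc` key creation is parsed but not scored, since the baseline only carries value rules. The same rule table can be pointed at a live host by replacing the parser with a registry read, which is where the suffix matching pays off across 32-bit and 64-bit views.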
Processes
All five entries sit at tree depth 1: the four Windows processes are not children of the sample, they are the pre-existing targets of its WriteProcessMemory calls listed above.
-
C:\Users\Admin\AppData\Local\Temp\13b4293f005672968a3a9fb5a13f83bf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\13b4293f005672968a3a9fb5a13f83bf.exe"
PID: 2924
Signatures:
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exe
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID: 2196
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
PID: 1216
-
C:\Windows\system32\Dwm.exe
Command line: "C:\Windows\system32\Dwm.exe"
PID: 1168
-
C:\Windows\system32\taskhost.exe
Command line: "taskhost.exe"
PID: 1128
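The WriteProcessMemory table and the process list above only make sense together: the `procid_target` column is the target's index in the sandbox's process list, not a PID, while the PID of the written-to process is the number inside the description. The following Python is an added example, not part of the report, that joins the two by PID and keeps only writes from an image outside the Windows directory into an image inside it. The PID-to-image table and the rows are copied from this report; the "image under C:\Windows means an OS process" heuristic is an assumption of the example.

```python
"""Resolve 'Suspicious use of WriteProcessMemory' rows to image paths by PID.
Row layout: 'PID <src> wrote to memory of <dst> <src> <image> <procid_target>'.
"""
import re
from dataclasses import dataclass
from typing import Iterable

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$')

# PID -> image path, copied from the Processes section of this report.
PROCESS_IMAGES = {
    2924: r"C:\Users\Admin\AppData\Local\Temp\13b4293f005672968a3a9fb5a13f83bf.exe",
    2196: r"C:\Windows\system32\DllHost.exe",
    1216: r"C:\Windows\Explorer.EXE",
    1168: r"C:\Windows\system32\Dwm.exe",
    1128: r"C:\Windows\system32\taskhost.exe",
}

# Rows copied from the WriteProcessMemory table of this report.
WPM_ROWS = [
    "PID 2924 wrote to memory of 1128 2924 13b4293f005672968a3a9fb5a13f83bf.exe 9",
    "PID 2924 wrote to memory of 1168 2924 13b4293f005672968a3a9fb5a13f83bf.exe 8",
    "PID 2924 wrote to memory of 1216 2924 13b4293f005672968a3a9fb5a13f83bf.exe 7",
    "PID 2924 wrote to memory of 2196 2924 13b4293f005672968a3a9fb5a13f83bf.exe 5",
]

@dataclass(frozen=True)
class Injection:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    target_index: int   # procid_target as printed; kept only for cross-reference

def parse_wpm_rows(rows: Iterable[str], images: dict) -> list[Injection]:
    """Parse rows and resolve both PIDs; unknown PIDs resolve to '<unknown>'."""
    out = []
    for raw in rows:
        m = WPM_RE.match(raw.strip())
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        out.append(Injection(src, images.get(src, "<unknown>"),
                             dst, images.get(dst, "<unknown>"), int(m.group("idx"))))
    return out

def is_os_image(path: str) -> bool:
    """Assumption of this example: an image under the Windows directory is an OS process."""
    return path.lower().startswith("c:\\windows\\")

def suspicious_injections(rows: Iterable[str], images: dict) -> list[Injection]:
    """Writes from a non-OS image into an OS image, ordered by target PID."""
    hits = [i for i in parse_wpm_rows(rows, images)
            if not is_os_image(i.source_image) and is_os_image(i.target_image)]
    return sorted(hits, key=lambda i: i.target_pid)
```

On this report all four rows survive the filter: a binary running from the user's Temp directory wrote into taskhost.exe, Dwm.exe, Explorer.EXE and a DllHost.exe COM surrogate. A target whose PID is absent from the process list resolves to `<unknown>` and is dropped rather than guessed at.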
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (T1548): 1
Bypass User Account Control (T1548.002): 1
Create or Modify System Process (T1543): 1
Windows Service (T1543.003): 1