Analysis

max time kernel: 124s
max time network: 94s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 01:03

Static task: static1

Behavioral task: behavioral1
Sample: 096eb0c725070338126410d5eff1f88a.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 096eb0c725070338126410d5eff1f88a.exe
Resource: win10v2004-20231215-en
General

Target: 096eb0c725070338126410d5eff1f88a.exe
Size: 97KB
MD5: 096eb0c725070338126410d5eff1f88a
SHA1: 428bfe9af07890ce1ee343781b23171226b20879
SHA256: 6c4d432e43117c4ddcb3809378666ab80cf0a4072bd8ff338537d43fd2ad3670
SHA512: 7896e9f19d57d3fd00749f55ff7930980a36e5e3ec09bded14abf19c53ac2f604b1d71af5f82374d2ddfc12ddee83a9105cfefd26bdbae8f943be4935545a5de
SSDEEP: 1536:d0yZhWt3yApzMC7lQsmSh0ZVgeBcRcm2l3bdIQIF2uskYju4vkBLob1JUa3z:d0yjUyIIC7lQsmTXnO+3TCBatbbU
Malware Config

Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 096eb0c725070338126410d5eff1f88a.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 096eb0c725070338126410d5eff1f88a.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
resource | yara_rule
behavioral1/memory/1204-1-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-3-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-4-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-5-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-6-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-8-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-20-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-13-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-21-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-22-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-30-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-31-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-32-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-33-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-34-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-36-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-37-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-38-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-40-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-46-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-48-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-50-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-52-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-56-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-60-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-62-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-69-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-71-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-77-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/1204-79-0x0000000000590000-0x000000000164A000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 096eb0c725070338126410d5eff1f88a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 096eb0c725070338126410d5eff1f88a.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 096eb0c725070338126410d5eff1f88a.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\Y: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\Z: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\E: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\J: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\L: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\T: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\U: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\N: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\S: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\W: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\G: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\O: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\P: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\R: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\X: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\H: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\I: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\K: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\M: | 096eb0c725070338126410d5eff1f88a.exe
File opened (read-only) | \??\Q: | 096eb0c725070338126410d5eff1f88a.exe
Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | F:\autorun.inf | 096eb0c725070338126410d5eff1f88a.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 096eb0c725070338126410d5eff1f88a.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\f769f8a | 096eb0c725070338126410d5eff1f88a.exe
File opened for modification | C:\Windows\SYSTEM.INI | 096eb0c725070338126410d5eff1f88a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
1204 | 096eb0c725070338126410d5eff1f88a.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Token: SeDebugPrivilege | 1204 | 096eb0c725070338126410d5eff1f88a.exe
Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1072 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 6
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
PID 1204 wrote to memory of 1124 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 10
PID 1204 wrote to memory of 1220 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 9
PID 1204 wrote to memory of 1284 | 1204 | 096eb0c725070338126410d5eff1f88a.exe | 8
System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 096eb0c725070338126410d5eff1f88a.exe
Processes

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1072

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1284

  C:\Users\Admin\AppData\Local\Temp\096eb0c725070338126410d5eff1f88a.exe (nested under Explorer.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\096eb0c725070338126410d5eff1f88a.exe"
    PID: 1204
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1220

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1124
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 30KB
MD5: d50eee6b1fac5b8bbdb32d9313ecb3fd
SHA1: 09638e65e94d0535db9c10ef50c3535a16faf238
SHA256: 8017c724640b0d6427e38b4589cc72456b598b91f6e2e6ffa20edca99f30578c
SHA512: 9c8ff7d30803f52aa46912963124c88a80ca3a8654185069e21cf654e2ce7342f9ce9fff809854b1cb8ca38d473c01fb478e46ac75ed481ca263c6d2fb5efc64