Analysis
max time kernel: 124s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2024, 18:25
Static task: static1
Behavioral task: behavioral1
Sample: ac8d2f29a8aeda66b3e78c9f385bf324.exe
Resource: win7-20240221-en
General
Target: ac8d2f29a8aeda66b3e78c9f385bf324.exe
Size: 100KB
MD5: ac8d2f29a8aeda66b3e78c9f385bf324
SHA1: 96d5a109525d999f97c0c39e3b4f9ea1187a9c0c
SHA256: 09b1efc7d167638f8ebd2fa0cb61dfb51564d75b7cdaa8b39e545906dae2eedb
SHA512: e2601862854a44d2c7e69fed203dd73c5be88cfa50e8c7c3e6c0bb099fd634e12d1c10e5c48de5c88ab24929f9180495cbdfb4d03bdd259d2ceff82ea899c8a6
SSDEEP: 1536:QWswr6szE6YaDE1YC9zRNW/sThk0fODNa2IjO4La:QPwmCE6YV1YC9zOsODN94L
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
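The six URLs above are the network indicators a responder would sweep DNS and proxy logs for. The script below is an added example written for this report, not tria.ge output: it extracts the host part of each configured URL (the IP and the domains), then scans log lines for exact IP hits, exact domain hits, and subdomains of a listed domain. The log lines are constructed; the decision to also match the apex of the one `www.` host is this example's own choice, since the config lists only the `www.` form.

```python
"""Match the C2 URLs from the extracted Sality config against DNS / proxy log lines.

Added example for this report, not tria.ge output. The log lines are constructed.
Matching is on the host part of each URL: exact IP, exact domain, or a subdomain of
a listed domain. For hosts that start with "www." the apex domain is added as well
(this example's own choice; the config lists only the www. form).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# URLs exactly as extracted from the sample's configuration (Malware Config above).
SALITY_C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# A bare IPv4 address, or a dotted name ending in an alphabetic TLD, optionally preceded by a scheme.
HOST_TOKEN = re.compile(r"(?:https?://)?((?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def indicators_from_urls(urls):
    """Split URLs into a set of IP strings and a set of lower-cased domain names."""
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        host = host.lower().rstrip(".")
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
            if host.startswith("www."):
                domains.add(host[4:])
    return ips, domains


def domain_matches(name, domains):
    """True if `name` equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_logs(lines, urls=SALITY_C2_URLS):
    """Return (line_index, matched_host) for every line that references a C2 host."""
    ips, domains = indicators_from_urls(urls)
    hits = []
    for i, line in enumerate(lines):
        for token in HOST_TOKEN.findall(line):
            token = token.lower()
            if token in ips or domain_matches(token, domains):
                hits.append((i, token))
                break
    return hits


# Constructed log lines: a DNS query log and a squid-style proxy access log.
SAMPLE_LOGS = [
    "2024-02-28T18:26:01Z host1 dns query A kukutrustnet777.info",
    "2024-02-28T18:26:02Z host1 dns query A klkjwre9fqwieluoi.info",
    "2024-02-28T18:26:03Z host2 dns query A windowsupdate.microsoft.com",
    "1709144765.123 312 10.0.0.5 TCP_MISS/200 512 GET http://89.119.67.154/testo5/ - DIRECT/89.119.67.154 text/html",
    "1709144766.456 210 10.0.0.5 TCP_MISS/200 2048 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html",
    "2024-02-28T18:26:09Z host3 dns query A mail.kukutrustnet888.info",
]

if __name__ == "__main__":
    for idx, host in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {host} -> {SAMPLE_LOGS[idx]}")
```

Matching on the host rather than the full URL is deliberate: the paths (`/home.gif`, `/testo5/`) are easy to rotate, and DNS logs never carry them. Feed real logs in line by line; the regex only needs to find the host token somewhere on the line.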
Signatures
Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
YARA rule match (upx)
resource | yara_rule
behavioral1/memory/2328-N-0x0000000001E00000-0x0000000002E8E000-memory.dmp | upx
(31 dumps of the same memory region in PID 2328, for N = 2, 4, 5, 8, 12, 15, 20, 21, 24, 25, 26, 27, 31, 32, 34, 35, 37, 38, 40, 42, 46, 47, 53, 54, 55, 57, 59, 62, 68, 70, 71)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (one row per drive letter, 21 in total) | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ac8d2f29a8aeda66b3e78c9f385bf324.exe
File opened for modification | F:\autorun.inf | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | ac8d2f29a8aeda66b3e78c9f385bf324.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | ac8d2f29a8aeda66b3e78c9f385bf324.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | ac8d2f29a8aeda66b3e78c9f385bf324.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | ac8d2f29a8aeda66b3e78c9f385bf324.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Note: these are existing executables opened for modification, not new files. Sality is a PE file infector, so the listed binaries should be treated as infected and replaced from a known-good source rather than simply deleted.
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ac8d2f29a8aeda66b3e78c9f385bf324.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe (12 occurrences)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe (31 occurrences)
Suspicious use of WriteProcessMemory (37 IoCs)
description | pid | Process | procid_target
PID 2328 wrote to memory of 1116 | 2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe | 4 (12 occurrences)
PID 2328 wrote to memory of 1224 | 2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe | 11 (12 occurrences)
PID 2328 wrote to memory of 1280 | 2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe | 10 (12 occurrences)
PID 2328 wrote to memory of 1908 | 2328 | ac8d2f29a8aeda66b3e78c9f385bf324.exe | 8 (1 occurrence)
The four targets are every other process in the Processes list below: taskhost.exe (1116), Dwm.exe (1224), Explorer.EXE (1280) and DllHost.exe (1908).
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac8d2f29a8aeda66b3e78c9f385bf324.exe
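Every registry indicator in the Signatures section is a plain DWORD, so the fastest host check is a `reg export` of the three keys compared against the values the sample wrote. The script below is an added example for this report, not tria.ge output; its indicator table is copied from the rows above and the `.reg` text is constructed. Two details matter for the comparison: the sandbox logs NT object paths (`\REGISTRY\MACHINE\...`, `ControlSet001`) whereas reg.exe exports `HKEY_LOCAL_MACHINE\...` and `CurrentControlSet`, and the `Wow6432Node` path shows the sample ran as a 32-bit process under WOW64, so on a 32-bit host the same Security Center values sit under the native `SOFTWARE\Microsoft\Security Center` key (the normaliser folds both onto one path; that folding is this example's assumption).

```python
r"""Check a reg.exe export for the registry values this sample wrote.

Added example for this report, not tria.ge output. The indicator table is copied
from the Signatures section; the .reg text is constructed to exercise the parser.
Keys are normalised so that \REGISTRY\MACHINE\... / ControlSet001 (sandbox form)
and HKEY_LOCAL_MACHINE\... / CurrentControlSet (reg.exe form) compare equal, and
SOFTWARE\Wow6432Node\... is folded onto SOFTWARE\... (assumption: same check on
32-bit and 64-bit hosts).
"""
import re

# (key as logged by the sandbox, value name, value the sample set)
SALITY_REG_IOCS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "DoNotAllowExceptions", 0),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile", "DisableNotifications", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "AntiVirusDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "FirewallOverride", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "UpdatesDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "UacDisableNotify", 1),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "AntiVirusOverride", 1),
]


def normalize_key(key):
    """Lower-case a key and map the NT and reg.exe spellings onto one canonical form."""
    k = key.strip().strip("[]").lower()
    if k.startswith("\\registry\\machine"):
        k = "hkey_local_machine" + k[len("\\registry\\machine"):]
    elif k.startswith("hklm\\"):
        k = "hkey_local_machine\\" + k[len("hklm\\"):]
    k = re.sub(r"\\controlset00\d\\", lambda m: "\\currentcontrolset\\", k)
    k = k.replace("\\software\\wow6432node\\", "\\software\\")
    return k


def parse_reg_export(text):
    """Parse reg.exe export text into {normalised key: {value name (lower): value}}.

    dword values become ints, quoted strings are unescaped, and any other type
    (hex:, hex(2):, ...) is kept as the raw text after '='.
    """
    dump, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line)
            dump.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if value.startswith("dword:"):
            parsed = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            parsed = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            parsed = value
        dump[current][name.lower()] = parsed
    return dump


def check_sality_iocs(reg_text, iocs=SALITY_REG_IOCS):
    """Return (key, value name, current value) for each indicator still in the state the sample set."""
    dump = parse_reg_export(reg_text)
    hits = []
    for key, name, bad_value in iocs:
        current = dump.get(normalize_key(key), {}).get(name.lower())
        if current == bad_value:
            hits.append((key, name, current))
    return hits


# Constructed export of the three keys. reg.exe writes UTF-16LE with a BOM, so a
# real file should be read with encoding="utf-16" before being passed in.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"UacDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, value in check_sality_iocs(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name} = {value}")
```

On the constructed dump nine of the ten indicators are in the state the sample left them (only `UpdatesDisableNotify` is back at 0). A single matching value such as `EnableLUA = 0` is weak evidence on its own, since administrators set it too; the full set of firewall, UAC and Security Center changes together is what characterises this sample.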
Processes
C:\Windows\system32\taskhost.exe  "taskhost.exe"  (PID 1116)
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (PID 1908)
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 1280)
    C:\Users\Admin\AppData\Local\Temp\ac8d2f29a8aeda66b3e78c9f385bf324.exe  "C:\Users\Admin\AppData\Local\Temp\ac8d2f29a8aeda66b3e78c9f385bf324.exe"  (PID 2328, child of Explorer.EXE)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (PID 1224)
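The WriteProcessMemory rows and the process list together show one pattern worth detecting on endpoints: a single process obtaining write access to every other process it can reach (here taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe). The script below is an added example for this report, not tria.ge output. It assumes Sysmon Event ID 10 (ProcessAccess) telemetry with its usual fields and checks the GrantedAccess mask for the two rights WriteProcessMemory needs (PROCESS_VM_OPERATION | PROCESS_VM_WRITE); the records are constructed to mirror PID 2328's behaviour, plus two benign-looking events for contrast. The threshold of three distinct targets and the `C:\Tools\dbg.exe` path are this example's own choices.

```python
"""Flag a process that obtains write access to many other processes' memory.

Added example for this report, not tria.ge output. It assumes Sysmon Event ID 10
(ProcessAccess) telemetry with its usual fields; the records below are constructed
to mirror the WriteProcessMemory rows above (PID 2328 writing into 1116, 1224, 1280
and 1908) plus two benign-looking events for contrast.
"""
from collections import defaultdict

# Process access rights from winnt.h that WriteProcessMemory needs on the handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def can_write_memory(granted_access):
    """True if a Sysmon GrantedAccess string (e.g. '0x1FFFFF') includes both write rights."""
    return (int(granted_access, 16) & WRITE_MASK) == WRITE_MASK


def injection_candidates(events, min_targets=3):
    """Return {source pid: {'image': ..., 'targets': [(pid, image), ...]}} for every
    source that got write access to at least `min_targets` distinct other processes."""
    targets = defaultdict(dict)  # source pid -> {target pid: target image}
    source_image = {}
    for ev in events:
        if ev["EventID"] != 10 or not can_write_memory(ev["GrantedAccess"]):
            continue
        src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
        if src == dst:
            continue
        targets[src][dst] = ev["TargetImage"]
        source_image[src] = ev["SourceImage"]
    return {
        src: {"image": source_image[src], "targets": sorted(t.items())}
        for src, t in targets.items()
        if len(t) >= min_targets
    }


def event10(src, src_image, dst, dst_image, access):
    """Build a constructed ProcessAccess record with the field names Sysmon uses."""
    return {"EventID": 10, "SourceProcessId": src, "SourceImage": src_image,
            "TargetProcessId": dst, "TargetImage": dst_image, "GrantedAccess": access}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac8d2f29a8aeda66b3e78c9f385bf324.exe"
# Constructed events; 0x1FFFFF is PROCESS_ALL_ACCESS on Vista and later.
SAMPLE_EVENTS = [
    event10(2328, SAMPLE, 1116, r"C:\Windows\system32\taskhost.exe", "0x1FFFFF"),
    event10(2328, SAMPLE, 1224, r"C:\Windows\system32\Dwm.exe", "0x1FFFFF"),
    event10(2328, SAMPLE, 1280, r"C:\Windows\Explorer.EXE", "0x1FFFFF"),
    event10(2328, SAMPLE, 1908, r"C:\Windows\system32\DllHost.exe", "0x1FFFFF"),
    event10(2328, SAMPLE, 1116, r"C:\Windows\system32\taskhost.exe", "0x1FFFFF"),  # repeat on the same target
    # Contrast: a query-only handle (0x1000 = PROCESS_QUERY_LIMITED_INFORMATION)
    # and a single debugger-style write from a hypothetical tool path.
    event10(1280, r"C:\Windows\Explorer.EXE", 2328, SAMPLE, "0x1000"),
    event10(3000, r"C:\Tools\dbg.exe", 3100, r"C:\Users\Admin\app.exe", "0x1F0FFF"),
]

if __name__ == "__main__":
    for src, info in injection_candidates(SAMPLE_EVENTS).items():
        print(f"PID {src} ({info['image']}) wrote into {len(info['targets'])} processes:")
        for pid, image in info["targets"]:
            print(f"  {pid}  {image}")
```

Counting distinct targets rather than raw events is what separates this from a debugger or an AV scanner, which repeatedly touch one process; the repeat event on 1116 above collapses to a single target. Sysmon only emits ProcessAccess for the target images its configuration includes, so the rule is only as complete as that configuration.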
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Create or Modify System Process (1): Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Impair Defenses (3): Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
Filesize: 100KB
MD5: 2778a079a1db107063d604b163ba58ec
SHA1: 80105317985668e9ad99abae3c9bc7a7f8495269
SHA256: 93aa8fa2fbc52afbf556c0369c691417d058577238a0f5681e543fffa4d5c604
SHA512: c64c371abad1594fa56a9363902f5d9b10c71842c9c45a58f1a94d0942b70dbbb56f9ef25d95578122dabbc67b27ded88c591744d7f141397b034e818eb79fb8