Analysis
max time kernel: 125s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2024, 20:16
Static task: static1
Behavioral task: behavioral1
Sample: acc104b0d02c136dd53cde28c62925f2.exe
Resource: win7-20240220-en
General
Target: acc104b0d02c136dd53cde28c62925f2.exe
Size: 100KB
MD5: acc104b0d02c136dd53cde28c62925f2
SHA1: 1037b9926f072deb1f5b1b79bcd3660694ed56a2
SHA256: d6bdc655e8ac85d60704d336f8deb777bfb7c893da8a810ccce0aed1e888d0b9
SHA512: d3c531945ca49da98ecd24ef151553f08cdf4f747fdaf30a8f6636ed7abfc96bb53fcd1bcde5f83b558600741d4d46e7176a8b20101d57a7561299cf0e5c4a2a
SSDEEP: 3072:NGfhrEC5n4N2G1CRNDEpcR+doE4B9NYH:N0hrEC54N2G1CLDE+IdoE43CH
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | acc104b0d02c136dd53cde28c62925f2.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
resource | yara_rule
behavioral1/memory/1684-1-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-3-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-4-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-6-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-8-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-11-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-20-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-15-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-22-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-23-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-24-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-25-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-26-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-27-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-29-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-30-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-31-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-33-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-35-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-41-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-43-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-45-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-47-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-49-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-51-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-53-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-55-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-57-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-59-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
behavioral1/memory/1684-70-0x0000000001D30000-0x0000000002DBE000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | acc104b0d02c136dd53cde28c62925f2.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\X: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\U: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\L: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\N: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\R: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\T: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\I: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\M: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\O: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Q: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Z: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\H: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\G: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\J: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\K: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\P: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\S: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\W: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\Y: | acc104b0d02c136dd53cde28c62925f2.exe
File opened (read-only) | \??\E: | acc104b0d02c136dd53cde28c62925f2.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | F:\autorun.inf | acc104b0d02c136dd53cde28c62925f2.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | acc104b0d02c136dd53cde28c62925f2.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | acc104b0d02c136dd53cde28c62925f2.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | acc104b0d02c136dd53cde28c62925f2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
1684 | acc104b0d02c136dd53cde28c62925f2.exe
(this row is repeated 13 times in the report, one per recorded event)
Suspicious use of AdjustPrivilegeToken 33 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1684 | acc104b0d02c136dd53cde28c62925f2.exe
(this row is repeated 33 times in the report, one per recorded event)
Suspicious use of WriteProcessMemory 40 IoCs
description | pid | Process | procid_target
PID 1684 wrote to memory of 1108 | 1684 | acc104b0d02c136dd53cde28c62925f2.exe | 16
PID 1684 wrote to memory of 1188 | 1684 | acc104b0d02c136dd53cde28c62925f2.exe | 15
PID 1684 wrote to memory of 1220 | 1684 | acc104b0d02c136dd53cde28c62925f2.exe | 14
PID 1684 wrote to memory of 1976 | 1684 | acc104b0d02c136dd53cde28c62925f2.exe | 9
(the 1108, 1188 and 1220 rows each appear 13 times in the report and the 1976 row once, 40 entries in total; per the Processes section, PID 1108 is taskhost.exe, 1188 is Dwm.exe, 1220 is Explorer.EXE and 1976 is DllHost.exe)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acc104b0d02c136dd53cde28c62925f2.exe
Processes
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1976

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1220
    C:\Users\Admin\AppData\Local\Temp\acc104b0d02c136dd53cde28c62925f2.exe (child of Explorer.EXE)
      Command line: "C:\Users\Admin\AppData\Local\Temp\acc104b0d02c136dd53cde28c62925f2.exe"
      PID: 1684
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1188

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1108
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 100KB
MD5: d3ed5bd88e0f5b65235d6c9b557f252f
SHA1: 887826cb9f50cbf42cabf5a7f3624d4bae684b76
SHA256: 07c0dd6b592525916a32e6d2f56d2090d76b01ddba0c2fc88ace6e9544456900
SHA512: 0b487c558e243f640f76dd9f732dc5f86f26c753d2a39bbd41ace595a3e878e6bf928da03f2e904584e5c73f0d233113c0ff1d0586d8d2c88cfd83ec346c7dfa