Analysis

max time kernel: 119s
max time network: 131s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 00:31

Static task: static1
Behavioral task: behavioral1
Sample: ad3e354c17e6be495f9830bb8f37b582.exe
Resource: win7-20240221-en
General

Target: ad3e354c17e6be495f9830bb8f37b582.exe
Size: 116KB
MD5: ad3e354c17e6be495f9830bb8f37b582
SHA1: 25436edb7618d26fd62b4a04b3e684fe107595e5
SHA256: 797a03028fb5f9ea40e28ab3c54931c29ffeb604d4f2c50878351876cc382647
SHA512: 9a5c904f7bcc9c9c3d983ed6eb72146bdedd709dd2a36a8859346c11ec51cb64c9a946482367392c5ca085a6c7ed801f6a2e15ca2bcc6ce29976c14115eedd4e
SSDEEP: 3072:JMxXB31BcWgPlyq9iJ/lXx76Md2W1VUaXc:qxx3ckqcTd2GVUr
Malware Config

Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ad3e354c17e6be495f9830bb8f37b582.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | ad3e354c17e6be495f9830bb8f37b582.exe

Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
pid | Process
2444 | ad3e354c17e6be495f9830bb8f37b582.exe

Loads dropped DLL (1 IoCs)
pid | Process
2196 | ad3e354c17e6be495f9830bb8f37b582.exe
YARA rule matches (upx)
resource | yara_rule
behavioral1/memory/2196-2-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-6-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-8-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-12-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-14-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-17-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-24-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-25-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-26-0x00000000006E0000-0x000000000176E000-memory.dmp | upx
behavioral1/memory/2196-35-0x00000000006E0000-0x000000000176E000-memory.dmp | upx

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ad3e354c17e6be495f9830bb8f37b582.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2196 set thread context of 2444 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | 28
PID 2196 set thread context of 0 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe |

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ad3e354c17e6be495f9830bb8f37b582.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2196 | ad3e354c17e6be495f9830bb8f37b582.exe
2444 | ad3e354c17e6be495f9830bb8f37b582.exe
2444 | ad3e354c17e6be495f9830bb8f37b582.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe (this row is repeated 20 times in the report)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2196 | ad3e354c17e6be495f9830bb8f37b582.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target | count
PID 2196 wrote to memory of 1120 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | 12 | 1
PID 2196 wrote to memory of 1176 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | 19 | 1
PID 2196 wrote to memory of 1212 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | 13 | 1
PID 2196 wrote to memory of 2444 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | 28 | 8
PID 2196 wrote to memory of 0 | 2196 | ad3e354c17e6be495f9830bb8f37b582.exe | | 4
PID 2444 wrote to memory of 1212 | 2444 | ad3e354c17e6be495f9830bb8f37b582.exe | 13 | 4

System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ad3e354c17e6be495f9830bb8f37b582.exe
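As an added example (my own code, not part of this sandbox report and not Sality tooling): a small Python parser for the flattened registry IoC rows in the signature tables above. It normalises the native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to HKLM / HKU form, folds ControlSet001 into CurrentControlSet, and evaluates a handful of security-tamper rules over the value writes. The sample rows are copied from this report; the rule names, the benign foo.exe row and the "several rules from one process" summary are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the registry IoC rows from the signature tables above,
# one per line in the sandbox's '<action> <native path>[ = "<data>"] <process>'
# form, plus one benign row (EnableLUA = "1" by foo.exe) added to show a non-match.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ad3e354c17e6be495f9830bb8f37b582.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" foo.exe
"""

# One row: action, native path (may contain spaces, e.g. "Security Center"), optional
# quoted data for "Set value", and the writing process as the last whitespace-free token.
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)
SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)


@dataclass
class RegistryEvent:
    action: str          # "Set value" or "Key created"
    path: str            # normalised, e.g. HKLM\SOFTWARE\...\Policies\System\EnableLUA
    data: Optional[str]  # value data as the sandbox prints it; None for "Key created"
    process: str

    @property
    def key(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def normalise_path(native: str) -> str:
    # \REGISTRY\MACHINE\x -> HKLM\x ; \REGISTRY\USER\<SID>\x -> HKU\<SID>\x ;
    # ControlSetNNN -> CurrentControlSet so a single rule covers any control set.
    machine = "\\REGISTRY\\MACHINE\\"
    if native.upper().startswith(machine):
        path = "HKLM\\" + native[len(machine):]
    else:
        m = SID_RE.match(native)
        path = "HKU\\" + m.group(1) + "\\" + native[m.end():] if m else native
    return re.sub(r"(?i)\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path)


def parse_rows(text: str) -> List[RegistryEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        action = "Key created" if m.group("action") == "Key created" else "Set value"
        events.append(RegistryEvent(action, normalise_path(m.group("path")),
                                    m.group("data"), m.group("process")))
    return events


# Security-tamper rules (my own names and matches, not the sandbox's signature logic):
# (rule, regex on the key part of the normalised path, regex on the value name, flagged data).
# DoNotAllowExceptions = "0" is the default (exceptions permitted), so it is not flagged alone.
TAMPER_RULES: List[Tuple[str, str, str, str]] = [
    ("Windows Firewall disabled", r"FirewallPolicy\\StandardProfile$", r"^EnableFirewall$", "0"),
    ("Firewall notifications suppressed", r"FirewallPolicy\\StandardProfile$", r"^DisableNotifications$", "1"),
    ("UAC disabled", r"Policies\\System$", r"^EnableLUA$", "0"),
    ("Security Center notifications suppressed", r"Security Center$", r"^(AntiVirus|Firewall|Updates|Uac)DisableNotify$", "1"),
    ("Security Center override set", r"Security Center$", r"^(AntiVirus|Firewall)Override$", "1"),
    ("Registry tools disabled for user", r"Policies\\System$", r"^DisableRegistryTools$", "1"),
]


def find_tampering(events: List[RegistryEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, normalised path, process) for every value write matching a rule."""
    hits = []
    for ev in events:
        if ev.action != "Set value":
            continue
        for rule, key_re, name_re, bad in TAMPER_RULES:
            if (re.search(key_re, ev.key, re.IGNORECASE)
                    and re.match(name_re, ev.name, re.IGNORECASE)
                    and ev.data == bad):
                hits.append((rule, ev.path, ev.process))
    return hits


def tamper_summary(events: List[RegistryEvent]) -> Dict[str, List[str]]:
    """Distinct rules per writing process. Any single value here can be set by an admin
    or GPO; one process hitting firewall, UAC, Security Center and registry-tools rules
    together is the pattern worth alerting on."""
    per_proc: Dict[str, set] = {}
    for rule, _path, proc in find_tampering(events):
        per_proc.setdefault(proc, set()).add(rule)
    return {proc: sorted(rules) for proc, rules in per_proc.items()}


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for rule, path, proc in find_tampering(evs):
        print(f"{rule:42} {proc}  {path}")
    for proc, rules in tamper_summary(evs).items():
        print(f"{proc}: {len(rules)} tamper rules -> {rules}")
```

Run stand-alone it lists the ten matching writes and a summary showing all six rules hit by ad3e354c17e6be495f9830bb8f37b582.exe and nothing for foo.exe. The same parse-and-normalise step is what you need before feeding these rows into Sigma-style registry rules, since detection content is written against HKLM\...\CurrentControlSet paths rather than the kernel object names the sandbox records.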
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1120

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1212
  C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe  "C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe"  PID:2196
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe  "C:\Users\Admin\AppData\Local\Temp\ad3e354c17e6be495f9830bb8f37b582.exe"  PID:2444
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1176
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads

Filesize: 116KB
MD5: ad3e354c17e6be495f9830bb8f37b582
SHA1: 25436edb7618d26fd62b4a04b3e684fe107595e5
SHA256: 797a03028fb5f9ea40e28ab3c54931c29ffeb604d4f2c50878351876cc382647
SHA512: 9a5c904f7bcc9c9c3d983ed6eb72146bdedd709dd2a36a8859346c11ec51cb64c9a946482367392c5ca085a6c7ed801f6a2e15ca2bcc6ce29976c14115eedd4e