Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/02/2024, 06:18
Static task
static1
Behavioral task
behavioral1
Sample
ade2a2059d92f988de05067fd44491ef.exe
Resource
win7-20240221-en
General
-
Target
ade2a2059d92f988de05067fd44491ef.exe
-
Size
248KB
-
MD5
ade2a2059d92f988de05067fd44491ef
-
SHA1
6d393613db4d16a60d9d9478cc7fb21142229284
-
SHA256
75074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0
-
SHA512
5b97929997037497700b15a9a44fce02a228ec49539e7f69a222239877de6342f2ed7ad6927e82556005125982abaf4ee18b5ed9faa260c200e5ffda2838f464
-
SSDEEP
3072:bIdcFLEdskgrt05bnwhVh6PTPlcfaPHVZxSf/2eYuhhleDbjc5jAZtGMTevwpTR4:UWjZ0xCVh659JSjREDbI5jwtX3z4
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" idemoodp0cetka.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" idemoodp0cetka.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" idemoodp0cetka.exe -
Executes dropped EXE 2 IoCs
pid Process 2616 idemoodp0cetka.exe 2764 idemoodp0cetka.exe -
Loads dropped DLL 3 IoCs
pid Process 2440 ade2a2059d92f988de05067fd44491ef.exe 2440 ade2a2059d92f988de05067fd44491ef.exe 2616 idemoodp0cetka.exe -
resource yara_rule behavioral1/memory/2756-2-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-3-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-6-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-7-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-10-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-14-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-18-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2756-33-0x0000000002550000-0x00000000035DE000-memory.dmp upx behavioral1/memory/2616-52-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-59-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-60-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-64-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-68-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-73-0x0000000002670000-0x00000000036FE000-memory.dmp upx behavioral1/memory/2616-85-0x0000000002670000-0x00000000036FE000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" idemoodp0cetka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" idemoodp0cetka.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ade2a2059d92f988de05067fd44491ef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" idemoodp0cetka.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" ade2a2059d92f988de05067fd44491ef.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Service Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\idemoodp0cetka.exe" ade2a2059d92f988de05067fd44491ef.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" idemoodp0cetka.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2756 set thread context of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2616 set thread context of 2764 2616 idemoodp0cetka.exe 30 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI ade2a2059d92f988de05067fd44491ef.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2756 ade2a2059d92f988de05067fd44491ef.exe 2616 idemoodp0cetka.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2756 ade2a2059d92f988de05067fd44491ef.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe Token: SeDebugPrivilege 2616 idemoodp0cetka.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2756 ade2a2059d92f988de05067fd44491ef.exe 2616 idemoodp0cetka.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2756 wrote to memory of 1256 2756 ade2a2059d92f988de05067fd44491ef.exe 13 PID 2756 wrote to memory of 1352 2756 ade2a2059d92f988de05067fd44491ef.exe 12 PID 2756 wrote to memory of 1396 2756 ade2a2059d92f988de05067fd44491ef.exe 11 PID 2756 wrote to memory of 2180 2756 ade2a2059d92f988de05067fd44491ef.exe 9 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2756 wrote to memory of 2440 2756 ade2a2059d92f988de05067fd44491ef.exe 28 PID 2440 wrote to memory of 2616 2440 ade2a2059d92f988de05067fd44491ef.exe 29 PID 2440 wrote to memory of 2616 2440 ade2a2059d92f988de05067fd44491ef.exe 29 PID 2440 wrote to memory of 2616 2440 ade2a2059d92f988de05067fd44491ef.exe 29 PID 2440 wrote to memory of 2616 2440 ade2a2059d92f988de05067fd44491ef.exe 29 PID 2616 wrote to memory of 1256 2616 idemoodp0cetka.exe 13 PID 2616 wrote to memory of 1352 2616 idemoodp0cetka.exe 12 PID 2616 wrote to memory of 1396 2616 idemoodp0cetka.exe 11 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 PID 2616 wrote to memory of 2764 2616 idemoodp0cetka.exe 30 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ade2a2059d92f988de05067fd44491ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" idemoodp0cetka.exe
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2180
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1396
-
C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"C:\Users\Admin\AppData\Local\Temp\ade2a2059d92f988de05067fd44491ef.exe"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"C:\Users\Admin\AppData\Local\Temp\idemoodp0cetka.exe"5⤵
- Executes dropped EXE
PID:2764
-
-
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1352
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1256
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
248KB
MD5ade2a2059d92f988de05067fd44491ef
SHA16d393613db4d16a60d9d9478cc7fb21142229284
SHA25675074c9368cf924de049bcc3e4a3cce7bbc7a2b721aa66a353a68528abba9fb0
SHA5125b97929997037497700b15a9a44fce02a228ec49539e7f69a222239877de6342f2ed7ad6927e82556005125982abaf4ee18b5ed9faa260c200e5ffda2838f464
-
Filesize
256B
MD52aa1355a23d33cebb4a949316b95e78e
SHA1dc39812b16d55041b346c5e2d19928880aa487e4
SHA2563fe0b4e96d0f8772ed84d89e13778a35d31745fd794331e395b5989c15ed3075
SHA512e37cebeba02ba909912d695368edfa66702a59fd56e6aaa37953e41865deca1ea301933b0075bf6e639f5b8f22fea8e12afe6f8cc9e7d8023120fe70ae81facb