Overview
Overall score: 10/10

Tasks and scores (sample, platform: score):
- Static (static): 3
- ae2e1cbf84...23.exe, windows7-x64: 1
- ae2e1cbf84...23.exe, windows10-2004-x64: 10
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- UKHook40.dll, windows7-x64: 3
- UKHook40.dll, windows10-2004-x64: 3
- UniKey.exe, windows7-x64: 1
- UniKey.exe, windows10-2004-x64: 1
- ukfaq.htm, windows7-x64: 1
- ukfaq.htm, windows10-2004-x64: 1
- ukmanual.htm, windows7-x64: 1
- ukmanual.htm, windows10-2004-x64: 1
- uninst.exe, windows7-x64: 1
- uninst.exe, windows10-2004-x64: 10

Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/02/2024, 09:31
Tasks (task id: sample on resource):
- static1: static task
- behavioral1: ae2e1cbf8477077d682a9e7882e80023.exe on win7-20240221-en
- behavioral2: ae2e1cbf8477077d682a9e7882e80023.exe on win10v2004-20240226-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll on win7-20240221-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll on win10v2004-20240226-en
- behavioral5: UKHook40.dll on win7-20240221-en
- behavioral6: UKHook40.dll on win10v2004-20240226-en
- behavioral7: UniKey.exe on win7-20240220-en
- behavioral8: UniKey.exe on win10v2004-20240226-en
- behavioral9: ukfaq.htm on win7-20240221-en
- behavioral10: ukfaq.htm on win10v2004-20240226-en
- behavioral11: ukmanual.htm on win7-20240221-en
- behavioral12: ukmanual.htm on win10v2004-20240226-en
- behavioral13: uninst.exe on win7-20240221-en
General
- Target: uninst.exe
- Size: 115KB
- MD5: 193069df52ef63227279954dc84fa950
- SHA1: f58b2dad8a53851441f12713db6bbaaf9bc30a5f
- SHA256: 5d361ff49eee93d54b0fbef78fc7caf5f84e76be8e253ab6795a347a05cf2f01
- SHA512: 2a468df39d6c18f8c1edfbf631293659d578412e9915fcda8b3dbd8a4ccda09ed06ebc570245c0dd7f17617e98c67e5b2c49b8234127349f8181fef60430b924
- SSDEEP: 3072:ODRXTx4jCI8JzAI0hq19dKg5DnLpI2YKE2t/0ZXS:Ueh9mKg5TlU2iZXS
Malware Config
Extracted family: sality
URLs in the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Windows security bypass (6 IoCs)
Values set (int) by uninst.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center, each = "1":
- UpdatesDisableNotify
- UacDisableNotify
- AntiVirusOverride
- AntiVirusDisableNotify
- FirewallDisableNotify
- FirewallOverride

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1", process uninst.exe

Disables Task Manager via registry modification
- no IoC shown

Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 2584, process netsh.exe

UPX-packed file (yara rule upx, 1 IoC)
- behavioral14/memory/1240-1-0x0000000002340000-0x0000000003373000-memory.dmp (memory of uninst.exe, PID 1240)

Windows security modification (7 IoCs)
All by uninst.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) UacDisableNotify = "1"
- Key created Svc
- Set value (int) AntiVirusOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1240 (uninst.exe) wrote to memory of PID 2584 (its child netsh.exe), procid_target 87; reported three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\uninst.exe (PID 1240)
   Command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
   Signatures: Windows security bypass; Disables RegEdit via registry modification; Windows security modification; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (PID 2584), child of PID 1240
      Command line: netsh firewall set opmode disable
      Signatures: Modifies Windows Firewall
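The registry values and the netsh command in this report are the host artifacts a responder would look for on a machine that ran uninst.exe. The script below is an added example, not part of the sandbox report or of the UniKey project. It audits the exact Security Center and Policies values the report lists, in both registry views (the WOW6432Node path in the report is the 32-bit redirected view of HKLM\SOFTWARE\Microsoft\Security Center, since a 32-bit process wrote them), checks the live firewall profile state rather than only the command line, and reverts the findings when run with -Revert. Two checks are assumptions: DisableTaskMgr (the report names the Task Manager behaviour but shows no IoC for it) and the same values under the Svc subkey (the report shows the key being created, not what was written there).

```powershell
# Added audit/remediation script; not part of the sandbox report or of UniKey.
# Checks the registry values and firewall state the report attributes to
# uninst.exe (PID 1240) and its child netsh.exe (PID 2584). Run elevated.
[CmdletBinding()]
param([switch]$Revert)

# Security Center values the sample set to 1 (names taken from the report).
$ScValues = 'UpdatesDisableNotify', 'UacDisableNotify', 'AntiVirusOverride',
            'AntiVirusDisableNotify', 'FirewallDisableNotify', 'FirewallOverride'

# A 32-bit process on x64 writing HKLM\SOFTWARE\Microsoft\Security Center is
# redirected to WOW6432Node, which is the path in the report. Audit both views,
# plus the Svc subkey the sample created (assumption: it may hold the same values).
$ScKeys = foreach ($base in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
    $base; "$base\Svc"
}

# Per-user policy values. DisableRegistryTools is in the report; DisableTaskMgr is
# an assumption based on the "Disables Task Manager" signature, which shows no IoC.
$PolicyKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValues = 'DisableRegistryTools', 'DisableTaskMgr'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as not set
}

function Find-Artifacts {
    $found = @()
    foreach ($key in $ScKeys) {
        foreach ($name in $ScValues) {
            if ((Get-RegValue $key $name) -eq 1) {
                $found += [pscustomobject]@{ Kind = 'Registry'; Path = $key; Name = $name }
            }
        }
    }
    foreach ($name in $PolicyValues) {
        if ((Get-RegValue $PolicyKey $name) -eq 1) {
            $found += [pscustomobject]@{ Kind = 'Registry'; Path = $PolicyKey; Name = $name }
        }
    }
    # "netsh firewall set opmode disable" uses the legacy netsh context; on Windows 10
    # it still executes (with a deprecation notice), so check the resulting profile
    # state instead of relying on a command-line match alone.
    foreach ($p in Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }) {
        $found += [pscustomobject]@{ Kind = 'Firewall'; Path = 'Profile'; Name = $p.Name }
    }
    $found
}

function Undo-Artifacts {
    param([object[]]$Artifacts)
    foreach ($a in $Artifacts) {
        if ($a.Kind -eq 'Firewall') {
            Set-NetFirewallProfile -Name $a.Name -Enabled True
        } else {
            # Removing the value restores the default (notifications on, no override).
            Remove-ItemProperty -Path $a.Path -Name $a.Name -ErrorAction SilentlyContinue
        }
    }
}

$artifacts = @(Find-Artifacts)
if ($artifacts.Count -eq 0) {
    Write-Host 'No Security Center, policy or firewall artifacts matching the report.'
    return
}
$artifacts | Format-Table -AutoSize
if ($Revert) {
    Undo-Artifacts -Artifacts $artifacts
    Write-Host 'Reverted; re-run without -Revert to confirm.'
}
```

Reverting these values only undoes the hardening bypass; it does not remove the sample. Sality is a file infector, so a host where this ran needs its executables checked against known-good hashes rather than just a registry cleanup, and the URLs in the extracted configuration belong in network logs and blocklists.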