Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-03-2024 21:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll
- Resource: win7-20240221-en
General
- Target: a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll
- Size: 120KB
- MD5: eec03e1997f379a4768ef7099d0e75d5
- SHA1: 06ecdb2a2a9f52fd69ac64d3d66115e158bf873b
- SHA256: a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49
- SHA512: 08c21cfea32d78be99a5340627c11cd27fdd5a95ab9296f111272b35740f5e949528913931df4ce4efd2fc03f7f867930d3178928aa1d3d038fc1d88a71bf88b
- SSDEEP: 3072:nEdVHx0zCVf1A+xJ3O5rLXCJdmPzWO+M:nYwChxIEuz9
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (25 IoCs)
UPX dump on OEP (original entry point) (26 IoCs)
Executes dropped EXE (1 IoCs)
Processes (pid, process):
- 1564 f762923.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 3040 rundll32.exe
- 3040 rundll32.exe
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process f762923.exe (description, ioc):
- File opened (read-only) \??\E:
- File opened (read-only) \??\G:
- File opened (read-only) \??\H:
- File opened (read-only) \??\I:
- File opened (read-only) \??\J:
- File opened (read-only) \??\K:
- File opened (read-only) \??\L:
- File opened (read-only) \??\M:
Drops file in Windows directory (2 IoCs)
Process f762923.exe (description, ioc):
- File created C:\Windows\f762ac8
- File opened for modification C:\Windows\SYSTEM.INI
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid, process):
- 1564 f762923.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Process f762923.exe, pid 1564 (description):
- Token: SeDebugPrivilege (18 identical entries)
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (source pid, source process -> target pid, target process):
- 2584 rundll32.exe wrote to memory of 3040 rundll32.exe (7 entries)
- 3040 rundll32.exe wrote to memory of 1564 f762923.exe (4 entries)
- 1564 f762923.exe wrote to memory of 1080 taskhost.exe
- 1564 f762923.exe wrote to memory of 1180 Dwm.exe
System policy modification (1 TTPs, 1 IoCs)
Process f762923.exe (description, ioc):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a058aa45df8dda140abf624b99e1c779a4a932519471a8d7b1485e9314b41a49.dll,#1
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f762923.exe (child)
      Command line: C:\Users\Admin\AppData\Local\Temp\f762923.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\f762923.exe
  Filesize: 97KB
  MD5: 56b0dfc4786e7907e6a0e85e1bf5d5e6
  SHA1: 8bcaca893406d53ab2054dc60a0533c92615bec0
  SHA256: 1e960b4b457a7c00d09768761a921b3b47ca8cba55d27dab2271c25cc9dc35e6
  SHA512: 3319d07181b4a988b0f89141e6904dda545f0be0e8115edd7beca06cd5c69e468d47ac6bf41bb46733147296c611721c5858e4d57529f46a30dddbf348c729c7