Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 14:43
Static task: static1
Behavioral task: behavioral1
Sample: bc5842609b03cf8fe919fe191f70d870_NEAS.dll
Resource: win7-20240215-en
General
Target: bc5842609b03cf8fe919fe191f70d870_NEAS.dll
Size: 120KB
MD5: bc5842609b03cf8fe919fe191f70d870
SHA1: 16dc5f52aaaf2386eee9033e31a49116421d1d27
SHA256: 7c3ee085d90222b6ed4bbf24f0d320636b075d62a9e47acd03b75540ca411c43
SHA512: de18b275041e21100ae363d14b75a45e00ff8477640634802368da20d9431fa7dc73ea520c9f7cd7722930f53d8128d6a5891d2057f39a4dd277580ec11256bc
SSDEEP: 3072:u++LfR6wtBaWMrNnamkdrIYkuYYtLjE9zTu97L:JgfRNWaRdkuXtPEVY
Malware Config
Extracted family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description      ioc                                                                                                              process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"   e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"   e5743fe.exe

UAC bypass
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e5743fe.exe

Windows security bypass
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"         e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"         e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    e5743fe.exe

Executes dropped EXE (3 IoCs)
  pid   process
  4780  e5743fe.exe
  3736  e5744e8.exe
  688   e5769f5.exe
Windows security modification
  description      ioc                                                                                      process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc                          e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"         e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     e5743fe.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"         e5743fe.exe

Checks whether UAC is enabled
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e5743fe.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description            ioc     process
  File opened (read-only)  \??\I:  e5743fe.exe
  File opened (read-only)  \??\J:  e5743fe.exe
  File opened (read-only)  \??\K:  e5743fe.exe
  File opened (read-only)  \??\L:  e5743fe.exe
  File opened (read-only)  \??\M:  e5743fe.exe
  File opened (read-only)  \??\N:  e5743fe.exe
  File opened (read-only)  \??\E:  e5743fe.exe
  File opened (read-only)  \??\H:  e5743fe.exe
  File opened (read-only)  \??\O:  e5743fe.exe
  File opened (read-only)  \??\G:  e5743fe.exe
Drops file in Program Files directory (3 IoCs)
  description                   ioc                               process
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe   e5743fe.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe    e5743fe.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe     e5743fe.exe
Drops file in Windows directory (2 IoCs)
  description                   ioc                     process
  File opened for modification  C:\Windows\SYSTEM.INI   e5743fe.exe
  File created                  C:\Windows\e57444c      e5743fe.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  4780  e5743fe.exe
  4780  e5743fe.exe
  4780  e5743fe.exe
  4780  e5743fe.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; all entries are Token: SeDebugPrivilege by pid 4780, e5743fe.exe)
Suspicious use of WriteProcessMemory (55 IoCs)
System policy modification (1 TTPs, 1 IoCs)
  description      ioc                                                                                     process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   e5743fe.exe
Processes (indentation shows the parent/child relationship; each entry is path, command line, PID)

C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:784
C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:792
C:\Windows\system32\dwm.exe  "dwm.exe"  PID:316
C:\Windows\system32\sihost.exe  sihost.exe  PID:2696
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2712
C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2844
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3692
    C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc5842609b03cf8fe919fe191f70d870_NEAS.dll,#1  PID:3308
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc5842609b03cf8fe919fe191f70d870_NEAS.dll,#1  PID:3732
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e5743fe.exe  C:\Users\Admin\AppData\Local\Temp\e5743fe.exe  PID:4780
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e5744e8.exe  C:\Users\Admin\AppData\Local\Temp\e5744e8.exe  PID:3736
              - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e5769f5.exe  C:\Users\Admin\AppData\Local\Temp\e5769f5.exe  PID:688
              - Executes dropped EXE
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3808
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3996
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:4088
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:1028
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3824
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4212
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:3944
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2936
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID:3912
C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4912
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2440
C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3156
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: c87a7841c82b82aae7cd312390b5b52a
SHA1: a0d8744571f9b5df37a9353a88e05d5231200c80
SHA256: 97d679fe9cb95b5816ca189207a8b7bd9ee76068b2c9ae34f10dd3538d14df57
SHA512: d88c95da5c05f4124009a310c5bc4fd5de527400107fe0d58d5a5b9843d334ffa9d7a16f5af8f6c01cfb06f14a578116808b1f50de9be41e7dec90f2f7bad7da