Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-05-2024 10:23
Static task
static1
Behavioral task
behavioral1
Sample
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe
Resource
win7-20240221-en
General
-
Target
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe
-
Size
128KB
-
MD5
21e9a4adbf70b295fb6b81f7998e9c39
-
SHA1
2f6b14983570185fa111ca30a2848a7cae32792e
-
SHA256
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293
-
SHA512
ab67f371ae40645de366052359b94fd28feefdda6afcfb794407f0460905a68375af5eeb1e9c7453509450d68b165c7a46af76b893bf611fb5243a5dfa65ff91
-
SSDEEP
3072:uftffjmNmcoa3b9OBFhfY6XHNNTGkZm1MOTLjAimC:WVfjmNm+BOBbfY6XHjSkZmGgjAiF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Executes dropped EXE 1 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exepid process 4172 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Processes:
resource yara_rule behavioral2/memory/4192-1-0x00000000007A0000-0x000000000182E000-memory.dmp upx behavioral2/memory/4192-15-0x00000000007A0000-0x000000000182E000-memory.dmp upx behavioral2/memory/4192-14-0x00000000007A0000-0x000000000182E000-memory.dmp upx behavioral2/memory/4192-11-0x00000000007A0000-0x000000000182E000-memory.dmp upx behavioral2/memory/4192-9-0x00000000007A0000-0x000000000182E000-memory.dmp upx behavioral2/memory/4192-10-0x00000000007A0000-0x000000000182E000-memory.dmp upx -
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Drops file in Windows directory 3 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe File created C:\Windows\rundl132.exe 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe File created C:\Windows\Logo1_.exe 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exepid process 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription pid process Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe Token: SeDebugPrivilege 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.execmd.exedescription pid process target process PID 4192 wrote to memory of 780 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe fontdrvhost.exe PID 4192 wrote to memory of 784 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe fontdrvhost.exe PID 4192 wrote to memory of 336 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe dwm.exe PID 4192 wrote to memory of 4704 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe cmd.exe PID 4192 wrote to memory of 4704 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe cmd.exe PID 4192 wrote to memory of 4704 4192 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe cmd.exe PID 4704 wrote to memory of 4172 4704 cmd.exe 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe PID 4704 wrote to memory of 4172 4704 cmd.exe 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:336
-
C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E9D.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe"3⤵
- Executes dropped EXE
PID:4172
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$$a4E9D.batFilesize
722B
MD56f83ffd26026e70245c70cace09743a0
SHA155337d3a33cfb12e03567829557a2daa6effdb6d
SHA25664f4c55958cc975b7f0a81d256f016b1f9a1751e9a2b7bb8360462cde1d92621
SHA512c990160c378be1a2ebad92af629636985a50941bc9c9287805ae2f76809da99b49728d0fb4af11de8f55940242e77f65ed4867aa03c46b068e6602f2888601c4
-
C:\Users\Admin\AppData\Local\Temp\5a7c45218b50cee54d32131695d55f385af24c37d0b9a788de9ea6c465005293.exe.exeFilesize
102KB
MD5d042a1b8aec96fa4b7f90aa94efd8933
SHA1a222c4bc14d3b59d11d2100b038ab478f02b3fca
SHA256e38f132e21d0cd2fbae0ca84531c4d69a1b7a6d72cf476039428e56c8e3b1640
SHA5120f8f5574459e36b63d13aba54a908384d9e3cc23a522e272c034b4b5d5f9e2eed73972b5d0348a5d2ad855fb429815a0678561f61df42922e8e72d0f49c40e7a
-
memory/4192-0-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4192-1-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/4192-15-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/4192-19-0x0000000000400000-0x0000000000446000-memory.dmpFilesize
280KB
-
memory/4192-14-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/4192-11-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/4192-9-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB
-
memory/4192-10-0x00000000007A0000-0x000000000182E000-memory.dmpFilesize
16.6MB