Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2024 04:44

Static task: static1
Behavioral task: behavioral1
Sample: f1369ec294667a73390265d981f648d6797630dfa94fdcfd8ee8a9c7c367891b.dll
Resource: win7-20240704-en
General
Target: f1369ec294667a73390265d981f648d6797630dfa94fdcfd8ee8a9c7c367891b.dll
Size: 120KB
MD5: ddf5a3cb33c7032338657142e46f913c
SHA1: 36692908cfcb572c5f56e4b5a790116e770979df
SHA256: f1369ec294667a73390265d981f648d6797630dfa94fdcfd8ee8a9c7c367891b
SHA512: dbb96c22bdd90aa1f406f98b67a80fa3c46263569a573fbeab2666f41578015a35e8a25ddbd0201a2ef0ea189a507114102145a19bad73ae9f7ada2c826e24ec
SSDEEP: 3072:Co/EeDBLybZPZy09nILXO3esCitqJFCi:ObZP85SOwt89
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7685b3.exe

UAC bypass 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7685b3.exe

Windows security bypass 12 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f766a09.exe

Executes dropped EXE 3 IoCs
pid | Process
- 2876 | f766a09.exe
- 596 | f766c2b.exe
- 2536 | f7685b3.exe

Loads dropped DLL 6 IoCs
pid | Process
- 2796 | rundll32.exe (6 entries)

UPX packed file (yara rule: upx) 24 IoCs
resource | yara_rule
- behavioral1/memory/2876-12-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-16-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-14-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-15-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-22-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-20-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-17-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-21-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-19-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-18-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-62-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-63-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-64-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-66-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-65-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-68-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-69-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-83-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-86-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-88-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-109-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2876-151-0x0000000000690000-0x000000000174A000-memory.dmp | upx
- behavioral1/memory/2536-162-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
- behavioral1/memory/2536-209-0x0000000000910000-0x00000000019CA000-memory.dmp | upx

Windows security modification 14 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7685b3.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7685b3.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7685b3.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f766a09.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7685b3.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\O: | f766a09.exe
- File opened (read-only) | \??\I: | f766a09.exe
- File opened (read-only) | \??\P: | f766a09.exe
- File opened (read-only) | \??\Q: | f766a09.exe
- File opened (read-only) | \??\E: | f7685b3.exe
- File opened (read-only) | \??\G: | f7685b3.exe
- File opened (read-only) | \??\E: | f766a09.exe
- File opened (read-only) | \??\G: | f766a09.exe
- File opened (read-only) | \??\L: | f766a09.exe
- File opened (read-only) | \??\S: | f766a09.exe
- File opened (read-only) | \??\T: | f766a09.exe
- File opened (read-only) | \??\R: | f766a09.exe
- File opened (read-only) | \??\H: | f766a09.exe
- File opened (read-only) | \??\J: | f766a09.exe
- File opened (read-only) | \??\K: | f766a09.exe
- File opened (read-only) | \??\M: | f766a09.exe
- File opened (read-only) | \??\N: | f766a09.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SYSTEM.INI | f766a09.exe
- File created | C:\Windows\f76baf6 | f7685b3.exe
- File created | C:\Windows\f766a95 | f766a09.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f766a09.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7685b3.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
- 2876 | f766a09.exe
- 2876 | f766a09.exe
- 2536 | f7685b3.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
All 45 IoCs are repetitions of the following two entries:
- Token: SeDebugPrivilege | 2876 | f766a09.exe
- Token: SeDebugPrivilege | 2536 | f7685b3.exe

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
- PID 2808 wrote to memory of 2796 | 2808 | rundll32.exe | 30 (7 entries)
- PID 2796 wrote to memory of 2876 | 2796 | rundll32.exe | 31 (4 entries)
- PID 2876 wrote to memory of 1104 | 2876 | f766a09.exe | 19
- PID 2876 wrote to memory of 1164 | 2876 | f766a09.exe | 20
- PID 2876 wrote to memory of 1200 | 2876 | f766a09.exe | 21
- PID 2876 wrote to memory of 1496 | 2876 | f766a09.exe | 25
- PID 2876 wrote to memory of 2808 | 2876 | f766a09.exe | 29
- PID 2876 wrote to memory of 2796 | 2876 | f766a09.exe | 30 (2 entries)
- PID 2796 wrote to memory of 596 | 2796 | rundll32.exe | 32 (4 entries)
- PID 2796 wrote to memory of 2536 | 2796 | rundll32.exe | 33 (4 entries)
- PID 2876 wrote to memory of 1104 | 2876 | f766a09.exe | 19
- PID 2876 wrote to memory of 1164 | 2876 | f766a09.exe | 20
- PID 2876 wrote to memory of 1200 | 2876 | f766a09.exe | 21
- PID 2876 wrote to memory of 1496 | 2876 | f766a09.exe | 25
- PID 2876 wrote to memory of 596 | 2876 | f766a09.exe | 32 (2 entries)
- PID 2876 wrote to memory of 2536 | 2876 | f766a09.exe | 33 (2 entries)
- PID 2536 wrote to memory of 1104 | 2536 | f7685b3.exe | 19
- PID 2536 wrote to memory of 1164 | 2536 | f7685b3.exe | 20
- PID 2536 wrote to memory of 1200 | 2536 | f7685b3.exe | 21
- PID 2536 wrote to memory of 1496 | 2536 | f7685b3.exe | 25

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766a09.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7685b3.exe
Processes
Process | Command line | PID (children indented under their parent)
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1104
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1164
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1200
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1369ec294667a73390265d981f648d6797630dfa94fdcfd8ee8a9c7c367891b.dll,#1 | PID:2808
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1369ec294667a73390265d981f648d6797630dfa94fdcfd8ee8a9c7c367891b.dll,#1 | PID:2796
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f766a09.exe | C:\Users\Admin\AppData\Local\Temp\f766a09.exe | PID:2876
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f766c2b.exe | C:\Users\Admin\AppData\Local\Temp\f766c2b.exe | PID:596
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f7685b3.exe | C:\Users\Admin\AppData\Local\Temp\f7685b3.exe | PID:2536
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1496
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 1da062fca976f307bbab872801541c3d
  SHA1: ed3becc81cb5144f917a40ee480a45a44a0ee084
  SHA256: b09c3798c99ac6cac81feca6a04fddf8f08d13cb801d4f57f5f93c1a4252cb76
  SHA512: 20a4be104516ddf675f41060c598577693f8091ed86a1e69ed64cf597404631d30103ab87b7dbe2fdf9a2f438b5b0c0ca7912e94672a7a18af939ff5c0e909a3
- Filesize: 97KB
  MD5: 33d95a527741870c8286973a571341f2
  SHA1: cc5b1f084e2535f5b14181ebb4d663c925a4d94c
  SHA256: 8570462d917a620098a2093fb29f3c74b53d10237559b0477f08c28413236a33
  SHA512: ef324de6ab9a8402ddbff3b662e7eec207273e09707908fa88835f2fc3cfbc12bf90fb7c976676889b23f172ad67cd9661e945dd26aa6e535f00045380e7aecc