Analysis
-
max time kernel
109s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
26-07-2024 15:47
Static task
static1
Behavioral task
behavioral1
Sample
27ce8081843077b6e9c559267cb19f80N.exe
Resource
win7-20240705-en
General
-
Target
27ce8081843077b6e9c559267cb19f80N.exe
-
Size
165KB
-
MD5
27ce8081843077b6e9c559267cb19f80
-
SHA1
7811a1be5df65d6179147050a251fa8d3e2f63d4
-
SHA256
f142ef7a4027554cb455a6de9b44b312ba34b9b4188ee45259ba1f4238180a67
-
SHA512
bffe3125653f8c7db4ce2e797cbc068577a13c51dfa0eb1fd838740a91f9235c6c72eb1514c8729961fbec90550c0e19a8375afee41b6b8774f6d936c320ea27
-
SSDEEP
3072:QZSlI/HUOjSiToj7CEqfqg27mx/t3CnM9ga7ECfVeB1P0Yal7gz8PrVG:Qv/HFjSdfCZ47mx/t3Cn3a4CfUB1Cl7a
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
-
UAC bypass 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 27ce8081843077b6e9c559267cb19f80N.exe
-
Windows security bypass 6 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
-
Disables Task Manager via registry modification
-
Loads dropped DLL 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
pid | process
3700 | 27ce8081843077b6e9c559267cb19f80N.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3700-9-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-14-0x0000000000400000-0x000000000043E000-memory.dmp | upx
behavioral2/memory/3700-10-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-7-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-15-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-8-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-3-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-1-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
behavioral2/memory/3700-16-0x00000000023D0000-0x000000000345E000-memory.dmp | upx
-
Windows security modification 7 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 27ce8081843077b6e9c559267cb19f80N.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 27ce8081843077b6e9c559267cb19f80N.exe
-
Drops file in Windows directory 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 27ce8081843077b6e9c559267cb19f80N.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
1716 | 3700 | WerFault.exe | 27ce8081843077b6e9c559267cb19f80N.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 27ce8081843077b6e9c559267cb19f80N.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
27ce8081843077b6e9c559267cb19f80N.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 27ce8081843077b6e9c559267cb19f80N.exe
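The registry writes listed in the signatures above (firewall policy off, EnableLUA = 0, Security Center overrides, DisableRegistryTools = 1) are the part of this sample's behaviour that is easiest to alert on from registry "Set value" telemetry. The following is an added example, not part of the sandbox report or of any tool it references: a small Python detector that takes events in the shape the report lists (process, native value path, integer written), normalises the key (hive prefix, ControlSet00N, WOW6432Node, per-user SID) and matches it against those exact keys and values. The category names, the normalisation rules and the sample events are the editor's own; the sample events are constructed from the report's IoC lines plus two benign writes.

```python
"""Flag Sality-style security tampering in registry 'Set value' events.
Added example, not part of the sandbox report; category names and the
normalisation steps are the editor's own choices."""
import re
from typing import Dict, List, Optional, Set, Tuple

FIREWALL_PROFILE = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                    r"\Parameters\FirewallPolicy\StandardProfile")
POLICIES_SYSTEM = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

# (category, normalised key, value name, integer that indicates tampering);
# keys and values are the ones the report's IoC lines record.
TAMPER_RULES: List[Tuple[str, str, str, int]] = [
    ("firewall policy disabled", FIREWALL_PROFILE, "EnableFirewall", 0),
    ("firewall policy disabled", FIREWALL_PROFILE, "DoNotAllowExceptions", 0),
    ("firewall policy disabled", FIREWALL_PROFILE, "DisableNotifications", 1),
    ("uac disabled", "HKLM" + POLICIES_SYSTEM, "EnableLUA", 0),
    ("registry editor disabled", "HKU" + POLICIES_SYSTEM, "DisableRegistryTools", 1),
] + [
    ("security center overridden", SECURITY_CENTER, name, 1)
    for name in ("FirewallOverride", "FirewallDisableNotify",
                 "AntiVirusOverride", "AntiVirusDisableNotify",
                 "UacDisableNotify", "UpdatesDisableNotify")
]
# Registry paths are case-insensitive, so the index is built in lower case.
_RULE_INDEX = {(k.lower(), n.lower()): (cat, bad) for cat, k, n, bad in TAMPER_RULES}

_SUBS = [
    (re.compile(r"^\\REGISTRY\\MACHINE", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER", re.I), "HKU"),
    # collapse the per-user SID so one rule covers every user hive
    (re.compile(r"^HKU\\S-1-5-21(?:-\d+)+", re.I), "HKU"),
    # ControlSet00N is the concrete set behind CurrentControlSet
    (re.compile(r"\\ControlSet\d{3}\\", re.I), r"\\CurrentControlSet\\"),
    # a 32-bit process writing HKLM\SOFTWARE lands under WOW6432Node
    (re.compile(r"\\WOW6432Node\\", re.I), r"\\"),
]

def normalize_key(native_key: str) -> str:
    """Map a native \\REGISTRY\\... key to the hive-prefixed form the rules use."""
    key = native_key
    for pattern, replacement in _SUBS:
        key = pattern.sub(replacement, key)
    return key

def classify_event(ioc: str, value: int) -> Optional[str]:
    """Return the tampering category for 'key\\ValueName' + value, or None."""
    key, _, name = ioc.rpartition("\\")
    rule = _RULE_INDEX.get((normalize_key(key).lower(), name.lower()))
    if rule is None:
        return None
    category, bad_value = rule
    return category if value == bad_value else None

def scan_events(events):
    """(process, category, ioc, value) for every event that hits a rule."""
    hits = []
    for process, ioc, value in events:
        category = classify_event(ioc, value)
        if category is not None:
            hits.append((process, category, ioc, value))
    return hits

def summarize(events) -> Dict[str, List[str]]:
    """Process name -> sorted list of tampering categories it triggered."""
    per_process: Dict[str, Set[str]] = {}
    for process, category, _ioc, _value in scan_events(events):
        per_process.setdefault(process, set()).add(category)
    return {p: sorted(c) for p, c in per_process.items()}

# Constructed events modelled on the report's IoC lines, plus two benign
# writes (an unrelated Explorer value, and a write that turns the firewall ON).
SAMPLE = "27ce8081843077b6e9c559267cb19f80N.exe"
FW = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"
      r"\Parameters\FirewallPolicy\StandardProfile")
SC = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000"
SAMPLE_EVENTS = [
    (SAMPLE, FW + r"\EnableFirewall", 0),
    (SAMPLE, FW + r"\DoNotAllowExceptions", 0),
    (SAMPLE, FW + r"\DisableNotifications", 1),
    (SAMPLE, r"\REGISTRY\MACHINE" + POLICIES_SYSTEM + r"\EnableLUA", 0),
    (SAMPLE, SC + r"\AntiVirusOverride", 1),
    (SAMPLE, SC + r"\FirewallOverride", 1),
    (SAMPLE, USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools", 1),
    ("explorer.exe", USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 1),
    ("netsh.exe", FW + r"\EnableFirewall", 1),
]

if __name__ == "__main__":
    for process, categories in summarize(SAMPLE_EVENTS).items():
        print(process, "->", ", ".join(categories))
```

Matching on the written value, not just the key, is deliberate: a legitimate tool setting EnableFirewall = 1 touches the same path and must not alert. Normalising ControlSet00N and WOW6432Node matters because the sample is a 32-bit process on x64 (note the WOW6432Node paths in the report), and the same tampering from a 64-bit process would appear under the unprefixed key.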
Processes
-
C:\Users\Admin\AppData\Local\Temp\27ce8081843077b6e9c559267cb19f80N.exe
  "C:\Users\Admin\AppData\Local\Temp\27ce8081843077b6e9c559267cb19f80N.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:3700
  -
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 6248
    - Program crash
    PID:1716
-
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
  PID:2752
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize
1.6MB
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1
e16506f662dc92023bf82def1d621497c8ab5890
SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219