Analysis
max time kernel: 27s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13/08/2024, 17:56
Static task: static1
Behavioral task: behavioral1
Sample: e7e4f9b338f634e9818ab8ccb1a12e30N.dll
Resource: win7-20240705-en
General
Target: e7e4f9b338f634e9818ab8ccb1a12e30N.dll
Size: 120KB
MD5: e7e4f9b338f634e9818ab8ccb1a12e30
SHA1: e6e0402f372aca08e7fa6552c3e4bebad361f161
SHA256: 5b2867a6400555f776c50def66004cf71857d35cb3b4d0371f20c2898ba6c68a
SHA512: 6c4225af7beca3fccb3ec90a6d179836517c8c438c6bae977fb6069d86892b963247db279ef25d7cd32e9d483c3f8ca76d8a79dfcfbc892df3ba84ad44413635
SSDEEP: 3072:pd34at33rkhErWdQXyTyEdQ5RDaO1PHPUzB:Doa17eEi5wlHPO
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76ca32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cbb8.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ca32.exe
Executes dropped EXE 3 IoCs
pid | Process
2884 | f76ca32.exe
2760 | f76cbb8.exe
660 | f76e5dc.exe
Loads dropped DLL 6 IoCs
pid | Process
2232 | rundll32.exe (this row appears 6 times in the original table)
resource | yara_rule
behavioral1/memory/2884-12-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-16-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-19-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-22-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-21-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-20-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-18-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-17-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-15-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-14-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-63-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-64-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-65-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-67-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-66-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-69-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-70-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-83-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-86-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-87-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-88-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-127-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2884-151-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2760-165-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
behavioral1/memory/2760-189-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cbb8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ca32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76ca32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cbb8.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | f76ca32.exe
File opened (read-only) | \??\O: | f76ca32.exe
File opened (read-only) | \??\E: | f76ca32.exe
File opened (read-only) | \??\I: | f76ca32.exe
File opened (read-only) | \??\M: | f76ca32.exe
File opened (read-only) | \??\G: | f76ca32.exe
File opened (read-only) | \??\P: | f76ca32.exe
File opened (read-only) | \??\T: | f76ca32.exe
File opened (read-only) | \??\H: | f76ca32.exe
File opened (read-only) | \??\K: | f76ca32.exe
File opened (read-only) | \??\R: | f76ca32.exe
File opened (read-only) | \??\S: | f76ca32.exe
File opened (read-only) | \??\J: | f76ca32.exe
File opened (read-only) | \??\L: | f76ca32.exe
File opened (read-only) | \??\Q: | f76ca32.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76ca9f | f76ca32.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76ca32.exe
File created | C:\Windows\f771a83 | f76cbb8.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76ca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cbb8.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2884 | f76ca32.exe
2884 | f76ca32.exe
2760 | f76cbb8.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2884 | f76ca32.exe (repeated)
Token: SeDebugPrivilege | 2760 | f76cbb8.exe (repeated)
(The original table lists 45 rows, each of which is one of the two rows above.)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2368 wrote to memory of 2232 | 2368 | rundll32.exe | 30 (listed 7 times)
PID 2232 wrote to memory of 2884 | 2232 | rundll32.exe | 31 (listed 4 times)
PID 2884 wrote to memory of 1056 | 2884 | f76ca32.exe | 18 (listed 2 times)
PID 2884 wrote to memory of 1120 | 2884 | f76ca32.exe | 19 (listed 2 times)
PID 2884 wrote to memory of 1184 | 2884 | f76ca32.exe | 21 (listed 2 times)
PID 2884 wrote to memory of 1348 | 2884 | f76ca32.exe | 25 (listed 2 times)
PID 2884 wrote to memory of 2368 | 2884 | f76ca32.exe | 29
PID 2884 wrote to memory of 2232 | 2884 | f76ca32.exe | 30 (listed 2 times)
PID 2232 wrote to memory of 2760 | 2232 | rundll32.exe | 32 (listed 4 times)
PID 2232 wrote to memory of 660 | 2232 | rundll32.exe | 34 (listed 4 times)
PID 2884 wrote to memory of 2760 | 2884 | f76ca32.exe | 32 (listed 2 times)
PID 2884 wrote to memory of 660 | 2884 | f76ca32.exe | 34 (listed 2 times)
PID 2760 wrote to memory of 1056 | 2760 | f76cbb8.exe | 18
PID 2760 wrote to memory of 1120 | 2760 | f76cbb8.exe | 19
PID 2760 wrote to memory of 1184 | 2760 | f76cbb8.exe | 21
PID 2760 wrote to memory of 1348 | 2760 | f76cbb8.exe | 25
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ca32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cbb8.exe
Processes
(image | command line | PID; indentation follows the nesting depth shown in the original tree)
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1056
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1120
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1184
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#1 | PID:2368
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7e4f9b338f634e9818ab8ccb1a12e30N.dll,#1 | PID:2232
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f76ca32.exe | C:\Users\Admin\AppData\Local\Temp\f76ca32.exe | PID:2884
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76cbb8.exe | C:\Users\Admin\AppData\Local\Temp\f76cbb8.exe | PID:2760
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76e5dc.exe | C:\Users\Admin\AppData\Local\Temp\f76e5dc.exe | PID:660
        - Executes dropped EXE
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1348
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 257B
MD5: 0587e5491eaf9343fc81e9a599ffb233
SHA1: 3a7f119f6e9d2718331df64d06cec0151c48de35
SHA256: 06c02f067a4f3724256e90ec31d4b98b689927691282ef1a6fc47a0a9a832bfa
SHA512: d1b5541f36184c828b0664364d88160d1e217d93af9ff8bba5908f2dcfb611ec4ac6317cd4fa6b5fd79f478bd1f518539caa98274e1286d9b7b3e74cabb8398b

Filesize: 97KB
MD5: 28a1c2fd7cf3b73f89d6a33e08bcbc41
SHA1: f00d3e202579d968db87b8c754fac64d669942db
SHA256: fe0ce40c103e736bdeb2557789fa61d86c25030155908b5cc4c62a78294d19d1
SHA512: 7cd559a2afe4b611f7a424438f4137aa99a065c21c71dd2d74da700c8c6fe5c628dc9edee408dbfa1e0e3faf5a2435ec643f441598faa65b1b51deb3eb5af0bb