Analysis

max time kernel: 119s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 02:39
Static task: static1
Behavioral task: behavioral1
Sample: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll
Resource: win7-20240903-en

General

Target: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll
Size: 120KB
MD5: c980290cb64d969311c0660848a48570
SHA1: fb7ba2c165950b9c9c86dfac79417502ff64cacf
SHA256: 27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9
SHA512: ec5e98ad029929fc9e4c7c906ac06736b89626dd65c4c41b42f9493426e8badd64a94ff6d72f7f0e25dcabb416e7d90cd602b0fa8c47dd42a360278f03b17ee8
SSDEEP: 1536:xSw75ive6oA72hCNIgtr+AZdugMSsw83QlTJPwX54bWmFMHrRI/5HYQnBFLHnT1T:DNiW6vawv+WAgMkrK54bWmfNjB1pT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76e3da.exe
Sality family

description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e3da.exe
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76e3da.exe
Executes dropped EXE (3 IoCs)
pid  Process
372  f76e15a.exe
2648  f76e3da.exe
2584  f76fce5.exe
Loads dropped DLL (6 IoCs)
pid  Process
2296  rundll32.exe  (listed 6 times)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76e3da.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76e3da.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76e15a.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76e3da.exe
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e3da.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\G:  f76e15a.exe
File opened (read-only)  \??\H:  f76e15a.exe
File opened (read-only)  \??\K:  f76e15a.exe
File opened (read-only)  \??\L:  f76e15a.exe
File opened (read-only)  \??\N:  f76e15a.exe
File opened (read-only)  \??\O:  f76e15a.exe
File opened (read-only)  \??\E:  f76e15a.exe
File opened (read-only)  \??\I:  f76e15a.exe
File opened (read-only)  \??\J:  f76e15a.exe
File opened (read-only)  \??\M:  f76e15a.exe
resource  yara_rule
behavioral1/memory/372-13-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-15-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-16-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-19-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-26-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-18-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-17-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-14-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-20-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-40-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-61-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-62-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-63-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-64-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-65-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-80-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-81-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-104-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-105-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-107-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/372-142-0x00000000006A0000-0x000000000175A000-memory.dmp  upx
behavioral1/memory/2648-162-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
behavioral1/memory/2648-169-0x00000000009C0000-0x0000000001A7A000-memory.dmp  upx
Drops file in Windows directory (3 IoCs)
description  ioc  Process
File created  C:\Windows\f76e225  f76e15a.exe
File opened for modification  C:\Windows\SYSTEM.INI  f76e15a.exe
File created  C:\Windows\f7732a4  f76e3da.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76e15a.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
372  f76e15a.exe  (listed 2 times)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description  pid  Process
Token: SeDebugPrivilege  372  f76e15a.exe  (listed 24 times)
Suspicious use of WriteProcessMemory (34 IoCs)
description  pid  Process  procid_target
PID 2948 wrote to memory of 2296  2948  rundll32.exe  31  (listed 7 times)
PID 2296 wrote to memory of 372  2296  rundll32.exe  32  (listed 4 times)
PID 372 wrote to memory of 1048  372  f76e15a.exe  18
PID 372 wrote to memory of 1120  372  f76e15a.exe  20
PID 372 wrote to memory of 1168  372  f76e15a.exe  21
PID 372 wrote to memory of 1984  372  f76e15a.exe  23
PID 372 wrote to memory of 2948  372  f76e15a.exe  30
PID 372 wrote to memory of 2296  372  f76e15a.exe  31  (listed 2 times)
PID 2296 wrote to memory of 2648  2296  rundll32.exe  33  (listed 4 times)
PID 2296 wrote to memory of 2584  2296  rundll32.exe  34  (listed 4 times)
PID 372 wrote to memory of 1048  372  f76e15a.exe  18
PID 372 wrote to memory of 1120  372  f76e15a.exe  20
PID 372 wrote to memory of 1168  372  f76e15a.exe  21
PID 372 wrote to memory of 1984  372  f76e15a.exe  23
PID 372 wrote to memory of 2648  372  f76e15a.exe  33  (listed 2 times)
PID 372 wrote to memory of 2584  372  f76e15a.exe  34  (listed 2 times)
System policy modification (1 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e15a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76e3da.exe
Processes

[depth 1] C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1048

[depth 1] C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1120

[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1168

[depth 2] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll,#1
  PID: 2948
  - Suspicious use of WriteProcessMemory

  [depth 3] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27f1832257fca01fb31dcb7a4c626558e9109cc3e510ef3ee8103a9081d6dfb9N.dll,#1
    PID: 2296
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [depth 4] C:\Users\Admin\AppData\Local\Temp\f76e15a.exe
      command line: C:\Users\Admin\AppData\Local\Temp\f76e15a.exe
      PID: 372
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    [depth 4] C:\Users\Admin\AppData\Local\Temp\f76e3da.exe
      command line: C:\Users\Admin\AppData\Local\Temp\f76e3da.exe
      PID: 2648
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification

    [depth 4] C:\Users\Admin\AppData\Local\Temp\f76fce5.exe
      command line: C:\Users\Admin\AppData\Local\Temp\f76fce5.exe
      PID: 2584
      - Executes dropped EXE

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1984
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: f7b2e5801916fe56cbd7bc1765a44903
SHA1: 9ad9edcf133a812706c7e8d8073794a79e6cba57
SHA256: 4a1d537a207bfedf8a3b0b192bfccc79c66e66a71a9e50c5fd1260b1a5be2785
SHA512: 1c216914d4517b832af3923cafac15737f72871bc5bbd236f6ed8aa4db0e00d07c4b9d93d887899de090f8a66ca29e39e59afb98e0b69b22f7cf2a4df877c527

Filesize: 97KB
MD5: 83159e3fc5788b3155febdb35f297757
SHA1: 4d6f1281f01ba684c8689798a5f9f715be96fb5e
SHA256: 9633b65b72cda175b870d0e5ae6b56ce0b614e66a79a1a6222eb2619f65f128c
SHA512: 0699ab629aab53d13725ab4188fe74c4ee60a31df0e71945e092875da936643c01bc543a442ec5e4a61cf6f80bc687b7586375406b30c7c8dbe46278fd3fb45e