Analysis
max time kernel: 28s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 14:23
Static task: static1
Behavioral task: behavioral1
Sample: 630030987c99d569d87b1f3046da91c923d52daf5bd48395f48775ebfbc384dfN.dll
Resource: win7-20240903-en
General
Target: 630030987c99d569d87b1f3046da91c923d52daf5bd48395f48775ebfbc384dfN.dll
Size: 120KB
MD5: db75d1d0e742e727f50e4edc9610c5a0
SHA1: 0133cd858e4c4bd160309d5377c2560e2c03c0c1
SHA256: 630030987c99d569d87b1f3046da91c923d52daf5bd48395f48775ebfbc384df
SHA512: 06f08e1464beac05595fb22662a33c32824cdad1b418bf89e68ada38098307ed7b9180c3923fcfaa49ce5a69d3a85888df1d64c1a9c903511960501cd8e36cd2
SSDEEP: 3072:ainrsVpOzQmXuxF4H0VtOUudsuNbmhfIUYcomU:dnLzQ2ux+H0zNukWU5
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76fb9e.exe

Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771610.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771610.exe
Executes dropped EXE 3 IoCs
pid | Process
2700 | f76fb9e.exe
3064 | f76fed8.exe
2964 | f771610.exe

Loads dropped DLL 6 IoCs
pid | Process
2272 | rundll32.exe (×6)

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fb9e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fb9e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76fb9e.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fb9e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771610.exe
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76fb9e.exe
File opened (read-only) | \??\G: | f76fb9e.exe
File opened (read-only) | \??\H: | f76fb9e.exe
File opened (read-only) | \??\E: | f771610.exe

resource | yara_rule
behavioral1/memory/2700-22-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-19-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-17-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-18-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-21-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-25-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-24-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-23-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-20-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-26-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-78-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-79-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-77-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-98-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-100-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-101-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-103-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-104-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-105-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2700-127-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2964-134-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/2964-178-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f774e4f | f771610.exe
File created | C:\Windows\f76fc88 | f76fb9e.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76fb9e.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76fb9e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f771610.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2700 | f76fb9e.exe
2700 | f76fb9e.exe
2964 | f771610.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2700 | f76fb9e.exe (×23)
Token: SeDebugPrivilege | 2964 | f771610.exe (×22)

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2648 wrote to memory of 2272 | 2648 | rundll32.exe | 30 (×7)
PID 2272 wrote to memory of 2700 | 2272 | rundll32.exe | 31 (×4)
PID 2700 wrote to memory of 1108 | 2700 | f76fb9e.exe | 19
PID 2700 wrote to memory of 1168 | 2700 | f76fb9e.exe | 20
PID 2700 wrote to memory of 1200 | 2700 | f76fb9e.exe | 21
PID 2700 wrote to memory of 1864 | 2700 | f76fb9e.exe | 25
PID 2700 wrote to memory of 2648 | 2700 | f76fb9e.exe | 29
PID 2700 wrote to memory of 2272 | 2700 | f76fb9e.exe | 30 (×2)
PID 2272 wrote to memory of 3064 | 2272 | rundll32.exe | 32 (×4)
PID 2272 wrote to memory of 2964 | 2272 | rundll32.exe | 33 (×4)
PID 2700 wrote to memory of 1108 | 2700 | f76fb9e.exe | 19
PID 2700 wrote to memory of 1168 | 2700 | f76fb9e.exe | 20
PID 2700 wrote to memory of 1200 | 2700 | f76fb9e.exe | 21
PID 2700 wrote to memory of 1864 | 2700 | f76fb9e.exe | 25
PID 2700 wrote to memory of 3064 | 2700 | f76fb9e.exe | 32 (×2)
PID 2700 wrote to memory of 2964 | 2700 | f76fb9e.exe | 33 (×2)
PID 2964 wrote to memory of 1108 | 2964 | f771610.exe | 19
PID 2964 wrote to memory of 1168 | 2964 | f771610.exe | 20
PID 2964 wrote to memory of 1200 | 2964 | f771610.exe | 21
PID 2964 wrote to memory of 1864 | 2964 | f771610.exe | 25

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771610.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fb9e.exe
Processes
[depth 1] C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1108
[depth 1] C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168
[depth 1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1200
[depth 2] C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\630030987c99d569d87b1f3046da91c923d52daf5bd48395f48775ebfbc384dfN.dll,#1 | PID:2648
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\630030987c99d569d87b1f3046da91c923d52daf5bd48395f48775ebfbc384dfN.dll,#1 | PID:2272
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f76fb9e.exe | C:\Users\Admin\AppData\Local\Temp\f76fb9e.exe | PID:2700
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f76fed8.exe | C:\Users\Admin\AppData\Local\Temp\f76fed8.exe | PID:3064
            - Executes dropped EXE
        [depth 4] C:\Users\Admin\AppData\Local\Temp\f771610.exe | C:\Users\Admin\AppData\Local\Temp\f771610.exe | PID:2964
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
[depth 1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1864
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 1166d45e99dc0fb5ffcacf4764c45cae
SHA1: 6c0ecd73a25210ef3f86cd5afbb2f46a32a12fe9
SHA256: a2ba7b3676c31f32b1ba058b1f0a6a5d04d81ec472ae12733796b59917ba6fb1
SHA512: 27d62372758d7c3165be842f45bbb93cc231f5336b786aca3c05a782d03e2188bac7247ef02a574a584e5bc2fdaf6f0fac57a4b6bf53b7d85cadb7405b8ca9f1

Filesize: 257B
MD5: aafc38be04b0ba90ea48f29c00f0ec04
SHA1: f8bdfd3e4637f0d7f20f25017e3ed0f8f260da4f
SHA256: a47c36fd29bf0f67463bd79a08705ff93415043fafc33bf488aecb8201e1cc62
SHA512: fbd2764580ccdbf40c959e62767bc9002d1f88c207eb7bb476af5e851a31999806b069cef0a1b1b481b369a9879d92d1f1473e0ef4beae10683830f35405abf4