Analysis
-
max time kernel
27s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 03:36
Static task
static1
Behavioral task
behavioral1
Sample
ac287ce5d3b1ab3e0a5849cea18c94b18405b7e4fbca8ab54bfc7f0fdf5d41edN.dll
Resource
win7-20240903-en
General
-
Target
ac287ce5d3b1ab3e0a5849cea18c94b18405b7e4fbca8ab54bfc7f0fdf5d41edN.dll
-
Size
120KB
-
MD5
2b81d539bf2999905b2f078159b60b50
-
SHA1
c75a7f4976b566bae810b8e0242ccf3a5fbb1e71
-
SHA256
ac287ce5d3b1ab3e0a5849cea18c94b18405b7e4fbca8ab54bfc7f0fdf5d41ed
-
SHA512
fd02617215ab2a87714cfe3741f3e97caac4e2159534f70653d6fdfcb3e60781e54fe158d29aa2f3de9208f4e75dd2588d73e638f97e3bd73b7d7963b250ed85
-
SSDEEP
3072:vKu8S8NeoQqnCZtQ21syk4SjOdRkLmF7DVyiEy:vKumQqb2iaSjMmyF7DVyit
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76df76.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76df76.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76df76.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76df76.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76c39d.exe -
Executes dropped EXE 3 IoCs
pid Process 2056 f76c39d.exe 2844 f76c948.exe 2592 f76df76.exe -
Loads dropped DLL 6 IoCs
pid Process 2368 rundll32.exe 2368 rundll32.exe 2368 rundll32.exe 2368 rundll32.exe 2368 rundll32.exe 2368 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76c39d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76df76.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76c39d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76c39d.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76df76.exe -
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: f76c39d.exe File opened (read-only) \??\R: f76c39d.exe File opened (read-only) \??\E: f76c39d.exe File opened (read-only) \??\I: f76c39d.exe File opened (read-only) \??\J: f76c39d.exe File opened (read-only) \??\E: f76df76.exe File opened (read-only) \??\G: f76c39d.exe File opened (read-only) \??\M: f76c39d.exe File opened (read-only) \??\N: f76c39d.exe File opened (read-only) \??\P: f76c39d.exe File opened (read-only) \??\K: f76c39d.exe File opened (read-only) \??\L: f76c39d.exe File opened (read-only) \??\O: f76c39d.exe File opened (read-only) \??\Q: f76c39d.exe -
resource yara_rule behavioral1/memory/2056-19-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-15-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-14-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-17-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-22-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-16-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-21-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-20-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-18-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-13-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-50-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-53-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-65-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-66-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-67-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2368-79-0x00000000002C0000-0x00000000002D2000-memory.dmp upx behavioral1/memory/2056-84-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-86-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-87-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-89-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-90-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2056-158-0x0000000000660000-0x000000000171A000-memory.dmp upx behavioral1/memory/2592-189-0x0000000000920000-0x00000000019DA000-memory.dmp upx behavioral1/memory/2592-215-0x0000000000920000-0x00000000019DA000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\f76c40a f76c39d.exe File opened for modification C:\Windows\SYSTEM.INI f76c39d.exe File created C:\Windows\f77189f f76df76.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76c39d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76df76.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2056 f76c39d.exe 2056 f76c39d.exe 2592 f76df76.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2056 f76c39d.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe Token: SeDebugPrivilege 2592 f76df76.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2340 wrote to memory of 2368 2340 rundll32.exe 30 PID 2368 wrote to memory of 2056 2368 rundll32.exe 31 PID 2368 wrote to memory of 2056 2368 rundll32.exe 31 PID 2368 wrote to memory of 2056 2368 rundll32.exe 31 PID 2368 wrote to memory of 2056 2368 rundll32.exe 31 PID 2056 wrote to memory of 1116 2056 f76c39d.exe 19 PID 2056 wrote to memory of 1180 2056 f76c39d.exe 20 PID 2056 wrote to memory of 1256 2056 f76c39d.exe 21 PID 2056 wrote to memory of 1328 2056 f76c39d.exe 23 PID 2056 wrote to memory of 2340 2056 f76c39d.exe 29 PID 2056 wrote to memory of 2368 2056 f76c39d.exe 30 PID 2056 wrote to memory of 2368 2056 f76c39d.exe 30 PID 2368 wrote to memory of 2844 2368 rundll32.exe 32 PID 2368 wrote to memory of 2844 2368 rundll32.exe 32 PID 2368 wrote to memory of 2844 2368 rundll32.exe 32 PID 2368 wrote to memory of 2844 2368 rundll32.exe 32 PID 2368 wrote to memory of 2592 2368 rundll32.exe 34 PID 2368 wrote to memory of 2592 2368 rundll32.exe 34 PID 2368 wrote to memory of 2592 2368 rundll32.exe 34 PID 2368 wrote to memory of 2592 2368 rundll32.exe 34 PID 2056 wrote to memory of 1116 2056 f76c39d.exe 19 PID 2056 wrote to memory of 1180 2056 f76c39d.exe 20 PID 2056 wrote to memory of 1256 2056 f76c39d.exe 21 PID 2056 wrote to memory of 1328 2056 f76c39d.exe 23 PID 2056 wrote to memory of 2844 2056 f76c39d.exe 32 PID 2056 wrote to memory of 2844 2056 f76c39d.exe 32 PID 2056 wrote to memory of 2592 2056 f76c39d.exe 34 PID 2056 wrote to memory of 2592 2056 f76c39d.exe 34 PID 2592 wrote to memory of 1116 2592 f76df76.exe 19 PID 2592 wrote to memory of 1180 2592 f76df76.exe 20 PID 2592 wrote to memory of 1256 2592 f76df76.exe 21 PID 2592 wrote to memory of 1328 2592 f76df76.exe 23 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c39d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76df76.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1116
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1180
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1256
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ac287ce5d3b1ab3e0a5849cea18c94b18405b7e4fbca8ab54bfc7f0fdf5d41edN.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ac287ce5d3b1ab3e0a5849cea18c94b18405b7e4fbca8ab54bfc7f0fdf5d41edN.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\f76c39d.exeC:\Users\Admin\AppData\Local\Temp\f76c39d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\f76c948.exeC:\Users\Admin\AppData\Local\Temp\f76c948.exe4⤵
- Executes dropped EXE
PID:2844
-
-
C:\Users\Admin\AppData\Local\Temp\f76df76.exeC:\Users\Admin\AppData\Local\Temp\f76df76.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2592
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1328
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD5ef12d3e8a6497f39758698927b4e5923
SHA1f4178987a21f73b3577e6dea3bcabcbda5f5927c
SHA256e83e6f4c004ad1fbf7977a859753f121d1a462079cb7952ba33947739f076b33
SHA51279f29c442c41c464da94bcd8f079b61dc533917886bea9c5c707c23dc96212bd5ccd4fafa55c904cf325425962c8f8ab0750c065bfbcd8182972a9ffe72962f5
-
Filesize
257B
MD5f4067fa178e8e0568675e65141cdd52c
SHA1d15a78cf559296b8b807c7a3ebe5322461dbf135
SHA2566fc2c9d7047a730764d9949d879ac5c2053dd2db60015af1fd1fe884ea504970
SHA5121bf2bf08a0c7e0fac42c609819b1082ca05b71124f75d862ee39a769ed4f7f16b7734ec0384aed29c6a0cd0d23fa0e30b394aeb5cd330fd172c77312023c6b3b