Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 07/11/2024, 04:16
Static task: static1
Behavioral task: behavioral1
Sample: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll
Resource: win7-20241010-en
General
Target: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll
Size: 120KB
MD5: 867dfa4e0a3ae2ee075e6fe2c0d2dfb0
SHA1: eb5a96db57e6573bf0d8e3f4ea16497a7c1968f3
SHA256: 22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117e
SHA512: 42b57335372ff9acef5420c499a972d1716e48cc37fde0f005e19ec384ee982fdb8bb055840922b5f6ae1d79105ff6a839a74ddbab02fedd502b5c577b729d95
SSDEEP: 3072:EULqrS26yqT6mSRC0MYn8DYj7fkaunHQNlVk:EOFF70/DpunHQz2
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f773a42.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f773a42.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f773a42.exe

Executes dropped EXE (3 IoCs)
pid | Process
2756 | f771ed6.exe
1640 | f7720ca.exe
2632 | f773a42.exe

Loads dropped DLL (6 IoCs)
pid | Process
2528 | rundll32.exe (6 entries)

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f771ed6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f773a42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f773a42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f773a42.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f773a42.exe

Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | f771ed6.exe
File opened (read-only) | \??\Q: | f771ed6.exe
File opened (read-only) | \??\H: | f771ed6.exe
File opened (read-only) | \??\N: | f771ed6.exe
File opened (read-only) | \??\O: | f771ed6.exe
File opened (read-only) | \??\R: | f771ed6.exe
File opened (read-only) | \??\E: | f771ed6.exe
File opened (read-only) | \??\G: | f771ed6.exe
File opened (read-only) | \??\J: | f771ed6.exe
File opened (read-only) | \??\L: | f771ed6.exe
File opened (read-only) | \??\S: | f771ed6.exe
File opened (read-only) | \??\T: | f771ed6.exe
File opened (read-only) | \??\E: | f773a42.exe
File opened (read-only) | \??\I: | f771ed6.exe
File opened (read-only) | \??\K: | f771ed6.exe
File opened (read-only) | \??\M: | f771ed6.exe

YARA rule matches on memory dumps
resource | yara_rule
behavioral1/memory/2756-12-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-17-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-21-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-65-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-26-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-22-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-20-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-19-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-18-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-16-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-15-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-14-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-67-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-66-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-68-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-69-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-71-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-72-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-85-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-86-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-88-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-93-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-90-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2756-151-0x0000000000960000-0x0000000001A1A000-memory.dmp | upx
behavioral1/memory/2632-169-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/1640-158-0x0000000000950000-0x0000000001A0A000-memory.dmp | upx
behavioral1/memory/2632-208-0x0000000000920000-0x00000000019DA000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f771f44 | f771ed6.exe
File opened for modification | C:\Windows\SYSTEM.INI | f771ed6.exe
File created | C:\Windows\f777002 | f773a42.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f771ed6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f773a42.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2756 | f771ed6.exe
2756 | f771ed6.exe
2632 | f773a42.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process (duplicate rows collapsed; 45 entries in total)
Token: SeDebugPrivilege | 2756 | f771ed6.exe (repeated)
Token: SeDebugPrivilege | 2632 | f773a42.exe (repeated)

Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target (duplicate rows collapsed, with counts)
PID 2744 wrote to memory of 2528 | 2744 | rundll32.exe | 30 (7 entries)
PID 2528 wrote to memory of 2756 | 2528 | rundll32.exe | 31 (4 entries)
PID 2756 wrote to memory of 1108 | 2756 | f771ed6.exe | 19 (2 entries)
PID 2756 wrote to memory of 1160 | 2756 | f771ed6.exe | 20 (2 entries)
PID 2756 wrote to memory of 1188 | 2756 | f771ed6.exe | 21 (2 entries)
PID 2756 wrote to memory of 1432 | 2756 | f771ed6.exe | 25 (2 entries)
PID 2756 wrote to memory of 2744 | 2756 | f771ed6.exe | 29
PID 2756 wrote to memory of 2528 | 2756 | f771ed6.exe | 30 (2 entries)
PID 2528 wrote to memory of 1640 | 2528 | rundll32.exe | 32 (4 entries)
PID 2528 wrote to memory of 2632 | 2528 | rundll32.exe | 33 (4 entries)
PID 2756 wrote to memory of 1640 | 2756 | f771ed6.exe | 32 (2 entries)
PID 2756 wrote to memory of 2632 | 2756 | f771ed6.exe | 33 (2 entries)
PID 2632 wrote to memory of 1108 | 2632 | f773a42.exe | 19
PID 2632 wrote to memory of 1160 | 2632 | f773a42.exe | 20
PID 2632 wrote to memory of 1188 | 2632 | f773a42.exe | 21
PID 2632 wrote to memory of 1432 | 2632 | f773a42.exe | 25

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f771ed6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f773a42.exe

Processes
image | command line | pid (child processes indented under their parent)
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID: 1108
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID: 1160
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 1188
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll,#1 | PID: 2744
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\22204ae218b80ffd3971864c0264807bed0704485695ffd00832e593fb73117eN.dll,#1 | PID: 2528
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f771ed6.exe | C:\Users\Admin\AppData\Local\Temp\f771ed6.exe | PID: 2756
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f7720ca.exe | C:\Users\Admin\AppData\Local\Temp\f7720ca.exe | PID: 1640
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\f773a42.exe | C:\Users\Admin\AppData\Local\Temp\f773a42.exe | PID: 2632
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 1432
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 499f97fc98461047215d56f8bb476033
SHA1: ea38447742bdab0c7666db91bc262881d1ab222d
SHA256: 8e9644423cdcb4031e4165600c9f22d8be2d8f4bf0629ed99f959febef59d1ec
SHA512: 05f3a1ae91cf58073766cce535e8727ad431cdf70df26f790b05271a70483529e94e8237da852f6e34adcb58941aacd9cc759348dbf2f33fc12a953435e046dc

Filesize: 257B
MD5: a1faf23194e79da1dba8616de23710d1
SHA1: a15158e663eb5722fff5daf0a184fd44e2411f6c
SHA256: b612e5aa3afcdb8fda25c7bde31648936567db347d3dcf994fac397adb053d73
SHA512: aa2b7c9dbba7e739b174cd4014ab9f68fadfa922682b8a405c3390cb25e3bd303a894552434eff30e0337c6036d4b5413580f5825d98b9a3bae3149d1a5ed0cc