Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 12:12

Static task: static1
Behavioral task: behavioral1
- Sample: 10a99155fc6867c67b3f4ae8c6f6923dcad0fa6f9303aa4584f8fec9a079a862N.dll
- Resource: win7-20240903-en

General
- Target: 10a99155fc6867c67b3f4ae8c6f6923dcad0fa6f9303aa4584f8fec9a079a862N.dll
- Size: 120KB
- MD5: 8e43f525f78bbf2f969b2aeb63261280
- SHA1: c0c01a35cef677948bba36d040aa8457c06e2763
- SHA256: 10a99155fc6867c67b3f4ae8c6f6923dcad0fa6f9303aa4584f8fec9a079a862
- SHA512: 077e9471b292dd0101fa9b5056370f4b7ca28fb450452ebdf96d6a95814feb19a867bd70f89d15d64f607686fed461d1bd3d3601c7d9219e5627adfe94d6b7e0
- SSDEEP: 1536:bSN2pVJaC/lyma/GiGtRHkGikYjmWC6tBoGxmH7Qqb5Uq/Sj5JCKLoXQtixr/Hh:WQVJaeYnHGikctxq95t//Ak1
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f76f325.exe)
Sality family

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f325.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f325.exe)
Executes dropped EXE (3 IoCs)
- PID 2108: f76d77b.exe
- PID 2556: f76d901.exe
- PID 2624: f76f325.exe
Loads dropped DLL (6 IoCs)
- PID 2100: rundll32.exe
- PID 2100: rundll32.exe
- PID 2100: rundll32.exe
- PID 2100: rundll32.exe
- PID 2100: rundll32.exe
- PID 2100: rundll32.exe
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76f325.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76f325.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f76f325.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f76d77b.exe)
Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f325.exe)
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\J: (f76d77b.exe)
- File opened (read-only): \??\K: (f76d77b.exe)
- File opened (read-only): \??\T: (f76d77b.exe)
- File opened (read-only): \??\E: (f76d77b.exe)
- File opened (read-only): \??\H: (f76d77b.exe)
- File opened (read-only): \??\P: (f76d77b.exe)
- File opened (read-only): \??\G: (f76f325.exe)
- File opened (read-only): \??\S: (f76d77b.exe)
- File opened (read-only): \??\E: (f76f325.exe)
- File opened (read-only): \??\O: (f76d77b.exe)
- File opened (read-only): \??\Q: (f76d77b.exe)
- File opened (read-only): \??\R: (f76d77b.exe)
- File opened (read-only): \??\G: (f76d77b.exe)
- File opened (read-only): \??\I: (f76d77b.exe)
- File opened (read-only): \??\L: (f76d77b.exe)
- File opened (read-only): \??\M: (f76d77b.exe)
- File opened (read-only): \??\N: (f76d77b.exe)
Yara rule match: upx (resource / yara_rule)
- behavioral1/memory/2108-15-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-17-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-20-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-14-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-18-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-13-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-19-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-22-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-21-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-16-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-60-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-61-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-62-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-63-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-64-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-66-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-67-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-83-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-85-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-87-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-108-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-109-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2108-151-0x0000000000670000-0x000000000172A000-memory.dmp (upx)
- behavioral1/memory/2624-168-0x00000000009C0000-0x0000000001A7A000-memory.dmp (upx)
- behavioral1/memory/2624-208-0x00000000009C0000-0x0000000001A7A000-memory.dmp (upx)
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\f76d7d8 (f76d77b.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (f76d77b.exe)
- File created: C:\Windows\f77280a (f76f325.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76f325.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f76d77b.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2108: f76d77b.exe
- PID 2108: f76d77b.exe
- PID 2624: f76f325.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description pid Process Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2108 f76d77b.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe Token: SeDebugPrivilege 2624 f76f325.exe -
Suspicious use of WriteProcessMemory (38 IoCs)
Fields: description / source pid and process / procid_target
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 1728 wrote to memory of 2100 | 1728 rundll32.exe | 32
- PID 2100 wrote to memory of 2108 | 2100 rundll32.exe | 33
- PID 2100 wrote to memory of 2108 | 2100 rundll32.exe | 33
- PID 2100 wrote to memory of 2108 | 2100 rundll32.exe | 33
- PID 2100 wrote to memory of 2108 | 2100 rundll32.exe | 33
- PID 2108 wrote to memory of 1052 | 2108 f76d77b.exe | 17
- PID 2108 wrote to memory of 1072 | 2108 f76d77b.exe | 18
- PID 2108 wrote to memory of 1148 | 2108 f76d77b.exe | 20
- PID 2108 wrote to memory of 1956 | 2108 f76d77b.exe | 23
- PID 2108 wrote to memory of 1728 | 2108 f76d77b.exe | 31
- PID 2108 wrote to memory of 2100 | 2108 f76d77b.exe | 32
- PID 2108 wrote to memory of 2100 | 2108 f76d77b.exe | 32
- PID 2100 wrote to memory of 2556 | 2100 rundll32.exe | 34
- PID 2100 wrote to memory of 2556 | 2100 rundll32.exe | 34
- PID 2100 wrote to memory of 2556 | 2100 rundll32.exe | 34
- PID 2100 wrote to memory of 2556 | 2100 rundll32.exe | 34
- PID 2100 wrote to memory of 2624 | 2100 rundll32.exe | 35
- PID 2100 wrote to memory of 2624 | 2100 rundll32.exe | 35
- PID 2100 wrote to memory of 2624 | 2100 rundll32.exe | 35
- PID 2100 wrote to memory of 2624 | 2100 rundll32.exe | 35
- PID 2108 wrote to memory of 1052 | 2108 f76d77b.exe | 17
- PID 2108 wrote to memory of 1072 | 2108 f76d77b.exe | 18
- PID 2108 wrote to memory of 1148 | 2108 f76d77b.exe | 20
- PID 2108 wrote to memory of 1956 | 2108 f76d77b.exe | 23
- PID 2108 wrote to memory of 2556 | 2108 f76d77b.exe | 34
- PID 2108 wrote to memory of 2556 | 2108 f76d77b.exe | 34
- PID 2108 wrote to memory of 2624 | 2108 f76d77b.exe | 35
- PID 2108 wrote to memory of 2624 | 2108 f76d77b.exe | 35
- PID 2624 wrote to memory of 1052 | 2624 f76f325.exe | 17
- PID 2624 wrote to memory of 1072 | 2624 f76f325.exe | 18
- PID 2624 wrote to memory of 1148 | 2624 f76f325.exe | 20
- PID 2624 wrote to memory of 1956 | 2624 f76f325.exe | 23
System policy modification (1 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76d77b.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f76f325.exe)
Processes
- C:\Windows\system32\Dwm.exe (PID 1052)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1072)
  command line: "taskhost.exe"
- C:\Windows\Explorer.EXE (PID 1148)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 1728)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10a99155fc6867c67b3f4ae8c6f6923dcad0fa6f9303aa4584f8fec9a079a862N.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2100)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\10a99155fc6867c67b3f4ae8c6f6923dcad0fa6f9303aa4584f8fec9a079a862N.dll,#1
      signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76d77b.exe (PID 2108)
        command line: C:\Users\Admin\AppData\Local\Temp\f76d77b.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76d901.exe (PID 2556)
        command line: C:\Users\Admin\AppData\Local\Temp\f76d901.exe
        signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f76f325.exe (PID 2624)
        command line: C:\Users\Admin\AppData\Local\Temp\f76f325.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (PID 1956)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: c7652d69e518bac8361159c9ff050423
  SHA1: 05c64a2274512d83ae8c8b5f6364f826732f5a74
  SHA256: 4c3f19d03fc4b0fa448f7b3bf8894f439d3097133b746dca6b5fc0d43ae28567
  SHA512: 4713ee58303aae22f3f892f9744655763f88c32a15c60c0b801dadd5640ac913d3d9b3ac75948fe6ecac1f54c62dbc0e832fbe6a3c0b36a0b3115ef2edcd8992
- Filesize: 257B
  MD5: 55f794291c7dd048497574b543f33f98
  SHA1: eccbed741d1fe4b20e95c0fdbd30ceaa41c51d87
  SHA256: 4672cac7d31a3bf69b084348253909666de46ecc1ddafb252f9f299c77149211
  SHA512: f8678661d0215b4e45d040ba8e3c81ccf407dab80bc31deaeaa1e60a6034847cabe1673f0ba6ebed6a2fcd60c06d36c0d1de3f1a58ad3470f9ed02a9f7916884