Analysis
- max time kernel: 27s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 12:14
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5201882e9008a95c8457bca2b1007f5cb9c5011c3037bb226a2c805350a5b4daN.dll
- Resource: win7-20240903-en
General
- Target: 5201882e9008a95c8457bca2b1007f5cb9c5011c3037bb226a2c805350a5b4daN.dll
- Size: 120KB
- MD5: 81022d4d423cda25e92813b8c701fb00
- SHA1: b896410ee121dbdcd6d763ae27416af8fbb1b21b
- SHA256: 5201882e9008a95c8457bca2b1007f5cb9c5011c3037bb226a2c805350a5b4da
- SHA512: d839bfb5921f421efbcaaa758dcf42ba7aaaa3ba6af57a8aaa04cef872732175da99fd9512bc72a5c0a0cee329a2a5f57b6550fbb870786f61e339cf711afb5f
- SSDEEP: 1536:TiDMiVPJglpj5/LXF5sA3yXoFmwkoTQi8o1Dtp5+pvGjb46:Ti+j1Le4FmFoTQlo1DtupIk
Malware Config
Extracted family: sality
URLs from the extracted configuration:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Both dropped executables write the same three values under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile:
- f76c0df.exe: Set value (int) EnableFirewall = "0"; DoNotAllowExceptions = "0"; DisableNotifications = "1"
- f76c294.exe: Set value (int) EnableFirewall = "0"; DoNotAllowExceptions = "0"; DisableNotifications = "1"

Sality family

UAC bypass (2 IoCs)
- f76c294.exe, f76c0df.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass (12 IoCs)
Both dropped executables set the following values to "1" (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center:
- f76c0df.exe: AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, UpdatesDisableNotify
- f76c294.exe: AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, UpdatesDisableNotify

Executes dropped EXE (3 IoCs)
- PID 1984 f76c0df.exe
- PID 2188 f76c294.exe
- PID 2672 f76dc5b.exe

Loads dropped DLL (6 IoCs)
- PID 2392 rundll32.exe (6 loads)

Windows security modification (14 IoCs)
The same six Security Center values as above, again set to "1" (int) by both processes, plus one key creation each:
- f76c0df.exe: AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, UpdatesDisableNotify; Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- f76c294.exe: AntiVirusDisableNotify, AntiVirusOverride, FirewallDisableNotify, FirewallOverride, UacDisableNotify, UpdatesDisableNotify; Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled (2 IoCs)
- f76c0df.exe, f76c294.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Note on the key paths: the firewall values live under HKLM\SYSTEM, which is not redirected for 32-bit processes, and EnableLUA lives under the Policies key, which is shared between the 32-bit and 64-bit registry views; both therefore hit the real locations (EnableLUA = 0 only takes effect at the next logon). The Security Center values were written under Wow6432Node, the WOW64-redirected view that a 32-bit process sees on this x64 image, and this run does not show whether the 64-bit Security Center picks them up.
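The registry rows in the signature tables above (firewall policy, UAC bypass, Windows security bypass and modification, the UAC check, and the System policy modification rows further down) all have the same shape. The following script, added here by the editor and not part of the report or of the sample, parses rows in that format and maps each write to the defense it weakens, separating writes that landed in the WOW64 (Wow6432Node) view from writes to the native location. The input rows are copied from the report except for the last one, which is a constructed control row that matches no rule; the POLICY table and the function names are the editor's own.

```python
"""Parse 'Set value' / 'Key created' IoC rows in the sandbox report's format and
map each registry write to the defense it weakens (editor's example, not report code)."""
import re
from collections import defaultdict

# Constructed input: rows in the report's own format. All but the last row are
# copied from the signature tables; the last one is a control row that matches nothing.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c0df.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76c294.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76c294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76c294.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c0df.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76c0df.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76c0df.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\Unrelated = "1" notepad.exe
""".strip().splitlines()

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\.+) (?P<proc>\S+)$')

# Editor's policy table (assumption): value name -> (expected parent-key suffix,
# value that weakens the defense, what that does).
POLICY = {
    "EnableFirewall":         ("FirewallPolicy\\StandardProfile", "0", "Windows Firewall turned off"),
    "DoNotAllowExceptions":   ("FirewallPolicy\\StandardProfile", "0", "firewall exceptions permitted"),
    "DisableNotifications":   ("FirewallPolicy\\StandardProfile", "1", "firewall block notifications suppressed"),
    "EnableLUA":              ("Policies\\System", "0", "UAC disabled (effective at next logon)"),
    "AntiVirusDisableNotify": ("Microsoft\\Security Center", "1", "Security Center AV warnings suppressed"),
    "FirewallDisableNotify":  ("Microsoft\\Security Center", "1", "Security Center firewall warnings suppressed"),
    "UacDisableNotify":       ("Microsoft\\Security Center", "1", "Security Center UAC warnings suppressed"),
    "UpdatesDisableNotify":   ("Microsoft\\Security Center", "1", "Security Center update warnings suppressed"),
    "AntiVirusOverride":      ("Microsoft\\Security Center", "1", "Security Center AV status monitoring overridden"),
    "FirewallOverride":       ("Microsoft\\Security Center", "1", "Security Center firewall status monitoring overridden"),
}


def parse_row(row):
    """Return a dict for one IoC row, or None when the row is not a registry write."""
    m = SET_RE.match(row)
    if m:
        parent, name = m["path"].rsplit("\\", 1)
        return {"op": "set", "parent": parent, "name": name,
                "value": m["value"], "proc": m["proc"]}
    m = KEY_RE.match(row)
    if m:
        return {"op": "create", "parent": m["path"], "name": None,
                "value": None, "proc": m["proc"]}
    return None


def split_wow64(parent):
    """Strip the WOW64 redirection node from a key path and report whether it was there.
    A 32-bit process writing under the SOFTWARE hive on x64 lands in Wow6432Node unless
    the key is one of the shared ones (the Policies key is shared; Security Center is not)."""
    redirected = "\\Wow6432Node\\" in parent
    return parent.replace("\\Wow6432Node", ""), redirected


def assess(rows):
    """Map each process to the defenses its registry writes weaken."""
    findings = defaultdict(list)
    for row in rows:
        rec = parse_row(row)
        if rec is None or rec["op"] != "set":
            continue
        rule = POLICY.get(rec["name"])
        if rule is None:
            continue
        key_suffix, bad_value, effect = rule
        parent, redirected = split_wow64(rec["parent"])
        if not parent.endswith(key_suffix) or rec["value"] != bad_value:
            continue
        findings[rec["proc"]].append(
            {"name": rec["name"], "effect": effect, "wow64_view": redirected})
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in assess(REPORT_ROWS).items():
        for h in hits:
            view = " [Wow6432Node view]" if h["wow64_view"] else ""
            print(f"{proc}: {h['name']} -> {h['effect']}{view}")
```

Rows that do not parse, or that set a value the policy table does not know, are skipped rather than reported, so the output is a list of confirmed defense-weakening writes per process; the `wow64_view` flag carries the caveat from the note above into each finding.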
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- f76c0df.exe: File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (F: does not appear in the list)

UPX packed file (yara rule: upx, 24 memory dumps)
- PID 1984 f76c0df.exe, region 0x0000000000590000-0x000000000164A000: behavioral1/memory/1984-<n>-0x0000000000590000-0x000000000164A000-memory.dmp for n = 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 62, 63, 64, 65, 66, 68, 69, 84, 85, 87, 107, 151
- PID 2188 f76c294.exe, region 0x0000000000940000-0x00000000019FA000: behavioral1/memory/2188-<n>-0x0000000000940000-0x00000000019FA000-memory.dmp for n = 159, 182
Drops file in Windows directory (3 IoCs)
- f76c0df.exe: File created C:\Windows\f76c15c
- f76c0df.exe: File opened for modification C:\Windows\SYSTEM.INI
- f76c294.exe: File created C:\Windows\f77117e

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe, f76c0df.exe and f76c294.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 1984 f76c0df.exe (2 events)
- PID 2188 f76c294.exe (1 event)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
- Token: SeDebugPrivilege, enabled repeatedly by PID 1984 f76c0df.exe and by PID 2188 f76c294.exe (46 events in total). SeDebugPrivilege is what allows these processes to open SYSTEM-owned processes such as taskhost.exe with write access, which the WriteProcessMemory rows below show them doing.
Suspicious use of WriteProcessMemory (38 IoCs)
Rows are grouped by writer and target. The trailing number in the original table (procid_target) is the report's internal index of the target process, not a PID; it is given here after the event count. Target image names are taken from the Processes section below.
- PID 2148 rundll32.exe (system32) wrote to 2392 rundll32.exe (SysWOW64): 7 events, target index 30
- PID 2392 rundll32.exe wrote to 1984 f76c0df.exe: 4 events, index 31; to 2188 f76c294.exe: 4 events, index 32; to 2672 f76dc5b.exe: 4 events, index 34
- PID 1984 f76c0df.exe wrote to 1112 taskhost.exe: 2 events, index 19; 1188 Dwm.exe: 2 events, index 20; 1248 Explorer.EXE: 2 events, index 21; 608 DllHost.exe: 2 events, index 25; 2148 rundll32.exe: 1 event, index 29; 2392 rundll32.exe: 2 events, index 30; 2188 f76c294.exe: 2 events, index 32; 2672 f76dc5b.exe: 2 events, index 34
- PID 2188 f76c294.exe wrote to 1112 taskhost.exe: 1 event, index 19; 1188 Dwm.exe: 1 event, index 20; 1248 Explorer.EXE: 1 event, index 21; 608 DllHost.exe: 1 event, index 25
The writes from the two dropped executables into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, none of which they spawned, are the injection behaviour. The parent-to-child writes from the rundll32.exe processes are consistent with ordinary process creation, where the parent writes the new process's parameters into it.
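The distinction drawn above, a parent writing into a process it is starting versus a process writing into one it did not spawn, can be applied mechanically to the rows of this table. The script below is an added example by the editor, not part of the report or of the sample: it parses rows in the report's "PID <src> wrote to memory of <dst> <src> <image> <index>" format, collapses repeats, and classifies each writer/target pair against the process tree transcribed from the Processes section. Parents that the report does not show (the system processes and the first rundll32.exe) are recorded as None, which is an assumption about the page, not a fact from it; the event rows are a constructed subset of the 38 rows above and the function names are the editor's.

```python
"""Classify WriteProcessMemory rows from the sandbox report as parent-to-child
(process start) or cross-process (injection candidate). Editor's example."""
import re
from collections import Counter, defaultdict

# pid -> (image name, parent pid), transcribed from the report's Processes section.
# Parents not shown on the page are None (assumption).
PROCESS_TREE = {
    1112: ("taskhost.exe", None),
    1188: ("Dwm.exe", None),
    1248: ("Explorer.EXE", None),
    608: ("DllHost.exe", None),
    2148: ("rundll32.exe", None),
    2392: ("rundll32.exe", 2148),
    1984: ("f76c0df.exe", 2392),
    2188: ("f76c294.exe", 2392),
    2672: ("f76dc5b.exe", 2392),
}

# Constructed input: a subset of the report's rows, in its own format. The trailing
# number is the report's internal target index (procid_target), not a PID.
EVENT_ROWS = """
PID 2148 wrote to memory of 2392 2148 rundll32.exe 30
PID 2148 wrote to memory of 2392 2148 rundll32.exe 30
PID 2392 wrote to memory of 1984 2392 rundll32.exe 31
PID 1984 wrote to memory of 1112 1984 f76c0df.exe 19
PID 1984 wrote to memory of 1188 1984 f76c0df.exe 20
PID 1984 wrote to memory of 1248 1984 f76c0df.exe 21
PID 1984 wrote to memory of 608 1984 f76c0df.exe 25
PID 1984 wrote to memory of 2148 1984 f76c0df.exe 29
PID 1984 wrote to memory of 2392 1984 f76c0df.exe 30
PID 2392 wrote to memory of 2188 2392 rundll32.exe 32
PID 1984 wrote to memory of 2188 1984 f76c0df.exe 32
PID 2188 wrote to memory of 1112 2188 f76c294.exe 19
""".strip().splitlines()

# The writer PID appears twice in each row; the backreference enforces that.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)$"
)


def parse_event(row):
    """Return (src pid, dst pid, src image) for one row, or None if it does not match."""
    m = EVENT_RE.match(row)
    if not m:
        return None
    return int(m["src"]), int(m["dst"]), m["image"]


def classify(src, dst, tree):
    """'parent' when src is the recorded parent of dst (process start), else 'cross'."""
    _, dst_parent = tree.get(dst, ("?", None))
    return "parent" if dst_parent == src else "cross"


def triage(rows, tree=PROCESS_TREE):
    """Collapse repeated rows per (src, dst) pair and classify each pair."""
    counts = Counter()
    images = {}
    for row in rows:
        ev = parse_event(row)
        if ev is None:
            continue
        src, dst, image = ev
        counts[(src, dst)] += 1
        images[src] = image
    result = []
    for (src, dst), n in sorted(counts.items()):
        result.append({
            "src": src, "src_image": images[src],
            "dst": dst, "dst_image": tree.get(dst, ("?", None))[0],
            "kind": classify(src, dst, tree), "events": n,
        })
    return result


def injection_targets(rows, tree=PROCESS_TREE):
    """Writer image -> sorted list of images it wrote into without being their parent."""
    out = defaultdict(set)
    for r in triage(rows, tree):
        if r["kind"] == "cross":
            out[r["src_image"]].add(r["dst_image"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for r in triage(EVENT_ROWS):
        print(f"{r['src']} {r['src_image']} -> {r['dst']} {r['dst_image']}: "
              f"{r['kind']} ({r['events']} event(s))")
```

With the tree as transcribed, every write by the two rundll32.exe processes is to a direct child, while f76c0df.exe writes into four system processes, both rundll32.exe instances and its sibling f76c294.exe; a PID whose parent is unknown is treated as "cross" for any writer, so the classification errs toward flagging rather than excusing a write.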
System policy modification (1 TTPs, 2 IoCs)
- f76c294.exe, f76c0df.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", PID 1112
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", PID 1188
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 1248
- C:\Windows\system32\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\5201882e9008a95c8457bca2b1007f5cb9c5011c3037bb226a2c805350a5b4daN.dll,#1, PID 2148 (the report shows this process at depth 2; its parent is not listed). The 64-bit rundll32.exe hands the 32-bit DLL off to its SysWOW64 counterpart below.
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\5201882e9008a95c8457bca2b1007f5cb9c5011c3037bb226a2c805350a5b4daN.dll,#1, PID 2392
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76c0df.exe, command line C:\Users\Admin\AppData\Local\Temp\f76c0df.exe, PID 1984
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76c294.exe, command line C:\Users\Admin\AppData\Local\Temp\f76c294.exe, PID 2188
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76dc5b.exe, command line C:\Users\Admin\AppData\Local\Temp\f76dc5b.exe, PID 2672
      - Executes dropped EXE
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 608
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
The report does not say which dropped path each of these two files corresponds to.
File 1
- Filesize: 257B
- MD5: 6cebff01de9cddb160979b4922116350
- SHA1: aee87aa2f4b2202b8f712ca18f1a2d7bd49e92e8
- SHA256: f409de9580dbd3e7b5eb9f1d311ce4e5be1d5dd0a078c75371c91748b30d4e91
- SHA512: b0cc6e0872961cd7e4a49fd2709f12b3655dfbae16f202d27e3bfbcfd9660174d57bed5143cc792d38ca777e0c1b09ecfce44906cc9708f27097d169f4fa82bf
File 2
- Filesize: 97KB
- MD5: 0457ad3240f5492d9ed77824665e86a0
- SHA1: 654fdc4b97c6341feb7396268f090451764a1f47
- SHA256: 6eede2bdb627c979c7f6a108f04a59c7509f65e52b73ab1231ed5823e8cbb712
- SHA512: 2c6429af2040cbcc03fb6d537673231e7cf6833260bbe6e85bb9edfb116060702d05881fef935eae9466e1f283e8e68e644f8fac5e69077c1a5160f27841b3b2