Analysis

max time kernel: 28s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:43

Static task: static1
Behavioral task: behavioral1
Sample: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll
Resource: win7-20240729-en
General

Target: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll
Size: 120KB
MD5: 377cbdad1a91a649c2706f3a78712a10
SHA1: 864451098f5858effbff0e0844b799633d907f7f
SHA256: a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9
SHA512: f774388415fe1e6c02b39678eb6d0cdeaa556deb61f37d3420c98eaacf9d77ff63a860af77824ad185ae175f3977ee2450c91f973e49047e8c5ff53ef5cdfb23
SSDEEP: 3072:yvHADPcH9T2DrjRE7HsgblHKKHOt8TL8v:sATO2fjm7Mgbl5+
Malware Config

Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cfec.exe |
Sality family

UAC bypass

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cfec.exe |
Windows security bypass

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cfec.exe |
Executes dropped EXE (3 IoCs)

| pid | process |
| --- | --- |
| 2120 | f76b2bc.exe |
| 2876 | f76b461.exe |
| 1664 | f76cfec.exe |
Loads dropped DLL (6 IoCs)

| pid | process |
| --- | --- |
| 2888 | rundll32.exe |
| 2888 | rundll32.exe |
| 2888 | rundll32.exe |
| 2888 | rundll32.exe |
| 2888 | rundll32.exe |
| 2888 | rundll32.exe |
Windows security modification

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b2bc.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cfec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cfec.exe |
Checks whether UAC is enabled

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2bc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cfec.exe |
Enumerates connected drives (3 TTPs, 12 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | process |
| --- | --- | --- |
| File opened (read-only) | \??\K: | f76b2bc.exe |
| File opened (read-only) | \??\O: | f76b2bc.exe |
| File opened (read-only) | \??\M: | f76b2bc.exe |
| File opened (read-only) | \??\N: | f76b2bc.exe |
| File opened (read-only) | \??\E: | f76b2bc.exe |
| File opened (read-only) | \??\G: | f76b2bc.exe |
| File opened (read-only) | \??\H: | f76b2bc.exe |
| File opened (read-only) | \??\I: | f76b2bc.exe |
| File opened (read-only) | \??\J: | f76b2bc.exe |
| File opened (read-only) | \??\L: | f76b2bc.exe |
| File opened (read-only) | \??\E: | f76cfec.exe |
| File opened (read-only) | \??\G: | f76cfec.exe |
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2120-13-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-22-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-15-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-18-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-17-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-16-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-21-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-20-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-14-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-19-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-62-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-63-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-64-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-65-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-78-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-79-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-81-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-101-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-102-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-105-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-106-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/2120-143-0x0000000000650000-0x000000000170A000-memory.dmp | upx |
| behavioral1/memory/1664-159-0x0000000000910000-0x00000000019CA000-memory.dmp | upx |
| behavioral1/memory/1664-196-0x0000000000910000-0x00000000019CA000-memory.dmp | upx |
Drops file in Windows directory (3 IoCs)

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\f76b319 | f76b2bc.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f76b2bc.exe |
| File created | C:\Windows\f77037a | f76cfec.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b2bc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cfec.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | process |
| --- | --- |
| 2120 | f76b2bc.exe |
| 2120 | f76b2bc.exe |
| 1664 | f76cfec.exe |
Suspicious use of AdjustPrivilegeToken (46 IoCs)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 2120 | f76b2bc.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
| Token: SeDebugPrivilege | 1664 | f76cfec.exe |
Suspicious use of WriteProcessMemory (38 IoCs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 1508 wrote to memory of 2888 | 1508 | rundll32.exe | rundll32.exe |
| PID 2888 wrote to memory of 2120 | 2888 | rundll32.exe | f76b2bc.exe |
| PID 2888 wrote to memory of 2120 | 2888 | rundll32.exe | f76b2bc.exe |
| PID 2888 wrote to memory of 2120 | 2888 | rundll32.exe | f76b2bc.exe |
| PID 2888 wrote to memory of 2120 | 2888 | rundll32.exe | f76b2bc.exe |
| PID 2120 wrote to memory of 1076 | 2120 | f76b2bc.exe | taskhost.exe |
| PID 2120 wrote to memory of 1168 | 2120 | f76b2bc.exe | Dwm.exe |
| PID 2120 wrote to memory of 1208 | 2120 | f76b2bc.exe | Explorer.EXE |
| PID 2120 wrote to memory of 1800 | 2120 | f76b2bc.exe | DllHost.exe |
| PID 2120 wrote to memory of 1508 | 2120 | f76b2bc.exe | rundll32.exe |
| PID 2120 wrote to memory of 2888 | 2120 | f76b2bc.exe | rundll32.exe |
| PID 2120 wrote to memory of 2888 | 2120 | f76b2bc.exe | rundll32.exe |
| PID 2888 wrote to memory of 2876 | 2888 | rundll32.exe | f76b461.exe |
| PID 2888 wrote to memory of 2876 | 2888 | rundll32.exe | f76b461.exe |
| PID 2888 wrote to memory of 2876 | 2888 | rundll32.exe | f76b461.exe |
| PID 2888 wrote to memory of 2876 | 2888 | rundll32.exe | f76b461.exe |
| PID 2888 wrote to memory of 1664 | 2888 | rundll32.exe | f76cfec.exe |
| PID 2888 wrote to memory of 1664 | 2888 | rundll32.exe | f76cfec.exe |
| PID 2888 wrote to memory of 1664 | 2888 | rundll32.exe | f76cfec.exe |
| PID 2888 wrote to memory of 1664 | 2888 | rundll32.exe | f76cfec.exe |
| PID 2120 wrote to memory of 1076 | 2120 | f76b2bc.exe | taskhost.exe |
| PID 2120 wrote to memory of 1168 | 2120 | f76b2bc.exe | Dwm.exe |
| PID 2120 wrote to memory of 1208 | 2120 | f76b2bc.exe | Explorer.EXE |
| PID 2120 wrote to memory of 1800 | 2120 | f76b2bc.exe | DllHost.exe |
| PID 2120 wrote to memory of 2876 | 2120 | f76b2bc.exe | f76b461.exe |
| PID 2120 wrote to memory of 2876 | 2120 | f76b2bc.exe | f76b461.exe |
| PID 2120 wrote to memory of 1664 | 2120 | f76b2bc.exe | f76cfec.exe |
| PID 2120 wrote to memory of 1664 | 2120 | f76b2bc.exe | f76cfec.exe |
| PID 1664 wrote to memory of 1076 | 1664 | f76cfec.exe | taskhost.exe |
| PID 1664 wrote to memory of 1168 | 1664 | f76cfec.exe | Dwm.exe |
| PID 1664 wrote to memory of 1208 | 1664 | f76cfec.exe | Explorer.EXE |
| PID 1664 wrote to memory of 1800 | 1664 | f76cfec.exe | DllHost.exe |
System policy modification (1 TTPs, 2 IoCs)

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cfec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b2bc.exe |
Processes

Each entry is: [tree depth] image path | command line | PID, followed by the signatures that fired for that process.

- [1] C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1076
- [1] C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168
- [1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1208
- [2] C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll,#1 | PID:1508
  - Suspicious use of WriteProcessMemory
  - [3] C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\a112039b1f1bd63ac5c036b468f7828632b56b2a467567e87451cb55d8c1b0b9N.dll,#1 | PID:2888
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [4] C:\Users\Admin\AppData\Local\Temp\f76b2bc.exe | C:\Users\Admin\AppData\Local\Temp\f76b2bc.exe | PID:2120
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - [4] C:\Users\Admin\AppData\Local\Temp\f76b461.exe | C:\Users\Admin\AppData\Local\Temp\f76b461.exe | PID:2876
      - Executes dropped EXE
    - [4] C:\Users\Admin\AppData\Local\Temp\f76cfec.exe | C:\Users\Admin\AppData\Local\Temp\f76cfec.exe | PID:1664
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1800
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 257B
  MD5: d8572d2c338ee676ea4e24023ecaf190
  SHA1: b1829cba55268b18ccfa5453a6c3ae30115e65a6
  SHA256: 615913f8501645651948a56911a9e233955346f8677da608ea4496d29dffc3f6
  SHA512: 0d432099819c861deba7d9f846c7e7dd2637558dfb4ce32c5b21ac94fb4e2eed0e0d39a06f12f4fbdc0fb0eb1a47ce448ae2cb872c23d21d13f0dd89c373ffe7
- Filesize: 97KB
  MD5: 36aa817e00460cb4855674cfc7024421
  SHA1: 90b0faf056f2754e83cdf28e9bda519cbdbb1953
  SHA256: e02ac9c540c662b6e3597d030c524ef35bc12e7202ac8971e299de48aeebbb23
  SHA512: ec4b06b0c6f8b0aa99bd82da95731d712daa52398a2b759dd2998af506b5aadf901cdfb6cbdbff3e67871d3baf2a95dbebaa26e9213b7a4d38bde39ff644d9e1