Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 14:11
Static task: static1
Behavioral task: behavioral1
Sample: 426fd8d69e2b050bb41877f9cb30b8626e6a6f8cab6e42c4d987ebb0c2d89d5bN.dll
Resource: win7-20240903-en
General
Target: 426fd8d69e2b050bb41877f9cb30b8626e6a6f8cab6e42c4d987ebb0c2d89d5bN.dll
Size: 120KB
MD5: c48eb80cc3b77e39c07ae36d8199abe0
SHA1: 965d423feab916f28bc5e004b2736fcfd809765c
SHA256: 426fd8d69e2b050bb41877f9cb30b8626e6a6f8cab6e42c4d987ebb0c2d89d5b
SHA512: 986fdbbec6519b00e874962d87ba88b64fdc0a9530c0b8e6cb9951c10b924c2503927fa651d5efc316e3e0a8e96f05b5eca4d99290a5b5db4a2fbcc36eff36a0
SSDEEP: 3072:cF/KH+36hN/AHqA/uV1QyqY5GREZ5GGAL0sA:j+CNyqAm175Fzex
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767964.exe
Sality family
UAC bypass 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767964.exe
Windows security bypass 12 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767964.exe
Executes dropped EXE 3 IoCs
PID | Process
2672 | f765de8.exe
1268 | f765fdc.exe
2148 | f767964.exe
Loads dropped DLL 6 IoCs
PID | Process
2980 | rundll32.exe (six load events)
Windows security modification 14 IoCs
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f765de8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767964.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767964.exe
Checks whether UAC is enabled 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767964.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Description | IoC | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: | f765de8.exe
File opened (read-only) | \??\E:, \??\G: | f767964.exe
UPX packed (yara rule: upx) 24 IoCs
Resource | yara_rule
behavioral1/memory/2672-{17,18,19,20,21,22,23,24,25,26,66,67,68,69,70,72,73,85,88,91,92,156}-0x00000000006C0000-0x000000000177A000-memory.dmp (22 dumps of the same region of f765de8.exe, PID 2672) | upx
behavioral1/memory/2148-{169,212}-0x0000000000920000-0x00000000019DA000-memory.dmp (2 dumps of f767964.exe, PID 2148) | upx
Drops file in Windows directory 3 IoCs
Description | IoC | Process
File created | C:\Windows\f765e65 | f765de8.exe
File opened for modification | C:\Windows\SYSTEM.INI | f765de8.exe
File created | C:\Windows\f76aee5 | f767964.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f765de8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767964.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
PID | Process
2672 | f765de8.exe (two events)
2148 | f767964.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 2672 | f765de8.exe (repeated)
Token: SeDebugPrivilege | 2148 | f767964.exe (repeated)
Both dropped executables enable SeDebugPrivilege over and over (45 events between them), which is the token adjustment a process needs before it can open and write into other users' processes such as taskhost.exe, Dwm.exe and Explorer.EXE.
Suspicious use of WriteProcessMemory 38 IoCs
Writer PID | Writer process | Target PID | procid_target | Events
2764 | rundll32.exe | 2980 | 30 | 7
2980 | rundll32.exe | 2672 | 31 | 4
2980 | rundll32.exe | 1268 | 32 | 4
2980 | rundll32.exe | 2148 | 33 | 4
2672 | f765de8.exe | 1076 | 18 | 2
2672 | f765de8.exe | 1168 | 20 | 2
2672 | f765de8.exe | 1200 | 21 | 2
2672 | f765de8.exe | 1476 | 23 | 2
2672 | f765de8.exe | 2764 | 29 | 1
2672 | f765de8.exe | 2980 | 30 | 2
2672 | f765de8.exe | 1268 | 32 | 2
2672 | f765de8.exe | 2148 | 33 | 2
2148 | f767964.exe | 1076 | 18 | 1
2148 | f767964.exe | 1168 | 20 | 1
2148 | f767964.exe | 1200 | 21 | 1
2148 | f767964.exe | 1476 | 23 | 1
The writes from each rundll32.exe into the process it has just created (2764 -> 2980, 2980 -> 2672, 1268 and 2148) are the normal CreateProcess start-up pattern. The writes by f765de8.exe (2672) and f767964.exe (2148) into taskhost.exe (1076), Dwm.exe (1168), Explorer.EXE (1200) and DllHost.exe (1476), none of which they created, together with 2672 writing into its own parent chain (2980, 2764) and its siblings (1268, 2148), are the injection behaviour.
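A quick way to read that table is to separate writes into a process the writer itself created (expected during process start-up) from writes into processes it did not. The Python below is an added example, not part of this report or of the sandbox vendor's tooling: the process table and the de-duplicated write pairs are transcribed from this report, the parent of the 64-bit rundll32.exe and of the four system processes is treated as unknown because the report does not show it, and the relation names (parent_child, ancestor, sibling, unrelated) are my own.

```python
# Process table from the report's Processes section: pid -> (image, parent pid).
# None = the parent is not in the report's tree (pre-existing system process or
# a launcher the sandbox does not show).
PROCESSES = {
    1076: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1200: ("Explorer.EXE", None),
    1476: ("DllHost.exe", None),
    2764: ("rundll32.exe", None),   # 64-bit rundll32.exe from system32
    2980: ("rundll32.exe", 2764),   # 32-bit rundll32.exe from SysWOW64
    2672: ("f765de8.exe", 2980),
    1268: ("f765fdc.exe", 2980),
    2148: ("f767964.exe", 2980),
}

# (writer pid, target pid) pairs from "Suspicious use of WriteProcessMemory",
# de-duplicated; the report repeats most of them several times.
WRITES = [
    (2764, 2980), (2980, 2672), (2980, 1268), (2980, 2148),
    (2672, 1076), (2672, 1168), (2672, 1200), (2672, 1476),
    (2672, 2764), (2672, 2980), (2672, 1268), (2672, 2148),
    (2148, 1076), (2148, 1168), (2148, 1200), (2148, 1476),
]


def ancestors(processes, pid):
    """PIDs above `pid` in the tree, nearest parent first."""
    chain, seen = [], set()
    while pid in processes and processes[pid][1] is not None and pid not in seen:
        seen.add(pid)
        pid = processes[pid][1]
        chain.append(pid)
    return chain


def relation(processes, writer, target):
    """How the writer is related to the process it wrote into."""
    if processes.get(target, (None, None))[1] == writer:
        return "parent_child"      # CreateProcess writing into its new child: expected
    if target in ancestors(processes, writer):
        return "ancestor"          # child writing up into its own parent chain
    writer_parent = processes.get(writer, (None, None))[1]
    target_parent = processes.get(target, (None, None))[1]
    if writer_parent is not None and writer_parent == target_parent:
        return "sibling"
    return "unrelated"             # no lineage at all: classic injection target


def classify_writes(processes, writes):
    """Bucket every (writer, target) pair by relation()."""
    buckets = {"parent_child": [], "ancestor": [], "sibling": [], "unrelated": []}
    for writer, target in writes:
        buckets[relation(processes, writer, target)].append((writer, target))
    return buckets


def injectors(processes, writes):
    """{writer pid: sorted (target pid, image)} for every process that wrote
    into a process it did not create. These are the injection candidates."""
    out = {}
    for writer, target in writes:
        if relation(processes, writer, target) != "parent_child":
            out.setdefault(writer, set()).add((target, processes[target][0]))
    return {w: sorted(t) for w, t in out.items()}


if __name__ == "__main__":
    for bucket, pairs in classify_writes(PROCESSES, WRITES).items():
        print(bucket, pairs)
    for writer, targets in injectors(PROCESSES, WRITES).items():
        print(writer, PROCESSES[writer][0], "->", targets)
```

Run against this report, only the four rundll32 writes fall into the parent_child bucket; everything f765de8.exe and f767964.exe do lands in the other three, with 2672 touching eight distinct processes. The same classification works on live Sysmon Event ID 8/10 data once the process table is built from Event ID 1.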
System policy modification 1 TTPs 2 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f765de8.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767964.exe
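The registry writes listed in the signatures above (firewall policy, EnableLUA and the Security Center override/notify values) are one defence-impairment profile, and a host that logs registry value-set events can catch it without any file hash. The following is an added example, not part of the sandbox report and not Triage's or Sysmon's code: a small Python detector over records in the shape of Sysmon Event ID 13 (RegistryEvent, Value Set) that alerts when one process sets several of these values. The input events are constructed here to mirror the report's IoCs; f767964.exe is deliberately trimmed to two writes to show the threshold, and the svchost.exe event with PID 1000 is an invented benign control. Key normalisation folds ControlSet001 into CurrentControlSet and strips Wow6432Node, but records which writes only hit the 32-bit view: on x64 a 32-bit process's writes to HKLM\SOFTWARE\Microsoft\Security Center are redirected there, and my assumption (not something the report demonstrates) is that the 64-bit Security Center service never reads them.

```python
import re
from collections import defaultdict

# Normalised key prefixes (lower-case, HKLM\..., CurrentControlSet, no Wow6432Node).
FW_KEY = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
POL_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
WSC_KEY = r"hklm\software\microsoft\security center"

# value path -> (ATT&CK sub-technique label, value the sample writes), taken from
# the report's "Set value (int)" IoCs. DoNotAllowExceptions=0 is also the Windows
# default, so on its own it is a weak signal; it only counts alongside the rest.
IMPAIRMENT_RULES = {
    FW_KEY + r"\enablefirewall": ("Disable or Modify System Firewall", 0),
    FW_KEY + r"\disablenotifications": ("Disable or Modify System Firewall", 1),
    FW_KEY + r"\donotallowexceptions": ("Disable or Modify System Firewall", 0),
    POL_KEY + r"\enablelua": ("Bypass User Account Control", 0),
}
for _name in ("antivirusdisablenotify", "antivirusoverride", "firewalldisablenotify",
              "firewalloverride", "uacdisablenotify", "updatesdisablenotify"):
    IMPAIRMENT_RULES[WSC_KEY + "\\" + _name] = ("Disable or Modify Tools", 1)


def normalise_key(path):
    """Map a registry path onto the rule spelling. Accepts the sandbox's native
    \\REGISTRY\\MACHINE\\... form and Sysmon's HKLM\\... form. Returns
    (normalised_key, via_wow64); via_wow64 is True when the write landed in the
    32-bit Wow6432Node view, as this sample's Security Center writes did."""
    key = path.lower()
    key = re.sub(r"^\\registry\\machine", "hklm", key)
    key = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", key)
    via_wow64 = "\\wow6432node\\" in key
    return key.replace("\\wow6432node", ""), via_wow64


def parse_value(details):
    """Sysmon logs DWORDs as 'DWORD (0x00000001)'; the sandbox prints '1'."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{1,8})\)", details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def detect(events, threshold=3):
    """Return {pid: alert} for processes whose registry writes match at least
    `threshold` distinct values from IMPAIRMENT_RULES."""
    hits = defaultdict(dict)
    images = {}
    for ev in events:
        if ev.get("EventID") != 13:          # Sysmon RegistryEvent (Value Set)
            continue
        key, via_wow64 = normalise_key(ev["TargetObject"])
        rule = IMPAIRMENT_RULES.get(key)
        if rule is None or parse_value(ev["Details"]) != rule[1]:
            continue
        images[ev["ProcessId"]] = ev["Image"]
        hits[ev["ProcessId"]][key.rsplit("\\", 1)[1]] = (rule[0], via_wow64)
    alerts = {}
    for pid, matched in hits.items():
        if len(matched) < threshold:
            continue
        alerts[pid] = {
            "image": images[pid],
            "count": len(matched),
            "values": sorted(matched),
            "techniques": sorted({label for label, _ in matched.values()}),
            # Writes that only hit the WOW64 view (assumption: the 64-bit
            # Security Center service never reads them, so they are noise to it
            # but still a strong indicator of the actor's intent).
            "wow64_view_writes": sorted(n for n, (_, w) in matched.items() if w),
        }
    return alerts


# --- Constructed sample input mirroring the report's IoCs in Sysmon EID 13 shape ---
R_FW = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
R_POL = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
R_WSC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
SALITY_WRITES = [(R_FW + r"\EnableFirewall", 0), (R_FW + r"\DisableNotifications", 1),
                 (R_FW + r"\DoNotAllowExceptions", 0), (R_POL + r"\EnableLUA", 0)] + [
    (R_WSC + "\\" + n, 1) for n in ("AntiVirusDisableNotify", "AntiVirusOverride",
                                    "FirewallDisableNotify", "FirewallOverride",
                                    "UacDisableNotify", "UpdatesDisableNotify")]


def sysmon_event(pid, image, target, value):
    return {"EventID": 13, "ProcessId": pid, "Image": image,
            "TargetObject": target, "Details": "DWORD (0x%08x)" % value}


EVENTS = (
    [sysmon_event(2672, r"C:\Users\Admin\AppData\Local\Temp\f765de8.exe", t, v) for t, v in SALITY_WRITES]
    # f767964.exe trimmed to two writes here to show the threshold (the report lists all ten for it too)
    + [sysmon_event(2148, r"C:\Users\Admin\AppData\Local\Temp\f767964.exe", t, v)
       for t, v in SALITY_WRITES[:1] + SALITY_WRITES[3:4]]
    # invented benign control: a service turning the firewall back on must not match
    + [sysmon_event(1000, r"C:\Windows\System32\svchost.exe", R_FW + r"\EnableFirewall", 1)]
)

if __name__ == "__main__":
    for pid, alert in detect(EVENTS).items():
        print(pid, alert["image"], alert["count"], alert["techniques"], alert["wow64_view_writes"])
```

With the default threshold only f765de8.exe (PID 2672) alerts, with all ten values and all three ATT&CK labels; lowering the threshold to 2 also surfaces the trimmed f767964.exe. Matching on the value actually written, not just the key, is what keeps the svchost.exe control quiet.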
Processes
Indentation shows parent/child relationships; the command line follows the image path in parentheses. The sample is a 32-bit DLL: the 64-bit C:\Windows\system32\rundll32.exe (PID 2764) cannot load it in-process and re-launches it under the SysWOW64 rundll32.exe (PID 2980), so the payload and the three dropped executables run as 32-bit processes, which is also why their Security Center writes land under Wow6432Node.
C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1076
C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1168
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1200
C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\426fd8d69e2b050bb41877f9cb30b8626e6a6f8cab6e42c4d987ebb0c2d89d5bN.dll,#1) PID:2764
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\426fd8d69e2b050bb41877f9cb30b8626e6a6f8cab6e42c4d987ebb0c2d89d5bN.dll,#1) PID:2980
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f765de8.exe PID:2672
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f765fdc.exe PID:1268
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\f767964.exe PID:2148
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:1476
Network
MITRE ATT&CK Enterprise v15
Numbers in parentheses are the report's per-technique counts.
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize: 257B
MD5: fcbb18d07d809fb1792a89630c6a3404
SHA1: 30baab4ed7ec3e41f722005b9b94fb50edc21555
SHA256: 56961b05b50970a710e907e8f802c4b79d414693d7b777171bb1d3d8c36e5e96
SHA512: 21c262411e4a95d3e2103d7c037976d97bd2a6896748ffc029cad3c24bf9db328be8ca52b04c0309cfdb6370454beda8fae8c7b73945a5956c1e8afa75dfe5b6
-
Filesize: 97KB
MD5: c3674444ac8f1e70426277d6d32c371b
SHA1: 1ffbf242e6f31b5b58b1f874f2dbe67e8c3ba1a8
SHA256: 94196e3d8b1a98e9135e16fb80cfccb2f7f764ddfde8befd866240567305cced
SHA512: ce8fd7ceeed98d213041d325698d74fbf639d6d3f5ab6ef421ce90334e742a2d70516add54e19f3e42e521bf84330098b45e08361c7ca3dd7d057928a20aa545