Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll
Resource: win7-20240903-en
General

Target: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll
Size: 120KB
MD5: 569dbc3e62f64310d59e8feb04e67efa
SHA1: 78207b8218f357a31cc489b1bcc43273211ee09b
SHA256: 4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4
SHA512: e0804d23fcab2576e422cd06e4cf6aed634ddcce8e0e74de7826d1078af402bb7c2e536dc2a659bcae0279846cb556016ba7bccb4dc2355a34f0b0c2138d1adc
SSDEEP: 3072:IArJjMrZDYiin0kCKBXcbbAZ13quJCbT:IeJjMrxYfM0MXAJEbT
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769a6b.exe
Sality family
UAC bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769a6b.exe
Windows security bypass

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767e92.exe
Executes dropped EXE 3 IoCs

pid | Process
1888 | f767e92.exe
2640 | f7680d3.exe
2172 | f769a6b.exe
Loads dropped DLL 6 IoCs

pid | Process
1872 | rundll32.exe
1872 | rundll32.exe
1872 | rundll32.exe
1872 | rundll32.exe
1872 | rundll32.exe
1872 | rundll32.exe
Windows security modification

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767e92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769a6b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769a6b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769a6b.exe
Checks whether UAC is enabled

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769a6b.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\L: | f767e92.exe
File opened (read-only) | \??\O: | f767e92.exe
File opened (read-only) | \??\P: | f767e92.exe
File opened (read-only) | \??\G: | f769a6b.exe
File opened (read-only) | \??\H: | f767e92.exe
File opened (read-only) | \??\R: | f767e92.exe
File opened (read-only) | \??\S: | f767e92.exe
File opened (read-only) | \??\E: | f769a6b.exe
File opened (read-only) | \??\G: | f767e92.exe
File opened (read-only) | \??\I: | f767e92.exe
File opened (read-only) | \??\K: | f767e92.exe
File opened (read-only) | \??\Q: | f767e92.exe
File opened (read-only) | \??\T: | f767e92.exe
File opened (read-only) | \??\E: | f767e92.exe
File opened (read-only) | \??\J: | f767e92.exe
File opened (read-only) | \??\M: | f767e92.exe
File opened (read-only) | \??\N: | f767e92.exe
resource | yara_rule
behavioral1/memory/1888-13-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-15-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-17-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-19-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-21-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-22-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-20-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-18-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-16-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-23-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-60-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-61-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-62-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-63-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-64-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-66-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-67-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-83-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-85-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-88-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-89-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-90-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/1888-149-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2172-166-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
behavioral1/memory/2172-206-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs

description | ioc | Process
File created | C:\Windows\f767f0f | f767e92.exe
File opened for modification | C:\Windows\SYSTEM.INI | f767e92.exe
File created | C:\Windows\f76d00b | f769a6b.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767e92.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769a6b.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

pid | Process
1888 | f767e92.exe
1888 | f767e92.exe
2172 | f769a6b.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs

description | pid | Process
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 1888 | f767e92.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Token: SeDebugPrivilege | 2172 | f769a6b.exe
Suspicious use of WriteProcessMemory 38 IoCs

description | pid | Process | procid_target
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1808 wrote to memory of 1872 | 1808 | rundll32.exe | 28
PID 1872 wrote to memory of 1888 | 1872 | rundll32.exe | 29
PID 1872 wrote to memory of 1888 | 1872 | rundll32.exe | 29
PID 1872 wrote to memory of 1888 | 1872 | rundll32.exe | 29
PID 1872 wrote to memory of 1888 | 1872 | rundll32.exe | 29
PID 1888 wrote to memory of 1072 | 1888 | f767e92.exe | 18
PID 1888 wrote to memory of 1120 | 1888 | f767e92.exe | 19
PID 1888 wrote to memory of 1184 | 1888 | f767e92.exe | 21
PID 1888 wrote to memory of 324 | 1888 | f767e92.exe | 23
PID 1888 wrote to memory of 1808 | 1888 | f767e92.exe | 27
PID 1888 wrote to memory of 1872 | 1888 | f767e92.exe | 28
PID 1888 wrote to memory of 1872 | 1888 | f767e92.exe | 28
PID 1872 wrote to memory of 2640 | 1872 | rundll32.exe | 30
PID 1872 wrote to memory of 2640 | 1872 | rundll32.exe | 30
PID 1872 wrote to memory of 2640 | 1872 | rundll32.exe | 30
PID 1872 wrote to memory of 2640 | 1872 | rundll32.exe | 30
PID 1872 wrote to memory of 2172 | 1872 | rundll32.exe | 31
PID 1872 wrote to memory of 2172 | 1872 | rundll32.exe | 31
PID 1872 wrote to memory of 2172 | 1872 | rundll32.exe | 31
PID 1872 wrote to memory of 2172 | 1872 | rundll32.exe | 31
PID 1888 wrote to memory of 1072 | 1888 | f767e92.exe | 18
PID 1888 wrote to memory of 1120 | 1888 | f767e92.exe | 19
PID 1888 wrote to memory of 1184 | 1888 | f767e92.exe | 21
PID 1888 wrote to memory of 324 | 1888 | f767e92.exe | 23
PID 1888 wrote to memory of 2640 | 1888 | f767e92.exe | 30
PID 1888 wrote to memory of 2640 | 1888 | f767e92.exe | 30
PID 1888 wrote to memory of 2172 | 1888 | f767e92.exe | 31
PID 1888 wrote to memory of 2172 | 1888 | f767e92.exe | 31
PID 2172 wrote to memory of 1072 | 2172 | f769a6b.exe | 18
PID 2172 wrote to memory of 1120 | 2172 | f769a6b.exe | 19
PID 2172 wrote to memory of 1184 | 2172 | f769a6b.exe | 21
PID 2172 wrote to memory of 324 | 2172 | f769a6b.exe | 23
System policy modification 1 TTPs 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767e92.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769a6b.exe
Processes
(the number before each entry is the depth in the process tree as reported; indented bullets are the signatures that fired for that process)

path | command line | PID

1 C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1072

1 C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1120

1 C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1184

2 C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll,#1 | PID:1808
  - Suspicious use of WriteProcessMemory

  3 C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4471ec4b2b6280b130c29c74c6438b61cc4eac5411cbb7984177e64f382e0be4.dll,#1 | PID:1872
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    4 C:\Users\Admin\AppData\Local\Temp\f767e92.exe | C:\Users\Admin\AppData\Local\Temp\f767e92.exe | PID:1888
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

    4 C:\Users\Admin\AppData\Local\Temp\f7680d3.exe | C:\Users\Admin\AppData\Local\Temp\f7680d3.exe | PID:2640
      - Executes dropped EXE

    4 C:\Users\Admin\AppData\Local\Temp\f769a6b.exe | C:\Users\Admin\AppData\Local\Temp\f769a6b.exe | PID:2172
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

1 C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:324
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: 228991b851fc71a311d7584bee489d67
SHA1: 9740469e8ef56eb1908dc4bb9c7ed691f8b2a7db
SHA256: 056ffc495a0d14538384a1117bc77e8b07485381f1450c9a5b67bc28ca5923cd
SHA512: b556dd5e58001554d5cf9789a5ca16de614233a7916747d96c2f673a077cf41a8e7e78b07737fa4e04bc6dfea01584124e514b43353fbca57b720e551f56d605

Filesize: 97KB
MD5: f9dc17f6dc60b9a74244a6b0dc8ebfaf
SHA1: b788caa75bfd264448b450ac5c627e28d311afae
SHA256: ac57e444c06e5b6c52c238879aa530f5ca07dab8edb52680cc5b28acf36411cc
SHA512: 2e41d6e385e7048b2dee0a335551695032b47ed94a0a7d069e8fdacad763a0aa3f805ebfcd5bc563195b4cd5e2304d5fdcb316efed507fed9f37c0becbcc3f18