Analysis
max time kernel: 33s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 17:35
Static task: static1
Behavioral task: behavioral1
Sample: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll
Resource: win7-20240903-en
General
Target: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll
Size: 120KB
MD5: 1a6cc5ed8b02f30ff31665b8a8537311
SHA1: 3bae2ec2245bbc68b1520290b6a92882e8bbaaeb
SHA256: b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2
SHA512: ecfc18114046f2662c5a3557c2ef97dfe45b36a8a7896ca30408b7080d0802eef5cb07db42a3c8568b27287ebf8a1e7f1c65d801280d47605ff230a911fb7934
SSDEEP: 3072:pND39Bfsztt1rCl5zntpffoBGVJvELKhffsM6D:DUzL1rCTnFVtg8sP
Malware Config
Extracted configuration, family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: f764ac6.exe, f764c7b.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f764c7b.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f764c7b.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f764c7b.exe)
Sality family

UAC bypass
Processes: f764ac6.exe, f764c7b.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764c7b.exe)
Windows security bypass
Processes: f764ac6.exe, f764c7b.exe
All writes are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center, each set to "1":
- f764ac6.exe: UpdatesDisableNotify, UacDisableNotify, AntiVirusOverride, FirewallDisableNotify, AntiVirusDisableNotify, FirewallOverride
- f764c7b.exe: AntiVirusOverride, AntiVirusDisableNotify, FirewallDisableNotify, FirewallOverride, UpdatesDisableNotify, UacDisableNotify
Executes dropped EXE (3 IoCs)
Processes: f764ac6.exe, f764c7b.exe, f76677a.exe
- PID 2728 f764ac6.exe
- PID 2768 f764c7b.exe
- PID 1812 f76677a.exe
Loads dropped DLL (6 IoCs)
Processes: rundll32.exe
- PID 2632 rundll32.exe (6 events)
Windows security modification
Processes: f764c7b.exe, f764ac6.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f764c7b.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f764ac6.exe)
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center, each set to "1", by f764ac6.exe: AntiVirusOverride, UacDisableNotify, FirewallOverride, FirewallDisableNotify, AntiVirusDisableNotify, UpdatesDisableNotify
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center, each set to "1", by f764c7b.exe: AntiVirusOverride, UacDisableNotify, AntiVirusDisableNotify, UpdatesDisableNotify, FirewallDisableNotify, FirewallOverride
Checks whether UAC is enabled
Processes: f764ac6.exe, f764c7b.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764c7b.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: f764ac6.exe
- File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (f764ac6.exe)
UPX-packed memory regions (yara rule: upx, 24 memory dumps)
- PID 2728, region 0x0000000000630000-0x00000000016EA000: behavioral1/memory/2728-{14,15,16,17,18,19,20,21,22,23,62,63,64,65,66,68,69,74,85,87,89,152}-0x0000000000630000-0x00000000016EA000-memory.dmp
- PID 2768, region 0x00000000009C0000-0x0000000001A7A000: behavioral1/memory/2768-{185,188}-0x00000000009C0000-0x0000000001A7A000-memory.dmp
Drops file in Windows directory (3 IoCs)
Processes: f764c7b.exe, f764ac6.exe
- File created C:\Windows\f769b65 (f764c7b.exe)
- File created C:\Windows\f764b43 (f764ac6.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f764ac6.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: f764ac6.exe, f764c7b.exe, rundll32.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f764ac6.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f764c7b.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: f764ac6.exe, f764c7b.exe
- PID 2728 f764ac6.exe (2 events)
- PID 2768 f764c7b.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: f764ac6.exe, f764c7b.exe
- Token: SeDebugPrivilege, PID 2728 f764ac6.exe (repeated)
- Token: SeDebugPrivilege, PID 2768 f764c7b.exe (repeated)
45 token adjustments in total, all enabling SeDebugPrivilege.
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: rundll32.exe, rundll32.exe, f764ac6.exe, f764c7b.exe
Each entry is "source PID (image) wrote to memory of target PID [procid_target]"; consecutive identical events are collapsed with a count.
- 3004 (rundll32.exe) wrote to memory of 2632 [30] x7
- 2632 (rundll32.exe) wrote to memory of 2728 [31] x4
- 2728 (f764ac6.exe) wrote to memory of 1128 [19]
- 2728 (f764ac6.exe) wrote to memory of 1236 [20]
- 2728 (f764ac6.exe) wrote to memory of 1280 [21]
- 2728 (f764ac6.exe) wrote to memory of 840 [25]
- 2728 (f764ac6.exe) wrote to memory of 3004 [29]
- 2728 (f764ac6.exe) wrote to memory of 2632 [30] x2
- 2632 (rundll32.exe) wrote to memory of 2768 [32] x4
- 2632 (rundll32.exe) wrote to memory of 1812 [33] x4
- 2728 (f764ac6.exe) wrote to memory of 1128 [19]
- 2728 (f764ac6.exe) wrote to memory of 1236 [20]
- 2728 (f764ac6.exe) wrote to memory of 1280 [21]
- 2728 (f764ac6.exe) wrote to memory of 840 [25]
- 2728 (f764ac6.exe) wrote to memory of 2768 [32] x2
- 2728 (f764ac6.exe) wrote to memory of 1812 [33] x2
- 2768 (f764c7b.exe) wrote to memory of 1128 [19]
- 2768 (f764c7b.exe) wrote to memory of 1236 [20]
- 2768 (f764c7b.exe) wrote to memory of 1280 [21]
- 2768 (f764c7b.exe) wrote to memory of 840 [25]
Targets 1128, 1236, 1280 and 840 are taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe in the process list, none of which the sample spawned; those writes are the injection indicator. The writes from 3004 into 2632 and from 2632 into 2728, 2768 and 1812 are parent-to-child writes that accompany process creation (including the system32 to SysWOW64 rundll32 hop) and are not suspicious on their own.
System policy modification (1 TTPs, 2 IoCs)
Processes: f764ac6.exe, f764c7b.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764ac6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f764c7b.exe)
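Worked example, added by the editor and not part of the sandbox report: a small Python classifier that parses IoC lines in the exact "Set value (int) <path> = "<data>" <process>" / "Key created <path> <process>" format used in the signatures above and maps each registry write to the defense it impairs and the ATT&CK technique. The rule table, the HKLM/Wow6432Node normalization and the SAMPLE text are the editor's constructions (SAMPLE reuses six of the report's IoC lines and adds two control lines, a value set back to "0" and an unrelated key, that must not fire).

```python
"""Classify sandbox registry IoCs into the Windows defenses they impair.

Added example, not part of the sandbox report.  RULES and SAMPLE are constructed.
"""
import re
from collections import defaultdict

IOC_RE = re.compile(
    r'^(?P<action>Set value \(\w+\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")? (?P<process>\S+)$'
)

HIVE_PREFIX = "\\REGISTRY\\MACHINE\\"
FIREWALL_KEY = "services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
UAC_KEY = "Microsoft\\Windows\\CurrentVersion\\Policies\\System"
SECURITY_CENTER_KEY = "Microsoft\\Security Center"

# (key suffix, value name, data) -> (finding, ATT&CK technique).  Editor's table.
RULES = {
    (FIREWALL_KEY, "EnableFirewall", "0"): ("Windows Firewall turned off", "T1562.004"),
    (FIREWALL_KEY, "DoNotAllowExceptions", "0"): ("firewall exceptions re-allowed", "T1562.004"),
    (FIREWALL_KEY, "DisableNotifications", "1"): ("firewall notifications suppressed", "T1562.004"),
    # EnableLUA=0 only takes effect after the next reboot; the running session keeps UAC.
    (UAC_KEY, "EnableLUA", "0"): ("UAC disabled from next reboot", "T1548.002"),
}
# Security Center values that hide AV / firewall / update / UAC state from the user.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify",
}


def normalize_key(key):
    """Strip the HKLM hive prefix and the WoW64 redirection node so that
    32-bit writes under Wow6432Node compare equal to native ones."""
    if key.upper().startswith(HIVE_PREFIX):
        key = key[len(HIVE_PREFIX):]
    return key.replace("Wow6432Node\\", "")


def parse_ioc(line):
    """Parse one IoC line into a dict; return None for anything else."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    if m["action"] == "Key created":
        return {"action": "key_created", "key": normalize_key(m["path"]),
                "name": None, "data": None, "process": m["process"]}
    key, _, name = m["path"].rpartition("\\")
    return {"action": "set_value", "key": normalize_key(key),
            "name": name, "data": m["data"], "process": m["process"]}


def classify(rec):
    """Return (finding, technique) when the write impairs a defense, else None."""
    if rec["action"] != "set_value":
        return None
    for (suffix, name, data), verdict in RULES.items():
        if rec["key"].endswith(suffix) and rec["name"] == name and rec["data"] == data:
            return verdict
    if (rec["key"].endswith(SECURITY_CENTER_KEY)
            and rec["name"] in SECURITY_CENTER_VALUES and rec["data"] == "1"):
        return (f"Security Center alerting suppressed ({rec['name']})", "T1562.001")
    return None


def summarize(text):
    """Distinct (finding, technique) pairs per process."""
    findings = defaultdict(set)
    for line in text.splitlines():
        rec = parse_ioc(line)
        verdict = classify(rec) if rec else None
        if verdict:
            findings[rec["process"]].add(verdict)
    return {proc: sorted(v) for proc, v in findings.items()}


def techniques(text):
    """Sorted ATT&CK technique IDs touched anywhere in the log."""
    return sorted({tech for v in summarize(text).values() for _, tech in v})


# Constructed sample: six lines from the report's IoCs plus two controls.
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f764ac6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f764ac6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f764ac6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f764c7b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f764c7b.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f764c7b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "0" cleanup.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Example\Setting = "1" installer.exe
"""

if __name__ == "__main__":
    for proc, items in summarize(SAMPLE).items():
        for finding, tech in items:
            print(f"{proc}: {finding} [{tech}]")
```

The classifier deliberately keys on the value data as well as the name: a Security Center override written back to "0" or an EnableLUA set to "1" is remediation, not tampering, and must not be reported. Matching on key suffixes after stripping Wow6432Node means the same rule covers a 32-bit process on x64 (as here) and a native write.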
Processes
C:\Windows\system32\taskhost.exe ("taskhost.exe"), PID 1128
C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe"), PID 1236
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), PID 1280
C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1), PID 3004
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\b836b9253a69becec7a0992ee75e72d490e4c7fe3c978a2f3238d172e6778cb2.dll,#1), PID 2632
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f764ac6.exe (C:\Users\Admin\AppData\Local\Temp\f764ac6.exe), PID 2728
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f764c7b.exe (C:\Users\Admin\AppData\Local\Temp\f764c7b.exe), PID 2768
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76677a.exe (C:\Users\Admin\AppData\Local\Temp\f76677a.exe), PID 1812
      - Executes dropped EXE
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID 840
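Added example, editor's code rather than anything from the report: sorting the WriteProcessMemory events listed in the signatures into parent-to-child writes that accompany process creation and writes into processes the sample never created, using the process tree above. PROCESSES is built from that tree; the parents of the four system processes and of the 64-bit rundll32 launcher are not shown in the report and are left as None. EVENTS is a constructed subset of the 38 events, in the report's own line format.

```python
"""Separate expected parent->child memory writes from cross-process injection.

Added example, not part of the sandbox report.  PROCESSES is built from the
report's process tree (unknown parents are None); EVENTS is a constructed
subset of the report's WriteProcessMemory events.
"""
import re
from collections import defaultdict

# pid -> (image name, parent pid)
PROCESSES = {
    1128: ("taskhost.exe", None),
    1236: ("Dwm.exe", None),
    1280: ("Explorer.EXE", None),
    840: ("DllHost.exe", None),
    3004: ("rundll32.exe", None),  # 64-bit launcher; its parent is not in the report
    2632: ("rundll32.exe", 3004),  # SysWOW64 rundll32 that loads the 32-bit DLL
    2728: ("f764ac6.exe", 2632),
    2768: ("f764c7b.exe", 2632),
    1812: ("f76677a.exe", 2632),
}
SAMPLE_ROOT = 3004  # everything below this pid was spawned by the sample

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 \S+ \d+")

EVENTS = """
PID 3004 wrote to memory of 2632 3004 rundll32.exe 30
PID 2632 wrote to memory of 2728 2632 rundll32.exe 31
PID 2728 wrote to memory of 1128 2728 f764ac6.exe 19
PID 2728 wrote to memory of 1236 2728 f764ac6.exe 20
PID 2728 wrote to memory of 1280 2728 f764ac6.exe 21
PID 2728 wrote to memory of 840 2728 f764ac6.exe 25
PID 2728 wrote to memory of 3004 2728 f764ac6.exe 29
PID 2728 wrote to memory of 2632 2728 f764ac6.exe 30
PID 2632 wrote to memory of 2768 2632 rundll32.exe 32
PID 2728 wrote to memory of 2768 2728 f764ac6.exe 32
PID 2768 wrote to memory of 1128 2768 f764c7b.exe 19
"""


def ancestors(pid):
    """Parent, grandparent, ... of pid, as far as the table knows."""
    chain = []
    while True:
        parent = PROCESSES.get(pid, (None, None))[1]
        if parent is None:
            return chain
        chain.append(parent)
        pid = parent


def in_sample_tree(pid):
    return pid == SAMPLE_ROOT or SAMPLE_ROOT in ancestors(pid)


def classify_write(src, dst):
    """Label one cross-process write by the relationship of source and target."""
    if src in ancestors(dst):
        # A parent writing into a child it just created (here: the 64-bit
        # rundll32 starting its SysWOW64 twin) is what process launch looks like.
        return "ancestor->descendant"
    if dst in ancestors(src):
        return "descendant->ancestor"
    if in_sample_tree(dst):
        return "sibling"
    return "injection into unrelated process"


def analyze(text):
    """Group events by relationship; entries are (src, src_image, dst, dst_image)."""
    groups = defaultdict(list)
    for m in EVENT_RE.finditer(text):
        src, dst = int(m[1]), int(m[2])
        groups[classify_write(src, dst)].append(
            (src, PROCESSES.get(src, ("?",))[0], dst, PROCESSES.get(dst, ("?",))[0]))
    return dict(groups)


def injection_targets(text):
    """Distinct processes written to that the sample did not create."""
    hits = analyze(text).get("injection into unrelated process", [])
    return sorted({(dst, image) for _, _, dst, image in hits})


if __name__ == "__main__":
    for label, events in analyze(EVENTS).items():
        print(f"{label}: {len(events)} event(s)")
    print("injection targets:", injection_targets(EVENTS))
```

On this run the only targets outside the sample's own tree are taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, which is the finding worth alerting on; the system32-to-SysWOW64 rundll32 hop and the launches of the three dropped executables all land in the ancestor->descendant bucket and should not page anyone on their own. The writes back into the rundll32 parents (descendant->ancestor) are worth a second look in a real investigation but are kept separate so they do not inflate the injection count.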
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 257B
MD5: f553212a17de5efa43d137d1099b4a36
SHA1: 32aded185746e937ead852a5df822ea243c62c41
SHA256: 4d1adbc55ac48612bfd8c4195850fd5218898b9cc717b51b819fd10619109b2c
SHA512: 3a2a3de9c7c1077842e64bfb08c8712413b6b9e65b9a8414f31d7830904881e5cb6677a97121f77efcf79ddfa7f08db0b5dd33fcaf76fde6f00959a07bc1dac7
-
Filesize: 97KB
MD5: 89d5b031b2b1b401ebcdc3da1ddb62e7
SHA1: 0bc8c57e96a240918bac201759cfd366843cec6c
SHA256: 9e216be8e972cc2f483494fcd58460c5ef60036d8af53a3a00dda17c6c83ac3f
SHA512: fb9ab954a2178d50be978f8666e30240cc0bddb2bd1bbc869284f3d490d1e181fc19f3e618f78e191b6f6e81b332d0413a2b0a58e1d3e2f69009675aab5deb06