Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 20:20
Static task: static1
Behavioral task: behavioral1
Sample: 11df08ffae08dd4b727582990fa72ad0033e6fa66dc5ab923ca0449822d1181f.dll
Resource: win7-20240903-en
General
Target: 11df08ffae08dd4b727582990fa72ad0033e6fa66dc5ab923ca0449822d1181f.dll
Size: 120KB
MD5: dbf988fdb09d9461465cb075533d9dda
SHA1: 7562626e045ae542817e3bc97e0b2d438c64fec5
SHA256: 11df08ffae08dd4b727582990fa72ad0033e6fa66dc5ab923ca0449822d1181f
SHA512: 1136cb4f0771f6514e220aca7bbd2e8a6f350379599bee25183b9166c475eece15f6017a198c3a6224be921145030e731f6b85074fac1a158d6a9588332e2a49
SSDEEP: 1536:+LHh/rwCCbYMtENi9HA5xLMLG9quDz4uX29fu2spjjxICyhwI2gRy7mNxlBD:+LlnatE8A7L6G/HX29fxgJIKgRy7mVD
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e5dc.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e5dc.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e3f9.exe
Executes dropped EXE 3 IoCs
pid | Process
2248 | f76e3f9.exe
2828 | f76e5dc.exe
2996 | f76ffc2.exe

Loads dropped DLL 6 IoCs
pid | Process
2484 | rundll32.exe
2484 | rundll32.exe
2484 | rundll32.exe
2484 | rundll32.exe
2484 | rundll32.exe
2484 | rundll32.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e3f9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e5dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e5dc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e5dc.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e5dc.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | f76e3f9.exe
File opened (read-only) | \??\N: | f76e3f9.exe
File opened (read-only) | \??\O: | f76e3f9.exe
File opened (read-only) | \??\Q: | f76e3f9.exe
File opened (read-only) | \??\I: | f76e3f9.exe
File opened (read-only) | \??\L: | f76e3f9.exe
File opened (read-only) | \??\S: | f76e3f9.exe
File opened (read-only) | \??\J: | f76e3f9.exe
File opened (read-only) | \??\T: | f76e3f9.exe
File opened (read-only) | \??\E: | f76e3f9.exe
File opened (read-only) | \??\G: | f76e3f9.exe
File opened (read-only) | \??\K: | f76e3f9.exe
File opened (read-only) | \??\M: | f76e3f9.exe
File opened (read-only) | \??\P: | f76e3f9.exe
File opened (read-only) | \??\R: | f76e3f9.exe

UPX yara rule match
resource | yara_rule
behavioral1/memory/2248-11-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-14-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-16-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-18-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-13-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-19-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-21-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-17-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-15-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-20-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-60-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-61-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-62-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-64-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-63-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-66-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-67-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-82-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-84-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-87-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2248-159-0x0000000000640000-0x00000000016FA000-memory.dmp | upx
behavioral1/memory/2828-165-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2828-194-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76e495 | f76e3f9.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76e3f9.exe
File created | C:\Windows\f77344a | f76e5dc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e3f9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e5dc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2248 | f76e3f9.exe
2248 | f76e3f9.exe
2828 | f76e5dc.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2248 | f76e3f9.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Token: SeDebugPrivilege | 2828 | f76e5dc.exe
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 1392 wrote to memory of 2484 | 1392 | rundll32.exe | 31
PID 2484 wrote to memory of 2248 | 2484 | rundll32.exe | 32
PID 2484 wrote to memory of 2248 | 2484 | rundll32.exe | 32
PID 2484 wrote to memory of 2248 | 2484 | rundll32.exe | 32
PID 2484 wrote to memory of 2248 | 2484 | rundll32.exe | 32
PID 2248 wrote to memory of 1116 | 2248 | f76e3f9.exe | 19
PID 2248 wrote to memory of 1160 | 2248 | f76e3f9.exe | 20
PID 2248 wrote to memory of 1208 | 2248 | f76e3f9.exe | 21
PID 2248 wrote to memory of 2040 | 2248 | f76e3f9.exe | 23
PID 2248 wrote to memory of 1392 | 2248 | f76e3f9.exe | 30
PID 2248 wrote to memory of 2484 | 2248 | f76e3f9.exe | 31
PID 2248 wrote to memory of 2484 | 2248 | f76e3f9.exe | 31
PID 2484 wrote to memory of 2828 | 2484 | rundll32.exe | 33
PID 2484 wrote to memory of 2828 | 2484 | rundll32.exe | 33
PID 2484 wrote to memory of 2828 | 2484 | rundll32.exe | 33
PID 2484 wrote to memory of 2828 | 2484 | rundll32.exe | 33
PID 2484 wrote to memory of 2996 | 2484 | rundll32.exe | 34
PID 2484 wrote to memory of 2996 | 2484 | rundll32.exe | 34
PID 2484 wrote to memory of 2996 | 2484 | rundll32.exe | 34
PID 2484 wrote to memory of 2996 | 2484 | rundll32.exe | 34
PID 2248 wrote to memory of 1116 | 2248 | f76e3f9.exe | 19
PID 2248 wrote to memory of 1160 | 2248 | f76e3f9.exe | 20
PID 2248 wrote to memory of 1208 | 2248 | f76e3f9.exe | 21
PID 2248 wrote to memory of 2040 | 2248 | f76e3f9.exe | 23
PID 2248 wrote to memory of 2828 | 2248 | f76e3f9.exe | 33
PID 2248 wrote to memory of 2828 | 2248 | f76e3f9.exe | 33
PID 2248 wrote to memory of 2996 | 2248 | f76e3f9.exe | 34
PID 2248 wrote to memory of 2996 | 2248 | f76e3f9.exe | 34
PID 2828 wrote to memory of 1116 | 2828 | f76e5dc.exe | 19
PID 2828 wrote to memory of 1160 | 2828 | f76e5dc.exe | 20
PID 2828 wrote to memory of 1208 | 2828 | f76e5dc.exe | 21
PID 2828 wrote to memory of 2040 | 2828 | f76e5dc.exe | 23

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e3f9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e5dc.exe
Processes
(image path, command line, PID; indentation shows the parent/child depth)

- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1116
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1160
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1208
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\11df08ffae08dd4b727582990fa72ad0033e6fa66dc5ab923ca0449822d1181f.dll,#1 | PID:1392
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\11df08ffae08dd4b727582990fa72ad0033e6fa66dc5ab923ca0449822d1181f.dll,#1 | PID:2484
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76e3f9.exe | C:\Users\Admin\AppData\Local\Temp\f76e3f9.exe | PID:2248
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76e5dc.exe | C:\Users\Admin\AppData\Local\Temp\f76e5dc.exe | PID:2828
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76ffc2.exe | C:\Users\Admin\AppData\Local\Temp\f76ffc2.exe | PID:2996
        - Executes dropped EXE
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2040
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

File 1
Filesize: 257B
MD5: 4db963c522ccbbf31c33e0a74a9c3b17
SHA1: c4ac2fb7baf67e89de4ce3d0718192ca5ed20827
SHA256: 479874aeaf2d55ad57ecaf4a0e93ec6d5d289d557aea75a710141efb13da4e00
SHA512: aece151b6cf7530fbe52cf0c7a58f65e0ed0e41c1abc149b86172a51613baf62efc013c532a9a87fe7358d1121b5e2a057d4a0488021dfda2997e2dcdcdcaeb0

File 2
Filesize: 97KB
MD5: d78b524f0d6188b13ce4466f5e06ddb9
SHA1: 42671372a930cc3da287ff706ea08942c6f16b5d
SHA256: 1ffc474c5e42202983709bb5d010070c2f191cfbb0caf3997dfb480415351c8a
SHA512: 5e0f10d1edc933bc40ef9d476815f3232b3f6ca3b698dd53a1fd2f6454427928b6efab39996c132fd4cfa0d2c7cbed3e5f67e1da95c06f0b2705f0bd241747ae