Analysis
- max time kernel: 28s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2024, 20:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll
- Resource: win7-20240903-en
General
- Target: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll
- Size: 120KB
- MD5: 35daebe77f7f9e5d9687fe7aa2ae10ec
- SHA1: c55102490f8281eeca2e8fd4a0deee411f7e81b8
- SHA256: 3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0
- SHA512: 325ded718ca68629440b6def683438c422ed09857139d8922bda535c698397b0ad26760f361987fd61285179639d809ff7c25c19661fbe33383e477e80d57fa9
- SSDEEP: 3072:KWq52BJcoVCpyTSBTG2y5L1Nsa3eCsKsc+x:JqIjVkyTATGN5LMCFMx
Malware Config
Extracted
- Family: sality
- C2 URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76d0a7.exe |
Sality family

UAC bypass (2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d0a7.exe |
Windows security bypass (12 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b220.exe |
Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 1724 | f76b220.exe |
| 2796 | f76b403.exe |
| 1616 | f76d0a7.exe |
Loads dropped DLL (6 IoCs)

| pid | Process |
|---|---|
| 1732 | rundll32.exe |
| 1732 | rundll32.exe |
| 1732 | rundll32.exe |
| 1732 | rundll32.exe |
| 1732 | rundll32.exe |
| 1732 | rundll32.exe |
Windows security modification (14 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b220.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d0a7.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76d0a7.exe |
Checks whether UAC is enabled (2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d0a7.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b220.exe |
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\K: | f76b220.exe |
| File opened (read-only) | \??\L: | f76b220.exe |
| File opened (read-only) | \??\E: | f76d0a7.exe |
| File opened (read-only) | \??\E: | f76b220.exe |
| File opened (read-only) | \??\M: | f76b220.exe |
| File opened (read-only) | \??\Q: | f76b220.exe |
| File opened (read-only) | \??\R: | f76b220.exe |
| File opened (read-only) | \??\H: | f76b220.exe |
| File opened (read-only) | \??\I: | f76b220.exe |
| File opened (read-only) | \??\J: | f76b220.exe |
| File opened (read-only) | \??\P: | f76b220.exe |
| File opened (read-only) | \??\T: | f76b220.exe |
| File opened (read-only) | \??\G: | f76b220.exe |
| File opened (read-only) | \??\N: | f76b220.exe |
| File opened (read-only) | \??\O: | f76b220.exe |
| File opened (read-only) | \??\S: | f76b220.exe |
| File opened (read-only) | \??\G: | f76d0a7.exe |
Yara rule match: upx (23 memory regions)

| resource | yara_rule |
|---|---|
| behavioral1/memory/1724-15-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-19-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-18-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-16-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-23-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-22-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-21-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-20-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-17-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-14-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-59-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-60-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-65-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-66-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-67-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-70-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-71-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-72-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-86-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-89-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1724-153-0x0000000000640000-0x00000000016FA000-memory.dmp | upx |
| behavioral1/memory/1616-165-0x0000000000940000-0x00000000019FA000-memory.dmp | upx |
| behavioral1/memory/1616-206-0x0000000000940000-0x00000000019FA000-memory.dmp | upx |
Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\f76b28d | f76b220.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f76b220.exe |
| File created | C:\Windows\f7702ce | f76d0a7.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b220.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76d0a7.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | Process |
|---|---|
| 1724 | f76b220.exe |
| 1724 | f76b220.exe |
| 1616 | f76d0a7.exe |
Suspicious use of AdjustPrivilegeToken (46 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1724 | f76b220.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
| Token: SeDebugPrivilege | 1616 | f76d0a7.exe |
Suspicious use of WriteProcessMemory (38 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 2012 wrote to memory of 1732 | 2012 | rundll32.exe | 30 |
| PID 1732 wrote to memory of 1724 | 1732 | rundll32.exe | 31 |
| PID 1732 wrote to memory of 1724 | 1732 | rundll32.exe | 31 |
| PID 1732 wrote to memory of 1724 | 1732 | rundll32.exe | 31 |
| PID 1732 wrote to memory of 1724 | 1732 | rundll32.exe | 31 |
| PID 1724 wrote to memory of 1112 | 1724 | f76b220.exe | 19 |
| PID 1724 wrote to memory of 1164 | 1724 | f76b220.exe | 20 |
| PID 1724 wrote to memory of 1204 | 1724 | f76b220.exe | 21 |
| PID 1724 wrote to memory of 1656 | 1724 | f76b220.exe | 25 |
| PID 1724 wrote to memory of 2012 | 1724 | f76b220.exe | 29 |
| PID 1724 wrote to memory of 1732 | 1724 | f76b220.exe | 30 |
| PID 1724 wrote to memory of 1732 | 1724 | f76b220.exe | 30 |
| PID 1732 wrote to memory of 2796 | 1732 | rundll32.exe | 32 |
| PID 1732 wrote to memory of 2796 | 1732 | rundll32.exe | 32 |
| PID 1732 wrote to memory of 2796 | 1732 | rundll32.exe | 32 |
| PID 1732 wrote to memory of 2796 | 1732 | rundll32.exe | 32 |
| PID 1732 wrote to memory of 1616 | 1732 | rundll32.exe | 33 |
| PID 1732 wrote to memory of 1616 | 1732 | rundll32.exe | 33 |
| PID 1732 wrote to memory of 1616 | 1732 | rundll32.exe | 33 |
| PID 1732 wrote to memory of 1616 | 1732 | rundll32.exe | 33 |
| PID 1724 wrote to memory of 1112 | 1724 | f76b220.exe | 19 |
| PID 1724 wrote to memory of 1164 | 1724 | f76b220.exe | 20 |
| PID 1724 wrote to memory of 1204 | 1724 | f76b220.exe | 21 |
| PID 1724 wrote to memory of 1656 | 1724 | f76b220.exe | 25 |
| PID 1724 wrote to memory of 2796 | 1724 | f76b220.exe | 32 |
| PID 1724 wrote to memory of 2796 | 1724 | f76b220.exe | 32 |
| PID 1724 wrote to memory of 1616 | 1724 | f76b220.exe | 33 |
| PID 1724 wrote to memory of 1616 | 1724 | f76b220.exe | 33 |
| PID 1616 wrote to memory of 1112 | 1616 | f76d0a7.exe | 19 |
| PID 1616 wrote to memory of 1164 | 1616 | f76d0a7.exe | 20 |
| PID 1616 wrote to memory of 1204 | 1616 | f76d0a7.exe | 21 |
| PID 1616 wrote to memory of 1656 | 1616 | f76d0a7.exe | 25 |
System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b220.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d0a7.exe |
Processes
- C:\Windows\system32\taskhost.exe
  - command line: "taskhost.exe"
  - PID: 1112
- C:\Windows\system32\Dwm.exe
  - command line: "C:\Windows\system32\Dwm.exe"
  - PID: 1164
- C:\Windows\Explorer.EXE
  - command line: C:\Windows\Explorer.EXE
  - PID: 1204
- C:\Windows\system32\rundll32.exe
  - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll,#1
  - PID: 2012
  - signatures: Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    - command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3455aa7ee045bb5372768bcffbde16476501a489dfb6ce86552346c1f82cf7f0.dll,#1
    - PID: 1732
    - signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - child: C:\Users\Admin\AppData\Local\Temp\f76b220.exe
      - command line: C:\Users\Admin\AppData\Local\Temp\f76b220.exe
      - PID: 1724
      - signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - child: C:\Users\Admin\AppData\Local\Temp\f76b403.exe
      - command line: C:\Users\Admin\AppData\Local\Temp\f76b403.exe
      - PID: 2796
      - signatures: Executes dropped EXE
    - child: C:\Users\Admin\AppData\Local\Temp\f76d0a7.exe
      - command line: C:\Users\Admin\AppData\Local\Temp\f76d0a7.exe
      - PID: 1616
      - signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe
  - command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID: 1656
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Dropped file 1
  - Filesize: 97KB
  - MD5: e6d2a6e91fe52643353bf8a173744eda
  - SHA1: 4b829916acbf3d4592080c5e7b1625bac20e3ef3
  - SHA256: 716b462bbde3398737bea237198d86e00cd41d8ad5d10cd5af22dc008bf8c1b1
  - SHA512: 2cfd5ff115add2392bff73767736d72efb4089f08cd9f0b3e2fb9019e8094ee0547683887d247e1afb22b353df2034ed99789d2c7977351e7d3efc8f730191c2
- Dropped file 2
  - Filesize: 257B
  - MD5: bada3774ab39dac1cfe578b912967c68
  - SHA1: 1cd3fd458959ca82f6c3966e060c196f2b500f9a
  - SHA256: eab8b9d8825a1fd0f246e899eafc8522f1087ca4ede9fa46faf973839834ad38
  - SHA512: 0b575ed4791e7540abd090c753128d1e677297bef18f5327b9012b5769b7a1751ab4d697d3a9d375819b64d00ee17d469729c660e461fa2a56bff361f20f3ea9