Analysis
max time kernel: 24s
max time network: 21s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 22:50
Behavioral task: behavioral1
Sample: 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Resource: win7-20240729-en
General
Target: 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Size: 173KB
MD5: e1b3afd58ac96bf02fa4ca7c20b3ec56
SHA1: b8dedf53d0f3a712d8293f0edf125a7c19049247
SHA256: 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395
SHA512: a52f947b1caac3cbb9abce75e650e1668010e8dcfbb237e8c7b59dd9612d214fd435f2481b01f5c0371f3b3e133615262f4f8a59ab167aa2b676a5e880bbeb2f
SSDEEP: 3072:u5jsqhH3yIP7UuIfmojPdDa1Ns+ng92As4DyTpyCRJvV3EacJfzlW:GYy3yLfjdcnxkysyhOfA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
-
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSMain.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSUpd.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XDelBox.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AoYun.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravcopy.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWSUpd.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arswp3.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfserver.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stormii.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmp.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfserver.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCMgr.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "ntsd -d" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "ntsd -d" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe | explorer.exe
-
Deletes itself 1 IoCs
pid | Process
2168 | explorer.exe
-
Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TSPS.lnk | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1681.lnk | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8970.lnk | explorer.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2168 | explorer.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
2168 | explorer.exe
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | explorer.exe
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
-
Enumerates connected drives 3 TTPs 51 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\n: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\w: | explorer.exe
File opened (read-only) | \??\N: | explorer.exe
File opened (read-only) | \??\g: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\r: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\x: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\m: | explorer.exe
File opened (read-only) | \??\q: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
File opened (read-only) | \??\l: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\m: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\o: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\n: | explorer.exe
File opened (read-only) | \??\o: | explorer.exe
File opened (read-only) | \??\y: | explorer.exe
File opened (read-only) | \??\p: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\v: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\z: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\v: | explorer.exe
File opened (read-only) | \??\L: | explorer.exe
File opened (read-only) | \??\j: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\u: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\s: | explorer.exe
File opened (read-only) | \??\t: | explorer.exe
File opened (read-only) | \??\u: | explorer.exe
File opened (read-only) | \??\l: | explorer.exe
File opened (read-only) | \??\x: | explorer.exe
File opened (read-only) | \??\k: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\s: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\e: | explorer.exe
File opened (read-only) | \??\g: | explorer.exe
File opened (read-only) | \??\h: | explorer.exe
File opened (read-only) | \??\i: | explorer.exe
File opened (read-only) | \??\I: | explorer.exe
File opened (read-only) | \??\K: | explorer.exe
File opened (read-only) | \??\M: | explorer.exe
File opened (read-only) | \??\e: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\q: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\k: | explorer.exe
File opened (read-only) | \??\p: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\z: | explorer.exe
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\h: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\t: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\w: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\y: | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened (read-only) | \??\j: | explorer.exe
File opened (read-only) | \??\r: | explorer.exe
File opened (read-only) | \??\J: | explorer.exe
-
resource | yara_rule
behavioral1/memory/2296-0-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/2296-2-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/files/0x00080000000120fe-6.dat | upx
behavioral1/memory/2296-9-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2168-35-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/2296-18-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-16-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-8-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-5-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-4-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-17-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-7-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-39-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-40-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-41-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-57-0x0000000001DC0000-0x0000000002E4E000-memory.dmp | upx
behavioral1/memory/2296-72-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/2168-79-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/2168-82-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/2168-103-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-86-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-87-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-106-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-88-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-105-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
behavioral1/memory/2168-129-0x0000000002D00000-0x0000000003D8E000-memory.dmp | upx
-
Drops file in Program Files directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files | explorer.exe
File opened for modification | C:\Program Files (x86)\ | explorer.exe
File opened for modification | C:\Program Files (x86)\Kaspersky Lab | explorer.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
File opened for modification | C:\Program Files (x86)\Common Files\ips888.dll | explorer.exe
File created | C:\Program Files (x86)\Common Files\ips888.dll | explorer.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | explorer.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process
2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
2168 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description | pid | Process
Token: SeLoadDriverPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeDebugPrivilege | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Token: SeLoadDriverPrivilege | 2168 | explorer.exe
Token: SeDebugPrivilege | 2168 | explorer.exe
Token: SeDebugPrivilege | 2168 | explorer.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2168 | explorer.exe
2168 | explorer.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 2296 wrote to memory of 2168 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 30
PID 2296 wrote to memory of 2168 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 30
PID 2296 wrote to memory of 2168 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 30
PID 2296 wrote to memory of 2168 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 30
PID 2296 wrote to memory of 1116 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 19
PID 2296 wrote to memory of 1164 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 20
PID 2296 wrote to memory of 1204 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 21
PID 2296 wrote to memory of 324 | 2296 | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | 25
PID 2168 wrote to memory of 1116 | 2168 | explorer.exe | 19
PID 2168 wrote to memory of 1164 | 2168 | explorer.exe | 20
PID 2168 wrote to memory of 1204 | 2168 | explorer.exe | 21
PID 2168 wrote to memory of 324 | 2168 | explorer.exe | 25
PID 2168 wrote to memory of 2056 | 2168 | explorer.exe | 31
PID 2168 wrote to memory of 1116 | 2168 | explorer.exe | 19
PID 2168 wrote to memory of 1164 | 2168 | explorer.exe | 20
PID 2168 wrote to memory of 1204 | 2168 | explorer.exe | 21
PID 2168 wrote to memory of 324 | 2168 | explorer.exe | 25
PID 2168 wrote to memory of 1780 | 2168 | explorer.exe | 32
-
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe
Processes
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1116
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1164
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1204
    C:\Users\Admin\AppData\Local\Temp\57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe | "C:\Users\Admin\AppData\Local\Temp\57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395.exe" | PID:2296
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe | "C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe" | PID:2168
            - Modifies firewall policy service
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Event Triggered Execution: Image File Execution Options Injection
            - Deletes itself
            - Drops startup file
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system executable filetype association
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:324
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:2056
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID:1780
Network
MITRE ATT&CK Enterprise v15
Persistence
    Create or Modify System Process 1
        Windows Service 1
    Event Triggered Execution 2
        Change Default File Association 1
        Image File Execution Options Injection 1
Privilege Escalation
    Abuse Elevation Control Mechanism 1
        Bypass User Account Control 1
    Create or Modify System Process 1
        Windows Service 1
    Event Triggered Execution 2
        Change Default File Association 1
        Image File Execution Options Injection 1
Defense Evasion
    Abuse Elevation Control Mechanism 1
        Bypass User Account Control 1
    Hide Artifacts 1
        Hidden Files and Directories 1
    Impair Defenses 4
        Disable or Modify System Firewall 1
        Disable or Modify Tools 3
    Modify Registry 7
Downloads
-
Filesize: 173KB
MD5: e1b3afd58ac96bf02fa4ca7c20b3ec56
SHA1: b8dedf53d0f3a712d8293f0edf125a7c19049247
SHA256: 57f2464aa7cd73a85e2c36d3cd4146627bc5544b86efef4b29a8f3bf6725f395
SHA512: a52f947b1caac3cbb9abce75e650e1668010e8dcfbb237e8c7b59dd9612d214fd435f2481b01f5c0371f3b3e133615262f4f8a59ab167aa2b676a5e880bbeb2f
-
Filesize: 491B
MD5: d38e2cf2c1665d1a9c34c52ec3670e9b
SHA1: ae6e62f8c614571ee26947e2d6a9e1286ca0e422
SHA256: 28d22e43670eb6c1312895d4d68e3a56d80490a34154cdc39e2aae7a9e9114d9
SHA512: 0bf0d849473b5315e48112a25dd1443cc261d1722f294e5bbe8b179b590870b8a7942b60650627cae902efd12517f07bae03c38e005e438c4167648b0bdef3f5
-
Filesize: 257B
MD5: 88f13f821cfe04d8134e873219150318
SHA1: eb2f93128f40452b0cd580c6c3d56e7817b464a2
SHA256: d0244f0760eb7f82a25905430407e33bc4f8e45d2ddb5c3ec57970e80d44c0aa
SHA512: a78de2c2f467dd0053a0dbea91790601df1678155c77140418006d75cb2ecb87d508de0ab16f4e55810e77c73ae585d1130817bea5995743bb3b1da2ede5391f
-
Filesize: 100KB
MD5: 7ade3c4a612c8b28e23a6622f62cffa4
SHA1: ffbddc34c5fc0fce8b1f24dea7f587b2a4d041ee
SHA256: 055d89023eef5c9333843514569ff35dd145351f2cc44d975cfa33001448bf40
SHA512: 8347817bb3f96a0fe69a872cc84f68a99eba6034b9c3456346f96842a7cfd1909fe45538321b448f8e9e20364e690f78c7678b30d7c9356368eecf2eef94164a
-
Filesize: 17KB
MD5: f560174dbba429bc890961608e9eaaf1
SHA1: 1397fd3d69ba8fd1615ff8fa7e0a187cca06dbaf
SHA256: 29c4eba9d950a47aaf7e023a3649ed8dbd065a143b0913c11d969f9df9823f5f
SHA512: 35099289aa8852909b82d5709f2504aa68e7672f2457656d2ebe6c77fea631c9d80585ebf186d7555d281443e56b67abdfb5848dc069a2a2c248a76a95d9a6bf