Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 00:57
Static task: static1
Behavioral task: behavioral1
Sample: 8d68323c9ba9d98dac7fa3a13b8691f8d451e18de388658e8d1a4d8b15261ae5.dll
Resource: win7-20240903-en
General
Target: 8d68323c9ba9d98dac7fa3a13b8691f8d451e18de388658e8d1a4d8b15261ae5.dll
Size: 120KB
MD5: 6a05d1e79242b6010760a499241fc1c2
SHA1: 9e69a022712fd5f37ecf14a27fb0c78681d9982a
SHA256: 8d68323c9ba9d98dac7fa3a13b8691f8d451e18de388658e8d1a4d8b15261ae5
SHA512: 1dfc0e89b4ad498a91accbe27b7abbeca95a975231739391cf16548ac5af7be14fed4720dd022d715e7c4b25075a7c1dee25e7a7a6d30accc7477acc750f4aba
SSDEEP: 3072:HncA3Dt/nVkSmkOBpiCtl0xfRoA6Z5HklRDAB:8AjDm5axfCAPvMB
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c265.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769b84.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769b84.exe
Executes dropped EXE  3 IoCs
pid | Process
2464 | f769b84.exe
2624 | f769d77.exe
2588 | f76c265.exe

Loads dropped DLL  6 IoCs
pid | Process
2376 | rundll32.exe  (x6)

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c265.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c265.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c265.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c265.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c265.exe
Enumerates connected drives  3 TTPs  19 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | f76c265.exe
File opened (read-only) | \??\H: | f769b84.exe
File opened (read-only) | \??\J: | f769b84.exe
File opened (read-only) | \??\L: | f769b84.exe
File opened (read-only) | \??\E: | f76c265.exe
File opened (read-only) | \??\H: | f76c265.exe
File opened (read-only) | \??\G: | f769b84.exe
File opened (read-only) | \??\I: | f769b84.exe
File opened (read-only) | \??\Q: | f769b84.exe
File opened (read-only) | \??\K: | f769b84.exe
File opened (read-only) | \??\M: | f769b84.exe
File opened (read-only) | \??\N: | f769b84.exe
File opened (read-only) | \??\T: | f769b84.exe
File opened (read-only) | \??\G: | f76c265.exe
File opened (read-only) | \??\E: | f769b84.exe
File opened (read-only) | \??\O: | f769b84.exe
File opened (read-only) | \??\P: | f769b84.exe
File opened (read-only) | \??\R: | f769b84.exe
File opened (read-only) | \??\S: | f769b84.exe

resource | yara_rule
behavioral1/memory/2464-17-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-20-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-24-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-21-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-19-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-18-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-16-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-25-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-22-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-23-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-62-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-64-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-63-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-65-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-66-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-68-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-69-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-70-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-71-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-74-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-75-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-106-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-108-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2464-154-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx
behavioral1/memory/2588-176-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2588-211-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory  3 IoCs
description | ioc | Process
File created | C:\Windows\f769c01 | f769b84.exe
File opened for modification | C:\Windows\SYSTEM.INI | f769b84.exe
File created | C:\Windows\f76ec23 | f76c265.exe

System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769b84.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c265.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs
pid | Process
2464 | f769b84.exe
2464 | f769b84.exe
2588 | f76c265.exe

Suspicious use of AdjustPrivilegeToken  46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2464 | f769b84.exe  (x23)
Token: SeDebugPrivilege | 2588 | f76c265.exe  (x23)

Suspicious use of WriteProcessMemory  38 IoCs
description | pid | Process | procid_target
PID 2524 wrote to memory of 2376 | 2524 | rundll32.exe | 30  (x7)
PID 2376 wrote to memory of 2464 | 2376 | rundll32.exe | 31  (x4)
PID 2464 wrote to memory of 1096 | 2464 | f769b84.exe | 19
PID 2464 wrote to memory of 1176 | 2464 | f769b84.exe | 20
PID 2464 wrote to memory of 1204 | 2464 | f769b84.exe | 21
PID 2464 wrote to memory of 884 | 2464 | f769b84.exe | 25
PID 2464 wrote to memory of 2524 | 2464 | f769b84.exe | 29
PID 2464 wrote to memory of 2376 | 2464 | f769b84.exe | 30  (x2)
PID 2376 wrote to memory of 2624 | 2376 | rundll32.exe | 32  (x4)
PID 2376 wrote to memory of 2588 | 2376 | rundll32.exe | 33  (x4)
PID 2464 wrote to memory of 1096 | 2464 | f769b84.exe | 19
PID 2464 wrote to memory of 1176 | 2464 | f769b84.exe | 20
PID 2464 wrote to memory of 1204 | 2464 | f769b84.exe | 21
PID 2464 wrote to memory of 884 | 2464 | f769b84.exe | 25
PID 2464 wrote to memory of 2624 | 2464 | f769b84.exe | 32  (x2)
PID 2464 wrote to memory of 2588 | 2464 | f769b84.exe | 33  (x2)
PID 2588 wrote to memory of 1096 | 2588 | f76c265.exe | 19
PID 2588 wrote to memory of 1176 | 2588 | f76c265.exe | 20
PID 2588 wrote to memory of 1204 | 2588 | f76c265.exe | 21
PID 2588 wrote to memory of 884 | 2588 | f76c265.exe | 25

System policy modification  1 TTPs  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769b84.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c265.exe
Processes
image path | command line | PID (indented entries are children of the entry above them)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1096

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1176

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1204

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d68323c9ba9d98dac7fa3a13b8691f8d451e18de388658e8d1a4d8b15261ae5.dll,#1 | PID:2524
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d68323c9ba9d98dac7fa3a13b8691f8d451e18de388658e8d1a4d8b15261ae5.dll,#1 | PID:2376
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f769b84.exe | C:\Users\Admin\AppData\Local\Temp\f769b84.exe | PID:2464
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f769d77.exe | C:\Users\Admin\AppData\Local\Temp\f769d77.exe | PID:2624
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\f76c265.exe | C:\Users\Admin\AppData\Local\Temp\f76c265.exe | PID:2588
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:884
Network
MITRE ATT&CK Enterprise v15
tactic | technique (count) | sub-technique (count)
Privilege Escalation | Abuse Elevation Control Mechanism (1) | Bypass User Account Control (1)
Privilege Escalation | Create or Modify System Process (1) | Windows Service (1)
Defense Evasion | Abuse Elevation Control Mechanism (1) | Bypass User Account Control (1)
Defense Evasion | Impair Defenses (4) | Disable or Modify System Firewall (1)
Defense Evasion | Impair Defenses (4) | Disable or Modify Tools (3)
Defense Evasion | Modify Registry (5) |
Downloads

Filesize: 97KB
MD5: 7f17cf0c4dd94c25a3bc5061a3d2e6c3
SHA1: a58fe6a944166c8f89abfd4b4c702af60701a060
SHA256: 422b263edfe90ddcdb74d23545ab558cc0cd252fe9f28227ec309d500d6d152d
SHA512: e9bdb61f1b369e77acadb6a1e8be028313266b2da4aecbcece13c9fb10b3f7ccc0dfcecc2686f534a45da1e7c6c7f98aaadba2258a93b69dac7fe2e721691be7

Filesize: 257B
MD5: 8c2b93a07872cb9830ef971f955a2ca5
SHA1: 016481c37ff21d19b17120330e431c9468ed846e
SHA256: c37ca7fb273aa76486e505aac2bc22b6e2523734ee72c6efe44fdc8cdcbc916e
SHA512: fff8126371ecfaede16dee2b6c9a7aefdc8ae76c3825ada819622979d3458bcfec04b8c13c5ad1b3f86f38c885a30d5ac01ef5b0ac71f2e32104a8287d3d5edd