Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
10-12-2024 16:48
Static task
static1
Behavioral task
behavioral1
Sample
39cf19a4b6a90c22a8921abd736dcdd093d56a1f44e5d464c261b9d91ca75e7dN.dll
Resource
win7-20240708-en
General

Target
39cf19a4b6a90c22a8921abd736dcdd093d56a1f44e5d464c261b9d91ca75e7dN.dll
Size
120KB
MD5
d6e28fd7baf7a84270a1bbbd406a26c0
SHA1
a4ec46c06a7912dc6ade2f59ce1ea6d7b68f780a
SHA256
39cf19a4b6a90c22a8921abd736dcdd093d56a1f44e5d464c261b9d91ca75e7d
SHA512
c0a4e7b0d6d7e725400a7d89780add0c5a1cd23a3b750edd563c913726eadf4a433192be09eddb56b6762850d9d03a0ec3c6453667688f75e29af86856cf67df
SSDEEP
3072:qlpjdxx5DknV3DWorKfnXpt8+nM4XD+kR:qXngnTrW5t8OBTxR
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76ae1a.exe

Sality family

UAC bypass  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c9c5.exe

Windows security bypass  12 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76ae1a.exe

Executes dropped EXE  3 IoCs
pid  Process
2500  f76ae1a.exe
3028  f76afa0.exe
600  f76c9c5.exe

Loads dropped DLL  6 IoCs
pid  Process
2104  rundll32.exe  (6 identical rows)

Windows security modification  14 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76c9c5.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76c9c5.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76c9c5.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76ae1a.exe

Checks whether UAC is enabled  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c9c5.exe
Enumerates connected drives  3 TTPs  17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\I:  f76ae1a.exe
File opened (read-only)  \??\J:  f76ae1a.exe
File opened (read-only)  \??\M:  f76ae1a.exe
File opened (read-only)  \??\O:  f76ae1a.exe
File opened (read-only)  \??\T:  f76ae1a.exe
File opened (read-only)  \??\E:  f76ae1a.exe
File opened (read-only)  \??\H:  f76ae1a.exe
File opened (read-only)  \??\K:  f76ae1a.exe
File opened (read-only)  \??\P:  f76ae1a.exe
File opened (read-only)  \??\Q:  f76ae1a.exe
File opened (read-only)  \??\L:  f76ae1a.exe
File opened (read-only)  \??\N:  f76ae1a.exe
File opened (read-only)  \??\E:  f76c9c5.exe
File opened (read-only)  \??\G:  f76c9c5.exe
File opened (read-only)  \??\G:  f76ae1a.exe
File opened (read-only)  \??\R:  f76ae1a.exe
File opened (read-only)  \??\S:  f76ae1a.exe

Yara rule match: upx  23 IoCs
resource  yara_rule
behavioral1/memory/2500-{11,15,17,18,20,21,19,14,13,16,63,62,64,66,65,68,69,86,88,90,162}-0x0000000000640000-0x00000000016FA000-memory.dmp  upx  (21 rows, one per dump index)
behavioral1/memory/600-174-0x0000000000900000-0x00000000019BA000-memory.dmp  upx
behavioral1/memory/600-215-0x0000000000900000-0x00000000019BA000-memory.dmp  upx

Drops file in Windows directory  3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SYSTEM.INI  f76ae1a.exe
File created  C:\Windows\f76fe6b  f76c9c5.exe
File created  C:\Windows\f76ae78  f76ae1a.exe

System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76c9c5.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76ae1a.exe

Suspicious behavior: EnumeratesProcesses  3 IoCs
pid  Process
2500  f76ae1a.exe
2500  f76ae1a.exe
600  f76c9c5.exe

Suspicious use of AdjustPrivilegeToken  46 IoCs
description  pid  Process
Token: SeDebugPrivilege  2500  f76ae1a.exe  (24 rows)
Token: SeDebugPrivilege  600  f76c9c5.exe  (22 rows)
Suspicious use of WriteProcessMemory  38 IoCs
description  pid  Process  procid_target
PID 1820 wrote to memory of 2104  1820  rundll32.exe  30  (7 rows)
PID 2104 wrote to memory of 2500  2104  rundll32.exe  31  (4 rows)
PID 2500 wrote to memory of 1124  2500  f76ae1a.exe  19
PID 2500 wrote to memory of 1184  2500  f76ae1a.exe  20
PID 2500 wrote to memory of 1216  2500  f76ae1a.exe  21
PID 2500 wrote to memory of 1532  2500  f76ae1a.exe  25
PID 2500 wrote to memory of 1820  2500  f76ae1a.exe  29
PID 2500 wrote to memory of 2104  2500  f76ae1a.exe  30  (2 rows)
PID 2104 wrote to memory of 3028  2104  rundll32.exe  32  (4 rows)
PID 2104 wrote to memory of 600  2104  rundll32.exe  33  (4 rows)
PID 2500 wrote to memory of 1124  2500  f76ae1a.exe  19
PID 2500 wrote to memory of 1184  2500  f76ae1a.exe  20
PID 2500 wrote to memory of 1216  2500  f76ae1a.exe  21
PID 2500 wrote to memory of 1532  2500  f76ae1a.exe  25
PID 2500 wrote to memory of 3028  2500  f76ae1a.exe  32  (2 rows)
PID 2500 wrote to memory of 600  2500  f76ae1a.exe  33  (2 rows)
PID 600 wrote to memory of 1124  600  f76c9c5.exe  19
PID 600 wrote to memory of 1184  600  f76c9c5.exe  20
PID 600 wrote to memory of 1216  600  f76c9c5.exe  21
PID 600 wrote to memory of 1532  600  f76c9c5.exe  25

System policy modification  1 TTPs  2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76ae1a.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76c9c5.exe
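The registry writes in the signatures above (firewall policy disabled, EnableLUA cleared, Security Center notification and override flags set) are the defense-impairment cluster worth alerting on in live telemetry. The following is an added detection example, not code from the sandbox or from the report: it runs over Sysmon Event ID 13 (registry value set) style events with the field names Image, ProcessId, TargetObject and Details, which are assumed here, and the sample events are constructed from the report's IoCs rather than captured. One practical caveat it handles: the sandbox prints keys as \REGISTRY\MACHINE\...\ControlSet001\... while Sysmon shows HKLM\...\CurrentControlSet\..., and 64-bit hosts redirect Security Center writes under Wow6432Node, so paths are normalised before matching. It fires only when a single process hits two or more categories, so an isolated policy change by an admin tool does not trip it.

```python
"""
Detection logic for the registry tampering listed in the signatures above.
Sample events are constructed to mirror the report's IoCs in Sysmon
Event ID 13 field names; they are not real logs from the sandbox run.
"""
import re
from collections import defaultdict

FW = r"SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE"
SC = r"SOFTWARE\MICROSOFT\SECURITY CENTER"
POL = r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"

# Normalised value path -> (category, DWORD value that indicates tampering).
WATCHED = {
    FW + r"\ENABLEFIREWALL": ("firewall", 0),
    FW + r"\DONOTALLOWEXCEPTIONS": ("firewall", 0),
    FW + r"\DISABLENOTIFICATIONS": ("firewall", 1),
    POL + r"\ENABLELUA": ("uac", 0),
    SC + r"\ANTIVIRUSDISABLENOTIFY": ("security_center", 1),
    SC + r"\FIREWALLDISABLENOTIFY": ("security_center", 1),
    SC + r"\UPDATESDISABLENOTIFY": ("security_center", 1),
    SC + r"\UACDISABLENOTIFY": ("security_center", 1),
    SC + r"\ANTIVIRUSOVERRIDE": ("security_center", 1),
    SC + r"\FIREWALLOVERRIDE": ("security_center", 1),
}

_HIVE = re.compile(r"^(\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\", re.I)
_CONTROLSET = re.compile(r"\\CONTROLSET\d{3}\\", re.I)
_DWORD = re.compile(r"0x([0-9A-F]+)", re.I)


def normalise_key(path):
    """Fold sandbox and Sysmon spellings into one form: drop the hive prefix,
    map ControlSetNNN to CurrentControlSet, drop Wow6432Node, upper-case."""
    p = _HIVE.sub("", path.strip())
    p = _CONTROLSET.sub(r"\\CURRENTCONTROLSET\\", p).upper()
    return p.replace("\\WOW6432NODE\\", "\\")


def parse_dword(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the sandbox prints '"1"'."""
    m = _DWORD.search(details)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group(0)) if m else None


def detect(events, min_categories=2):
    """Return {pid: finding} for processes whose value-set events hit at least
    min_categories distinct categories with the tampering value."""
    hits = defaultdict(lambda: {"image": None, "categories": set(), "values": []})
    for ev in events:
        key = normalise_key(ev["TargetObject"])
        if key not in WATCHED:
            continue
        category, bad = WATCHED[key]
        if parse_dword(ev["Details"]) != bad:
            continue  # e.g. EnableLUA = 1 is a re-enable, not tampering
        h = hits[ev["ProcessId"]]
        h["image"] = ev["Image"]
        h["categories"].add(category)
        h["values"].append(key.rsplit("\\", 1)[1])
    return {pid: h for pid, h in hits.items() if len(h["categories"]) >= min_categories}


def _ev(pid, image, target, details):
    return {"ProcessId": pid, "Image": image, "TargetObject": target, "Details": details}


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed; writers and values follow the report's IoCs
    _ev(2500, T + r"\f76ae1a.exe", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000000)"),
    _ev(2500, T + r"\f76ae1a.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    _ev(2500, T + r"\f76ae1a.exe", r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride", "DWORD (0x00000001)"),
    # sandbox-style spelling of the same key family, written by the second dropper
    _ev(600, T + r"\f76c9c5.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications", '"1"'),
    _ev(600, T + r"\f76c9c5.exe", r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify", "DWORD (0x00000001)"),
    # benign: re-enabling UAC is the opposite value and must not count
    _ev(1216, r"C:\Windows\Explorer.EXE", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000001)"),
    # benign: one firewall policy change on its own stays below the threshold
    _ev(4321, r"C:\Windows\System32\svchost.exe", r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "DWORD (0x00000000)"),
]


def run(events=SAMPLE_EVENTS):
    return detect(events)


if __name__ == "__main__":
    for pid, f in sorted(run().items()):
        print(pid, f["image"], sorted(f["categories"]), f["values"])
```

On the sample events both droppers are flagged (2500 across three categories, 600 across two) while the Explorer re-enable and the lone svchost policy change are not. Tune min_categories down to 1 for the firewall keys alone if EnableFirewall = 0 is never legitimate in your environment.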
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1124

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1184

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1216

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39cf19a4b6a90c22a8921abd736dcdd093d56a1f44e5d464c261b9d91ca75e7dN.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:1820

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39cf19a4b6a90c22a8921abd736dcdd093d56a1f44e5d464c261b9d91ca75e7dN.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2104

      C:\Users\Admin\AppData\Local\Temp\f76ae1a.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76ae1a.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2500

      C:\Users\Admin\AppData\Local\Temp\f76afa0.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76afa0.exe
        - Executes dropped EXE
        PID:3028

      C:\Users\Admin\AppData\Local\Temp\f76c9c5.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76c9c5.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:600

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1532
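Read together, the process tree and the WriteProcessMemory rows separate two very different things that the sandbox reports with the same wording: a parent writing into a child it has just created (1820 into 2104, 2104 into 2500/3028/600), which is ordinary process start-up, and the droppers writing into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and their own ancestors and siblings, which is cross-process injection. The following is an added analysis example, not code from the sandbox or the report: it parses rows in the "PID <src> wrote to memory of <dst> <src> <image> <index>" layout used above (the trailing index is ignored), takes the parent map from the process tree, and buckets each writer's targets. The ROWS text is transcribed from the report, with repeated rows collapsed; the parent map and image names are transcribed from the tree.

```python
"""
Classify the report's "wrote to memory of" rows into parent-to-child writes
and writes into processes the writer did not create.
"""
import re
from collections import defaultdict

# Parent PID of each process the tree shows a parent for; depth-1 processes
# (taskhost, Dwm, Explorer, DllHost) have no recorded parent.
PARENTS = {2104: 1820, 2500: 2104, 3028: 2104, 600: 2104}

# Image name per PID, from the process tree above.
IMAGES = {
    1124: "taskhost.exe", 1184: "Dwm.exe", 1216: "Explorer.EXE",
    1532: "DllHost.exe", 1820: "rundll32.exe", 2104: "rundll32.exe",
    2500: "f76ae1a.exe", 3028: "f76afa0.exe", 600: "f76c9c5.exe",
}

# Transcribed from the WriteProcessMemory table (duplicate rows collapsed).
ROWS = """
PID 1820 wrote to memory of 2104 1820 rundll32.exe 30
PID 2104 wrote to memory of 2500 2104 rundll32.exe 31
PID 2500 wrote to memory of 1124 2500 f76ae1a.exe 19
PID 2500 wrote to memory of 1184 2500 f76ae1a.exe 20
PID 2500 wrote to memory of 1216 2500 f76ae1a.exe 21
PID 2500 wrote to memory of 1532 2500 f76ae1a.exe 25
PID 2500 wrote to memory of 1820 2500 f76ae1a.exe 29
PID 2500 wrote to memory of 2104 2500 f76ae1a.exe 30
PID 2104 wrote to memory of 3028 2104 rundll32.exe 32
PID 2104 wrote to memory of 600 2104 rundll32.exe 33
PID 2500 wrote to memory of 3028 2500 f76ae1a.exe 32
PID 2500 wrote to memory of 600 2500 f76ae1a.exe 33
PID 600 wrote to memory of 1124 600 f76c9c5.exe 19
PID 600 wrote to memory of 1184 600 f76c9c5.exe 20
PID 600 wrote to memory of 1216 600 f76c9c5.exe 21
PID 600 wrote to memory of 1532 600 f76c9c5.exe 25
"""

# The source PID appears twice per row; the backreference enforces that.
_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Yield (source_pid, target_pid, source_image) for each well-formed row."""
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def classify(rows, parents):
    """Per writer: targets that are its own children vs. everything else.

    Writing into a child you just spawned is routine start-up; writing into a
    pre-existing process, an ancestor or a sibling is the injection signal."""
    out = defaultdict(lambda: {"image": None, "child_writes": set(), "cross_process": set()})
    for src, dst, image in rows:
        entry = out[src]
        entry["image"] = image
        bucket = "child_writes" if parents.get(dst) == src else "cross_process"
        entry[bucket].add(dst)
    return {
        src: {"image": e["image"],
              "child_writes": sorted(e["child_writes"]),
              "cross_process": sorted(e["cross_process"])}
        for src, e in out.items()
    }


def injection_report(rows_text=ROWS, parents=PARENTS, images=IMAGES):
    """Return (classification, summary lines for writers that hit foreign processes)."""
    result = classify(parse_rows(rows_text), parents)
    lines = []
    for src, e in sorted(result.items()):
        if e["cross_process"]:
            targets = ", ".join(f"{images.get(p, '?')}({p})" for p in e["cross_process"])
            lines.append(f"{e['image']}({src}) wrote into {len(e['cross_process'])} foreign processes: {targets}")
    return result, lines


if __name__ == "__main__":
    for line in injection_report()[1]:
        print(line)
```

Applied to this report, the two rundll32 hosts end up with child writes only, while f76ae1a.exe (2500) touches all eight other processes including the rundll32 that launched it, and f76c9c5.exe (600) touches the four system processes. That is the pattern to carry into endpoint telemetry: WriteProcessMemory or CreateRemoteThread where the target's parent is not the caller.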
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize
97KB
MD5
3d2221ab4e32ae512564fb54e08040b7
SHA1
76db2664eb92659323cdbc888b439d0a5d7c2144
SHA256
64b7803cc50b33ca4deddcb98eaa68691478c655d246736e0e11ef21b87d9c88
SHA512
7327a367f51a17984de5519583c81e598cc05aca84f1735b31b1306ee2754b9372c4d157bac0326a6094d2ce4f640fea0b6500bded846efe5156ac3c76ffef40

Filesize
257B
MD5
b260b021d6824c5d2a3b6ac44d3cd55f
SHA1
9ee9d6cc184b281e0d5e401340332c5253b5d726
SHA256
cb1e9cd02586deb756727be8524ccd84f5875fe259c75c9f40531a9264b27e73
SHA512
48a589a828e33ebb153c0608ebb73b65d33692869aca30cb76563172db7237a910a032c1522bea541f11d34a65932b000b288556fc4f2e0e63521ccf53ca48eb