Analysis
max time kernel: 81s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 11-12-2024 00:21
Static task: static1
Behavioral task: behavioral1
Sample: 674223b4a821becf17ab41b159cd6e2aabd07291d6dba0573410e6f6b437731f.dll
Resource: win7-20240729-en
General
Target: 674223b4a821becf17ab41b159cd6e2aabd07291d6dba0573410e6f6b437731f.dll
Size: 120KB
MD5: b4dba59e4b30b24f36f1316bbc1da442
SHA1: 0bd3d953874ac8d02ceee50c62dbd254f7cc63ae
SHA256: 674223b4a821becf17ab41b159cd6e2aabd07291d6dba0573410e6f6b437731f
SHA512: 1a940cd8b1fc3da1fca173f9c583375616d72e6a025ee380334aa371e64c3f2789b79a85c65ed3afc348c4dbab08f0f3b132fde194dbd7c052892582bd420a4d
SSDEEP: 1536:5orE1mniLs+zhQhZQEuWkNDxoh+cO9HYV/lSeFeryXh7Zv91/z3rTr49adfWOpHH:nz+SG+94TS385rIaoO5DDn/3qnFoeB2N
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f557.exe
Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f6fc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f557.exe
Executes dropped EXE (3 IoCs)
pid | Process
2780 | f76f557.exe
2980 | f76f6fc.exe
2972 | f7713ee.exe
Loads dropped DLL (6 IoCs)
pid | Process
2772 | rundll32.exe
2772 | rundll32.exe
2772 | rundll32.exe
2772 | rundll32.exe
2772 | rundll32.exe
2772 | rundll32.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f6fc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f6fc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f6fc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f6fc.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | f76f557.exe
File opened (read-only) | \??\J: | f76f557.exe
File opened (read-only) | \??\M: | f76f557.exe
File opened (read-only) | \??\S: | f76f557.exe
File opened (read-only) | \??\T: | f76f557.exe
File opened (read-only) | \??\E: | f76f557.exe
File opened (read-only) | \??\L: | f76f557.exe
File opened (read-only) | \??\N: | f76f557.exe
File opened (read-only) | \??\P: | f76f557.exe
File opened (read-only) | \??\R: | f76f557.exe
File opened (read-only) | \??\H: | f76f557.exe
File opened (read-only) | \??\I: | f76f557.exe
File opened (read-only) | \??\K: | f76f557.exe
File opened (read-only) | \??\O: | f76f557.exe
File opened (read-only) | \??\Q: | f76f557.exe
resource | yara_rule
behavioral1/memory/2780-11-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-15-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-18-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-13-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-16-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-14-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-21-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-20-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-19-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-17-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-58-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-60-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-61-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-62-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-59-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-64-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-65-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-66-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-79-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-81-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-83-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-104-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2780-152-0x00000000005A0000-0x000000000165A000-memory.dmp | upx
behavioral1/memory/2980-164-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/2980-190-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f7745e6 | f76f6fc.exe
File created | C:\Windows\f76f5b4 | f76f557.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76f557.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f557.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f6fc.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2780 | f76f557.exe
2780 | f76f557.exe
2980 | f76f6fc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2780 | f76f557.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Token: SeDebugPrivilege | 2980 | f76f6fc.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2652 wrote to memory of 2772 | 2652 | rundll32.exe | 31
PID 2772 wrote to memory of 2780 | 2772 | rundll32.exe | 32
PID 2772 wrote to memory of 2780 | 2772 | rundll32.exe | 32
PID 2772 wrote to memory of 2780 | 2772 | rundll32.exe | 32
PID 2772 wrote to memory of 2780 | 2772 | rundll32.exe | 32
PID 2780 wrote to memory of 1060 | 2780 | f76f557.exe | 18
PID 2780 wrote to memory of 1120 | 2780 | f76f557.exe | 19
PID 2780 wrote to memory of 1180 | 2780 | f76f557.exe | 21
PID 2780 wrote to memory of 1140 | 2780 | f76f557.exe | 23
PID 2780 wrote to memory of 2652 | 2780 | f76f557.exe | 30
PID 2780 wrote to memory of 2772 | 2780 | f76f557.exe | 31
PID 2780 wrote to memory of 2772 | 2780 | f76f557.exe | 31
PID 2772 wrote to memory of 2980 | 2772 | rundll32.exe | 33
PID 2772 wrote to memory of 2980 | 2772 | rundll32.exe | 33
PID 2772 wrote to memory of 2980 | 2772 | rundll32.exe | 33
PID 2772 wrote to memory of 2980 | 2772 | rundll32.exe | 33
PID 2772 wrote to memory of 2972 | 2772 | rundll32.exe | 34
PID 2772 wrote to memory of 2972 | 2772 | rundll32.exe | 34
PID 2772 wrote to memory of 2972 | 2772 | rundll32.exe | 34
PID 2772 wrote to memory of 2972 | 2772 | rundll32.exe | 34
PID 2780 wrote to memory of 1060 | 2780 | f76f557.exe | 18
PID 2780 wrote to memory of 1120 | 2780 | f76f557.exe | 19
PID 2780 wrote to memory of 1180 | 2780 | f76f557.exe | 21
PID 2780 wrote to memory of 1140 | 2780 | f76f557.exe | 23
PID 2780 wrote to memory of 2980 | 2780 | f76f557.exe | 33
PID 2780 wrote to memory of 2980 | 2780 | f76f557.exe | 33
PID 2780 wrote to memory of 2972 | 2780 | f76f557.exe | 34
PID 2780 wrote to memory of 2972 | 2780 | f76f557.exe | 34
PID 2980 wrote to memory of 1060 | 2980 | f76f6fc.exe | 18
PID 2980 wrote to memory of 1120 | 2980 | f76f6fc.exe | 19
PID 2980 wrote to memory of 1180 | 2980 | f76f6fc.exe | 21
PID 2980 wrote to memory of 1140 | 2980 | f76f6fc.exe | 23
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f557.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f6fc.exe
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1060

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1120

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1180

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\674223b4a821becf17ab41b159cd6e2aabd07291d6dba0573410e6f6b437731f.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:2652

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\674223b4a821becf17ab41b159cd6e2aabd07291d6dba0573410e6f6b437731f.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2772

      C:\Users\Admin\AppData\Local\Temp\f76f557.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76f557.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2780

      C:\Users\Admin\AppData\Local\Temp\f76f6fc.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76f6fc.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2980

      C:\Users\Admin\AppData\Local\Temp\f7713ee.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f7713ee.exe
        - Executes dropped EXE
        PID:2972

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1140
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: d714cb63d4f8b2fccbe7802bcd0a6ac5
SHA1: e12d316a6975e37fabb3ee911ba91e8b8fb2c1c5
SHA256: 29b02f516a9ba29027bff050d9892b2131087384618341a83de71676c81b3255
SHA512: a9d75258c4ad5924ae4d3c070cd9e13defe9d7d444faaf6fca966c65aff5d02b475867ada11f9c26a726265ecb59ff410c9ddbfc370f8d7ce59eea258c336069

Filesize: 97KB
MD5: 83b41e08aa69c793c9b752725b749bf9
SHA1: 991009a9ae9dff0072e036e353bf328101e420da
SHA256: ca5dd1e0abf6982bf695a1f19c3d4572d205ad18a81ea4b77a03805eebf3b572
SHA512: 4de8f36eb0d7b5786c022ced7a4107b544f278603b18347606d25fdab21cbc2a6f39a1c60aed9ed474c98f4585a1f5654d5e0a6f246b00233b037d14c998a298