Analysis
max time kernel: 24s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 22:12
Static task: static1
Behavioral task: behavioral1
Sample: 4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll
Resource: win7-20241023-en
General
Target: 4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll
Size: 120KB
MD5: c47745b1195f7c9a274921de15ff7c1a
SHA1: d0faa49e7e94a7069febab86a57528a903bc39cb
SHA256: 4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05
SHA512: 8c31e3b2b5b655e0c49f027fd53f9a28ac6729348069c776a7ced77c088e11695da06924d56df5060cdaeeee2728bb3628e10adb7bf3872a69cf7c8ee992a18a
SSDEEP: 3072:euYY3Nd1zWEFscoa2pZI28s1N5h+saUHogCHp:ZYOd1zWEFEG25N5UpngCJ
Malware Config (extracted)
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c504.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c504.exe
Executes dropped EXE (3 IoCs)
pid | Process
1896 | f76a94a.exe
2864 | f76aaef.exe
2732 | f76c504.exe

Loads dropped DLL (6 IoCs)
pid | Process
2116 | rundll32.exe
2116 | rundll32.exe
2116 | rundll32.exe
2116 | rundll32.exe
2116 | rundll32.exe
2116 | rundll32.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a94a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c504.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a94a.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a94a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | f76a94a.exe
File opened (read-only) | \??\T: | f76a94a.exe
File opened (read-only) | \??\K: | f76a94a.exe
File opened (read-only) | \??\M: | f76a94a.exe
File opened (read-only) | \??\N: | f76a94a.exe
File opened (read-only) | \??\R: | f76a94a.exe
File opened (read-only) | \??\S: | f76a94a.exe
File opened (read-only) | \??\E: | f76a94a.exe
File opened (read-only) | \??\H: | f76a94a.exe
File opened (read-only) | \??\L: | f76a94a.exe
File opened (read-only) | \??\O: | f76a94a.exe
File opened (read-only) | \??\Q: | f76a94a.exe
File opened (read-only) | \??\I: | f76a94a.exe
File opened (read-only) | \??\J: | f76a94a.exe
File opened (read-only) | \??\G: | f76a94a.exe

Yara rule matches: upx
resource | yara_rule
behavioral1/memory/1896-12-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-15-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-18-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-21-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-22-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-20-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-19-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-17-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-16-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-14-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-59-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-60-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-61-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-62-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-63-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-65-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-66-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-81-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-83-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-86-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-107-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/1896-151-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2732-167-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2732-204-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f76a94a.exe
File created | C:\Windows\f76f9d9 | f76c504.exe
File created | C:\Windows\f76a9c7 | f76a94a.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a94a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c504.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1896 | f76a94a.exe
1896 | f76a94a.exe
2732 | f76c504.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 1896 | f76a94a.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Token: SeDebugPrivilege | 2732 | f76c504.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2596 wrote to memory of 2116 | 2596 | rundll32.exe | 30
PID 2116 wrote to memory of 1896 | 2116 | rundll32.exe | 31
PID 2116 wrote to memory of 1896 | 2116 | rundll32.exe | 31
PID 2116 wrote to memory of 1896 | 2116 | rundll32.exe | 31
PID 2116 wrote to memory of 1896 | 2116 | rundll32.exe | 31
PID 1896 wrote to memory of 1112 | 1896 | f76a94a.exe | 19
PID 1896 wrote to memory of 1176 | 1896 | f76a94a.exe | 20
PID 1896 wrote to memory of 1204 | 1896 | f76a94a.exe | 21
PID 1896 wrote to memory of 1652 | 1896 | f76a94a.exe | 25
PID 1896 wrote to memory of 2596 | 1896 | f76a94a.exe | 29
PID 1896 wrote to memory of 2116 | 1896 | f76a94a.exe | 30
PID 1896 wrote to memory of 2116 | 1896 | f76a94a.exe | 30
PID 2116 wrote to memory of 2864 | 2116 | rundll32.exe | 32
PID 2116 wrote to memory of 2864 | 2116 | rundll32.exe | 32
PID 2116 wrote to memory of 2864 | 2116 | rundll32.exe | 32
PID 2116 wrote to memory of 2864 | 2116 | rundll32.exe | 32
PID 2116 wrote to memory of 2732 | 2116 | rundll32.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | rundll32.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | rundll32.exe | 33
PID 2116 wrote to memory of 2732 | 2116 | rundll32.exe | 33
PID 1896 wrote to memory of 1112 | 1896 | f76a94a.exe | 19
PID 1896 wrote to memory of 1176 | 1896 | f76a94a.exe | 20
PID 1896 wrote to memory of 1204 | 1896 | f76a94a.exe | 21
PID 1896 wrote to memory of 1652 | 1896 | f76a94a.exe | 25
PID 1896 wrote to memory of 2864 | 1896 | f76a94a.exe | 32
PID 1896 wrote to memory of 2864 | 1896 | f76a94a.exe | 32
PID 1896 wrote to memory of 2732 | 1896 | f76a94a.exe | 33
PID 1896 wrote to memory of 2732 | 1896 | f76a94a.exe | 33
PID 2732 wrote to memory of 1112 | 2732 | f76c504.exe | 19
PID 2732 wrote to memory of 1176 | 2732 | f76c504.exe | 20
PID 2732 wrote to memory of 1204 | 2732 | f76c504.exe | 21
PID 2732 wrote to memory of 1652 | 2732 | f76c504.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c504.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a94a.exe
Processes (tree depth shown in brackets)

[1] C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
    PID: 1112

[1] C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1176

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1204

[2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll,#1
    PID: 2596
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5467b5c1f1846d8f7cf63fa8c6c546e9fdfe0238219e3c23b506b600a7ae05.dll,#1
        PID: 2116
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [4] C:\Users\Admin\AppData\Local\Temp\f76a94a.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76a94a.exe
            PID: 1896
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

        [4] C:\Users\Admin\AppData\Local\Temp\f76aaef.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76aaef.exe
            PID: 2864
            - Executes dropped EXE

        [4] C:\Users\Admin\AppData\Local\Temp\f76c504.exe
            command line: C:\Users\Admin\AppData\Local\Temp\f76c504.exe
            PID: 2732
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

[1] C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1652
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

File 1
Filesize: 97KB
MD5: 1c8db678d5eaa482d3124f483f4fe42c
SHA1: 9c87e342508405bbfa12d8105c24318b0ce22997
SHA256: 6bade7cea956e302bfb87477b216a457defa23724e4451440382645087ecae8a
SHA512: c6ee14521d11d81292abbadbebaa19525bbbef0810e325054ce5a675bc8655a7ef4c4a8f794716f436f7189f62a4301d35887aab9a0e826564843ce13f4e0eb9

File 2
Filesize: 257B
MD5: ae38089cf978dad4054ae1e0475355a2
SHA1: 27b55a6d67104d01bfe6d0d5895b78a53c9c4c77
SHA256: 0a75ecaa211adba8b9b73104c91141ab977ce5d39c3376cec90dfa3633a72d41
SHA512: f63e5c25fe0cf634269b0b6446a2659d9577fd45de75f697313a8e9e06ae235cb26eeccf295458bf6ba2701dd2aa34755b351fa65841a917344a01b777c90113