Analysis
max time kernel: 81s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 01:23
Static task: static1
Behavioral task: behavioral1
Sample: 30f7d0ff4bb0af0c962b54af6ddcaabde0155513651164e6b61ed2b17e335181N.dll
Resource: win7-20240729-en
General
Target: 30f7d0ff4bb0af0c962b54af6ddcaabde0155513651164e6b61ed2b17e335181N.dll
Size: 120KB
MD5: 81852ca80ffd1469ecc52ce97e5d92d0
SHA1: b85b87385d52bb93fe98e08eafd528e661087ae5
SHA256: 30f7d0ff4bb0af0c962b54af6ddcaabde0155513651164e6b61ed2b17e335181
SHA512: ec2c004243ea61a060a21d1b97e305b89ed25cf1058e6a8d3140e46fa1b4763b155c0073f0afd861c176a94d313471c0102d3d58615ee1d23d248bf0ab2c0fc2
SSDEEP: 3072:MOjhnoTze1v5KHmnlLSyOQkyOycUjnsUiZ:f5ovdmZ1OQkdUE
Malware Config
Extracted
Family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f5c4.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f7c7.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f7c7.exe
Executes dropped EXE 3 IoCs
pid | Process
2764 | f76f5c4.exe
2596 | f76f7c7.exe
2840 | f7714c8.exe
Loads dropped DLL 6 IoCs
pid | Process
2668 | rundll32.exe (6 identical entries)
Windows security modification 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f5c4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f7c7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f7c7.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f7c7.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G:, \??\I:, \??\E:, \??\H:, \??\J:, \??\P:, \??\S:, \??\T:, \??\M:, \??\O:, \??\Q:, \??\K:, \??\L:, \??\N:, \??\R: (one entry per drive letter) | f76f5c4.exe
YARA rule upx matched in process memory (UPX-packed regions) 25 IoCs
resource | yara_rule
behavioral1/memory/2764-N-0x0000000000620000-0x00000000016DA000-memory.dmp for N in 11, 13, 14, 15, 16, 17, 18, 19, 20, 21, 57, 58, 59, 60, 61, 63, 64, 65, 66, 80, 82, 104, 151 (23 dumps of PID 2764) | upx
behavioral1/memory/2596-163-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
behavioral1/memory/2596-186-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76f622 | f76f5c4.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76f5c4.exe
File created | C:\Windows\f7746ef | f76f7c7.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f5c4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f7c7.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2764 | f76f5c4.exe
2764 | f76f5c4.exe
2596 | f76f7c7.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2764 | f76f5c4.exe (repeated entries)
Token: SeDebugPrivilege | 2596 | f76f7c7.exe (repeated entries)
All 46 entries are SeDebugPrivilege token adjustments by these two processes.
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2064 wrote to memory of 2668 | 2064 | rundll32.exe | 31 (7 entries)
PID 2668 wrote to memory of 2764 | 2668 | rundll32.exe | 32 (4 entries)
PID 2764 wrote to memory of 1060 | 2764 | f76f5c4.exe | 18
PID 2764 wrote to memory of 1120 | 2764 | f76f5c4.exe | 19
PID 2764 wrote to memory of 1180 | 2764 | f76f5c4.exe | 21
PID 2764 wrote to memory of 1140 | 2764 | f76f5c4.exe | 23
PID 2764 wrote to memory of 2064 | 2764 | f76f5c4.exe | 30
PID 2764 wrote to memory of 2668 | 2764 | f76f5c4.exe | 31 (2 entries)
PID 2668 wrote to memory of 2596 | 2668 | rundll32.exe | 33 (4 entries)
PID 2668 wrote to memory of 2840 | 2668 | rundll32.exe | 34 (4 entries)
PID 2764 wrote to memory of 1060 | 2764 | f76f5c4.exe | 18
PID 2764 wrote to memory of 1120 | 2764 | f76f5c4.exe | 19
PID 2764 wrote to memory of 1180 | 2764 | f76f5c4.exe | 21
PID 2764 wrote to memory of 1140 | 2764 | f76f5c4.exe | 23
PID 2764 wrote to memory of 2596 | 2764 | f76f5c4.exe | 33 (2 entries)
PID 2764 wrote to memory of 2840 | 2764 | f76f5c4.exe | 34 (2 entries)
PID 2596 wrote to memory of 1060 | 2596 | f76f7c7.exe | 18
PID 2596 wrote to memory of 1120 | 2596 | f76f7c7.exe | 19
PID 2596 wrote to memory of 1180 | 2596 | f76f7c7.exe | 21
PID 2596 wrote to memory of 1140 | 2596 | f76f7c7.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f5c4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f7c7.exe
Processes
(indentation and the depth number reflect the process tree level reported by the sandbox)

[depth 1] C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1060

[depth 1] C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1120

[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1180

  [depth 2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30f7d0ff4bb0af0c962b54af6ddcaabde0155513651164e6b61ed2b17e335181N.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2064

    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30f7d0ff4bb0af0c962b54af6ddcaabde0155513651164e6b61ed2b17e335181N.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2668

      [depth 4] C:\Users\Admin\AppData\Local\Temp\f76f5c4.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76f5c4.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2764

      [depth 4] C:\Users\Admin\AppData\Local\Temp\f76f7c7.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76f7c7.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2596

      [depth 4] C:\Users\Admin\AppData\Local\Temp\f7714c8.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f7714c8.exe
        - Executes dropped EXE
        PID: 2840

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1140
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Dropped file 1
Filesize: 257B
MD5: eb097af31884c0a3e5d11a66e6ed64d5
SHA1: 1fafd4cacf906ee1503f86ad970a086207c7d8b2
SHA256: 28f1877ef4c5ce7dd96a49941b84c7ec0711a464543b4b3ccbaeab03b459b417
SHA512: b42d9b2e4afab4d887297e8071c2369d03b0ce16f6303b478e35bf5fe86eacc20ec5d05eac0bf9b41d2f33b03cee3975eecc8cad61aff836a643216279c090a4

Dropped file 2
Filesize: 97KB
MD5: b56a1d07bf17e1c41a57f24e3459da8d
SHA1: 874f2b1ec9832565e11511881f3acb5a79d98a58
SHA256: bae006ea2b32149769a6eb2c67c4398aab6bf890a35b28c54a22fed16a79a440
SHA512: b0a70eb8da6f2eb6c039dc449dd02a7144b045a08893e7318c4bfa301c20b7fe8737437d5970766b85e1062361218359edc155aa81b98cf226cbdd25906070e6