Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 03:28

Static task: static1
Behavioral task: behavioral1
- Sample: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll
- Resource: win7-20241010-en
General
- Target: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll
- Size: 120KB
- MD5: b01eb07fd3ef3b5152b7d6e28f722b50
- SHA1: 5f3a6d9f95f60de033da491d496fe2d51d9bd483
- SHA256: 8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3
- SHA512: 14105809fd2bd555297d16c2a036521cd3402023d692da3a2fdc4ea1bca33f73816b22baecc9cc44dc6c4d0e8672c6fb2aac7152ee19a3d76739e1da09d617b4
- SSDEEP: 3072:4S9rqLo4Jt/ktSZH9PSaQQh28EQif4W3FyLrUGkB9:4S5L4JBktSbSab27Q47FUQ
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767be4.exe |
Sality family

UAC bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767be4.exe |
Windows security bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767be4.exe |
Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 2920 | f766068.exe |
| 2628 | f7663f1.exe |
| 2012 | f767be4.exe |
Loads dropped DLL (6 IoCs)

| pid | Process |
| --- | --- |
| 2888 | rundll32.exe (6 identical entries) |
Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f766068.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767be4.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767be4.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f766068.exe |
Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767be4.exe |
Enumerates connected drives (3 TTPs, 15 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\G: | f766068.exe |
| File opened (read-only) | \??\N: | f766068.exe |
| File opened (read-only) | \??\E: | f766068.exe |
| File opened (read-only) | \??\L: | f766068.exe |
| File opened (read-only) | \??\O: | f766068.exe |
| File opened (read-only) | \??\Q: | f766068.exe |
| File opened (read-only) | \??\S: | f766068.exe |
| File opened (read-only) | \??\H: | f766068.exe |
| File opened (read-only) | \??\I: | f766068.exe |
| File opened (read-only) | \??\K: | f766068.exe |
| File opened (read-only) | \??\R: | f766068.exe |
| File opened (read-only) | \??\E: | f767be4.exe |
| File opened (read-only) | \??\J: | f766068.exe |
| File opened (read-only) | \??\M: | f766068.exe |
| File opened (read-only) | \??\P: | f766068.exe |
Yara rule match: upx (24 memory dumps)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2920-13-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-15-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-18-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-22-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-20-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-19-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-17-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-16-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-14-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-21-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-59-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-60-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-61-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-62-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-63-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-65-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-80-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-82-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-84-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-87-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-106-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2920-147-0x00000000006F0000-0x00000000017AA000-memory.dmp | upx |
| behavioral1/memory/2012-163-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx |
| behavioral1/memory/2012-202-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx |
Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\f7660d5 | f766068.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f766068.exe |
| File created | C:\Windows\f76b329 | f767be4.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f766068.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767be4.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | Process |
| --- | --- |
| 2920 | f766068.exe |
| 2920 | f766068.exe |
| 2012 | f767be4.exe |
Suspicious use of AdjustPrivilegeToken (45 IoCs)

| description | pid | Process | entries |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | 2920 | f766068.exe | 23 |
| Token: SeDebugPrivilege | 2012 | f767be4.exe | 22 |
Suspicious use of WriteProcessMemory (38 IoCs)

Consecutive identical entries are collapsed; the entries column gives the number of times each one appears in the report, in report order.

| description | pid | Process | procid_target | entries |
| --- | --- | --- | --- | --- |
| PID 2868 wrote to memory of 2888 | 2868 | rundll32.exe | 30 | 7 |
| PID 2888 wrote to memory of 2920 | 2888 | rundll32.exe | 31 | 4 |
| PID 2920 wrote to memory of 1100 | 2920 | f766068.exe | 19 | 1 |
| PID 2920 wrote to memory of 1164 | 2920 | f766068.exe | 20 | 1 |
| PID 2920 wrote to memory of 1196 | 2920 | f766068.exe | 21 | 1 |
| PID 2920 wrote to memory of 1608 | 2920 | f766068.exe | 25 | 1 |
| PID 2920 wrote to memory of 2868 | 2920 | f766068.exe | 29 | 1 |
| PID 2920 wrote to memory of 2888 | 2920 | f766068.exe | 30 | 2 |
| PID 2888 wrote to memory of 2628 | 2888 | rundll32.exe | 32 | 4 |
| PID 2888 wrote to memory of 2012 | 2888 | rundll32.exe | 33 | 4 |
| PID 2920 wrote to memory of 1100 | 2920 | f766068.exe | 19 | 1 |
| PID 2920 wrote to memory of 1164 | 2920 | f766068.exe | 20 | 1 |
| PID 2920 wrote to memory of 1196 | 2920 | f766068.exe | 21 | 1 |
| PID 2920 wrote to memory of 1608 | 2920 | f766068.exe | 25 | 1 |
| PID 2920 wrote to memory of 2628 | 2920 | f766068.exe | 32 | 2 |
| PID 2920 wrote to memory of 2012 | 2920 | f766068.exe | 33 | 2 |
| PID 2012 wrote to memory of 1100 | 2012 | f767be4.exe | 19 | 1 |
| PID 2012 wrote to memory of 1164 | 2012 | f767be4.exe | 20 | 1 |
| PID 2012 wrote to memory of 1196 | 2012 | f767be4.exe | 21 | 1 |
| PID 2012 wrote to memory of 1608 | 2012 | f767be4.exe | 25 | 1 |
System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f766068.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767be4.exe |
Processes

Each entry gives the image path, the command line, the depth in the process tree as reported, and the PID; the signatures triggered by that process are listed beneath it.

- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe", depth 1, PID 1100)
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe", depth 1, PID 1164)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, depth 1, PID 1196)
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll,#1, depth 2, PID 2868)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8493d8720bb672a05a7a7058bc2450b242c1325f8e689dd75e80024294aa0bb3N.dll,#1, depth 3, PID 2888)
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f766068.exe (command line: C:\Users\Admin\AppData\Local\Temp\f766068.exe, depth 4, PID 2920)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f7663f1.exe (command line: C:\Users\Admin\AppData\Local\Temp\f7663f1.exe, depth 4, PID 2628)
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f767be4.exe (command line: C:\Users\Admin\AppData\Local\Temp\f767be4.exe, depth 4, PID 2012)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, depth 1, PID 1608)
Network
MITRE ATT&CK Enterprise v15

Counts in parentheses are the number of matching signatures reported for each technique or sub-technique.

- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 257B
  - MD5: b29bcef78f846c4a3ddf0a1088842888
  - SHA1: 1ee943b39f81feb1b27e72cbf5d6f97d676a983b
  - SHA256: 01de0323e5bbcde4b16fbdd3a613a1fe915d3a0ab2d3b1d65564c33c703fb09c
  - SHA512: 8de9a66b6d642c79ce86b1b079e2e87cc82913303d3e722ea5fd6b7c093fd1f63619febaec11b98e33c678384ee32dfcbfe31b408ba3448f7c61e49bde7bfd8f
- Filesize: 97KB
  - MD5: 74253e545a44d6acb4d2b6ea7f46865c
  - SHA1: e3c6f68044ab550972e4fc6b43841716b6e121bf
  - SHA256: bd363615eecb1207b489d79a578d9d5d359dff4fe89efddbe4826c399f2893f9
  - SHA512: 96fe7ef34c938ce1f214b9d49397d2d6ff9d6ed2b96be571ae48fbd24768d411c32109bc40a5370d684829bfd4b132c1bb3584f40cdeb837cc4d0a7fff80bd49