Analysis
- max time kernel: 27s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-12-2024 13:05

Static task: static1
Behavioral task: behavioral1
- Sample: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll
- Resource: win7-20240903-en

General
- Target: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll
- Size: 120KB
- MD5: 25c6435d9b0074997c745a118d7369b0
- SHA1: b51bfcf097915d96b3307a813c4eb3a17eefbbb7
- SHA256: 6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3
- SHA512: 37ce154807a9ef4d42ea151c5dc064fcd8930017fe79f8cf6c1d081a5a88e63fc5e7e50e619e1fdd82d22dd23e93cccd56fc27708623d1d861802b30fb4b4924
- SSDEEP: 3072:JnC2zgLPLXSqKxI1rmgBrsVgau7kSkk3a:JC2zgLzXS81qgBwqau7kG3a
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b77d.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d337.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d337.exe
Executes dropped EXE 3 IoCs
pid | Process
2380 | f76b77d.exe
2692 | f76b8e3.exe
2552 | f76d337.exe

Loads dropped DLL 6 IoCs
pid | Process
3052 | rundll32.exe (6 occurrences)

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d337.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b77d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d337.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d337.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d337.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | f76b77d.exe
File opened (read-only) | \??\S: | f76b77d.exe
File opened (read-only) | \??\T: | f76b77d.exe
File opened (read-only) | \??\E: | f76d337.exe
File opened (read-only) | \??\J: | f76b77d.exe
File opened (read-only) | \??\N: | f76b77d.exe
File opened (read-only) | \??\P: | f76b77d.exe
File opened (read-only) | \??\Q: | f76b77d.exe
File opened (read-only) | \??\L: | f76b77d.exe
File opened (read-only) | \??\H: | f76b77d.exe
File opened (read-only) | \??\I: | f76b77d.exe
File opened (read-only) | \??\M: | f76b77d.exe
File opened (read-only) | \??\O: | f76b77d.exe
File opened (read-only) | \??\G: | f76b77d.exe
File opened (read-only) | \??\R: | f76b77d.exe
File opened (read-only) | \??\G: | f76d337.exe
File opened (read-only) | \??\E: | f76b77d.exe

Yara rule match: upx
resource | yara_rule
behavioral1/memory/2380-11-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-15-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-17-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-19-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-14-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-20-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-18-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-13-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-16-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-21-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-60-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-61-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-62-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-64-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-63-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-66-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-67-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-82-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-84-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-87-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-107-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2380-157-0x0000000000680000-0x000000000173A000-memory.dmp | upx
behavioral1/memory/2552-174-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/2552-214-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76b7ea | f76b77d.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76b77d.exe
File created | C:\Windows\f7707fc | f76d337.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76d337.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b77d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2380 | f76b77d.exe
2380 | f76b77d.exe
2552 | f76d337.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2380 | f76b77d.exe (24 occurrences)
Token: SeDebugPrivilege | 2552 | f76d337.exe (22 occurrences)

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 3000 wrote to memory of 3052 | 3000 | rundll32.exe | 30 (7 occurrences)
PID 3052 wrote to memory of 2380 | 3052 | rundll32.exe | 31 (4 occurrences)
PID 2380 wrote to memory of 1044 | 2380 | f76b77d.exe | 17
PID 2380 wrote to memory of 1076 | 2380 | f76b77d.exe | 18
PID 2380 wrote to memory of 1112 | 2380 | f76b77d.exe | 20
PID 2380 wrote to memory of 2020 | 2380 | f76b77d.exe | 23
PID 2380 wrote to memory of 3000 | 2380 | f76b77d.exe | 29
PID 2380 wrote to memory of 3052 | 2380 | f76b77d.exe | 30 (2 occurrences)
PID 3052 wrote to memory of 2692 | 3052 | rundll32.exe | 32 (4 occurrences)
PID 3052 wrote to memory of 2552 | 3052 | rundll32.exe | 34 (4 occurrences)
PID 2380 wrote to memory of 1044 | 2380 | f76b77d.exe | 17
PID 2380 wrote to memory of 1076 | 2380 | f76b77d.exe | 18
PID 2380 wrote to memory of 1112 | 2380 | f76b77d.exe | 20
PID 2380 wrote to memory of 2020 | 2380 | f76b77d.exe | 23
PID 2380 wrote to memory of 2692 | 2380 | f76b77d.exe | 32 (2 occurrences)
PID 2380 wrote to memory of 2552 | 2380 | f76b77d.exe | 34 (2 occurrences)
PID 2552 wrote to memory of 1044 | 2552 | f76d337.exe | 17
PID 2552 wrote to memory of 1076 | 2552 | f76d337.exe | 18
PID 2552 wrote to memory of 1112 | 2552 | f76d337.exe | 20
PID 2552 wrote to memory of 2020 | 2552 | f76d337.exe | 23

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b77d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d337.exe
Processes
- C:\Windows\system32\Dwm.exe (PID 1044)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1076)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 3000)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll,#1
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 3052)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6082401001c418da5d14477dc99802f19abca1bab2d024d24c6090ff267522b3N.dll,#1
      signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76b77d.exe (PID 2380)
        command line: C:\Users\Admin\AppData\Local\Temp\f76b77d.exe
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76b8e3.exe (PID 2692)
        command line: C:\Users\Admin\AppData\Local\Temp\f76b8e3.exe
        signatures:
          - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f76d337.exe (PID 2552)
        command line: C:\Users\Admin\AppData\Local\Temp\f76d337.exe
        signatures:
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
- C:\Windows\system32\taskhost.exe (PID 1112)
  command line: "taskhost.exe"
- C:\Windows\system32\DllHost.exe (PID 2020)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 7de9765e881e795d41806504215dab55
  SHA1: 8e35889d09160b898652ec49f296a64cd21f73cb
  SHA256: cefa843d1c49936bb9ed3ac34b2085d921f3f8da107693a368d3e6725e8697a7
  SHA512: e843967fa54320201c35699088aed61316842a9623d82013f111cbc07ff80df08c916ede571f106678978a5080573b4674f94a904293141d05a6a785d45464ad
- Filesize: 97KB
  MD5: 72ab4e4c05ba953be25a1a087a3dd0b2
  SHA1: 7be6725cf3bb491eb3de92dc6c1bdb72666ab77c
  SHA256: 5352dc7e1c3cc2f1d775b8e3e21ca45399e61e52971bac221c8c34aca82672a1
  SHA512: c10c5b27a56241d19d0543c92c50db6db85b5d9fa11fb9d0124cb9af1cd010bf4c3b1f1ca0f60675a1f3c18bfbb31d10598e99ce82c38271d885052e1deffd1e