Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 14:16
Static task: static1
Behavioral task: behavioral1
Sample: 33046d944ef5e45fc6d4c438f5e55d704c3a3c02f7e7c4e0e5812cecd1c31b87N.dll
Resource: win7-20240729-en
General
Target: 33046d944ef5e45fc6d4c438f5e55d704c3a3c02f7e7c4e0e5812cecd1c31b87N.dll
Size: 120KB
MD5: ca857c65c74be7586d428534ff8e2550
SHA1: bfef2a4c283706975710dece2171879bdf206a7e
SHA256: 33046d944ef5e45fc6d4c438f5e55d704c3a3c02f7e7c4e0e5812cecd1c31b87
SHA512: c2aca84c38905f0d1bd93b261fe71a41a5547a7881ed265f944df8c02c732416ffd5e098c7f88f7973eb4df5c906d36e6d71e144c8ad0c7fbcc95ff3d5e8d47b
SSDEEP: 3072:asaMi91/70x+Wv29dJ/Ql9DZeNe4pQLw:altyt28lDme4p4w
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f103.exe |
Sality family

UAC bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f103.exe |
Windows security bypass

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f103.exe |
Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 1960 | f76cd9b.exe |
| 2888 | f76cf12.exe |
| 2668 | f76f103.exe |
Loads dropped DLL (6 IoCs)

| pid | Process |
| --- | --- |
| 2536 | rundll32.exe |
| 2536 | rundll32.exe |
| 2536 | rundll32.exe |
| 2536 | rundll32.exe |
| 2536 | rundll32.exe |
| 2536 | rundll32.exe |
Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cd9b.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f103.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f103.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f103.exe |
Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f103.exe |
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\E: | f76cd9b.exe |
| File opened (read-only) | \??\L: | f76cd9b.exe |
| File opened (read-only) | \??\E: | f76f103.exe |
| File opened (read-only) | \??\I: | f76cd9b.exe |
| File opened (read-only) | \??\M: | f76cd9b.exe |
| File opened (read-only) | \??\N: | f76cd9b.exe |
| File opened (read-only) | \??\O: | f76cd9b.exe |
| File opened (read-only) | \??\P: | f76cd9b.exe |
| File opened (read-only) | \??\H: | f76cd9b.exe |
| File opened (read-only) | \??\J: | f76cd9b.exe |
| File opened (read-only) | \??\G: | f76f103.exe |
| File opened (read-only) | \??\I: | f76f103.exe |
| File opened (read-only) | \??\G: | f76cd9b.exe |
| File opened (read-only) | \??\K: | f76cd9b.exe |
| File opened (read-only) | \??\H: | f76f103.exe |
UPX packed file (yara rule: upx)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1960-13-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-18-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-17-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-14-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-20-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-19-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-16-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-15-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-22-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-21-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-61-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-62-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-63-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-64-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-65-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-81-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-100-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-101-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-103-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-105-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/1960-141-0x00000000006C0000-0x000000000177A000-memory.dmp | upx |
| behavioral1/memory/2668-167-0x00000000009C0000-0x0000000001A7A000-memory.dmp | upx |
| behavioral1/memory/2668-198-0x00000000009C0000-0x0000000001A7A000-memory.dmp | upx |
Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\f76cde9 | f76cd9b.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f76cd9b.exe |
| File created | C:\Windows\f771e0c | f76f103.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cd9b.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f103.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | Process |
| --- | --- |
| 1960 | f76cd9b.exe |
| 1960 | f76cd9b.exe |
| 2668 | f76f103.exe |
Suspicious use of AdjustPrivilegeToken (46 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 1960 | f76cd9b.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
| Token: SeDebugPrivilege | 2668 | f76f103.exe |
Suspicious use of WriteProcessMemory (38 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 1956 wrote to memory of 2536 | 1956 | rundll32.exe | 31 |
| PID 2536 wrote to memory of 1960 | 2536 | rundll32.exe | 32 |
| PID 2536 wrote to memory of 1960 | 2536 | rundll32.exe | 32 |
| PID 2536 wrote to memory of 1960 | 2536 | rundll32.exe | 32 |
| PID 2536 wrote to memory of 1960 | 2536 | rundll32.exe | 32 |
| PID 1960 wrote to memory of 1104 | 1960 | f76cd9b.exe | 19 |
| PID 1960 wrote to memory of 1172 | 1960 | f76cd9b.exe | 20 |
| PID 1960 wrote to memory of 1252 | 1960 | f76cd9b.exe | 21 |
| PID 1960 wrote to memory of 1656 | 1960 | f76cd9b.exe | 25 |
| PID 1960 wrote to memory of 1956 | 1960 | f76cd9b.exe | 30 |
| PID 1960 wrote to memory of 2536 | 1960 | f76cd9b.exe | 31 |
| PID 1960 wrote to memory of 2536 | 1960 | f76cd9b.exe | 31 |
| PID 2536 wrote to memory of 2888 | 2536 | rundll32.exe | 33 |
| PID 2536 wrote to memory of 2888 | 2536 | rundll32.exe | 33 |
| PID 2536 wrote to memory of 2888 | 2536 | rundll32.exe | 33 |
| PID 2536 wrote to memory of 2888 | 2536 | rundll32.exe | 33 |
| PID 2536 wrote to memory of 2668 | 2536 | rundll32.exe | 34 |
| PID 2536 wrote to memory of 2668 | 2536 | rundll32.exe | 34 |
| PID 2536 wrote to memory of 2668 | 2536 | rundll32.exe | 34 |
| PID 2536 wrote to memory of 2668 | 2536 | rundll32.exe | 34 |
| PID 1960 wrote to memory of 1104 | 1960 | f76cd9b.exe | 19 |
| PID 1960 wrote to memory of 1172 | 1960 | f76cd9b.exe | 20 |
| PID 1960 wrote to memory of 1252 | 1960 | f76cd9b.exe | 21 |
| PID 1960 wrote to memory of 1656 | 1960 | f76cd9b.exe | 25 |
| PID 1960 wrote to memory of 2888 | 1960 | f76cd9b.exe | 33 |
| PID 1960 wrote to memory of 2888 | 1960 | f76cd9b.exe | 33 |
| PID 1960 wrote to memory of 2668 | 1960 | f76cd9b.exe | 34 |
| PID 1960 wrote to memory of 2668 | 1960 | f76cd9b.exe | 34 |
| PID 2668 wrote to memory of 1104 | 2668 | f76f103.exe | 19 |
| PID 2668 wrote to memory of 1172 | 2668 | f76f103.exe | 20 |
| PID 2668 wrote to memory of 1252 | 2668 | f76f103.exe | 21 |
| PID 2668 wrote to memory of 1656 | 2668 | f76f103.exe | 25 |
System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd9b.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f103.exe |
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), PID: 1104
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID: 1172
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID: 1252
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33046d944ef5e45fc6d4c438f5e55d704c3a3c02f7e7c4e0e5812cecd1c31b87N.dll,#1), PID: 1956
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33046d944ef5e45fc6d4c438f5e55d704c3a3c02f7e7c4e0e5812cecd1c31b87N.dll,#1), PID: 2536
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76cd9b.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76cd9b.exe), PID: 1960
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76cf12.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76cf12.exe), PID: 2888
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76f103.exe (command line: C:\Users\Admin\AppData\Local\Temp\f76f103.exe), PID: 2668
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}), PID: 1656
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: bc77d3d234a5699c99759eac9a11eadb
  SHA1: c7bf134a36e2ff1e131addcffd8f7902c38a2281
  SHA256: 5a8d7a39a0d6cee2c76f977c308229154ac59e4ef29ca5b7a4b764ee16962416
  SHA512: 92475222a2ad7365af59fa9930a82576d18d4806068cead50cdf399cf33752579248a69554626aaef91d50b544474dbe98f7690500b9bc3c555467642a70d00d
- Filesize: 97KB
  MD5: 629351d19b7344f397b1841523958869
  SHA1: 720b7d7a06e3cc46bbc822a9dd81900249023453
  SHA256: d90a36bbb3bd894e849b18d0bbc663c76eccbf1959a5e4f763e6a4d69d6127bd
  SHA512: 5a85ca714ab2ba5aa5c9a37c2cc67dc45d76a16a99964d70e07d0549e0e53b93d944d0a2c33d64d5ad8dba35b3473675ae3256529639466a9638a9adcc166697