Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 22:18

Static task: static1
Behavioral task: behavioral1
- Sample: 4b74530b9ba525ef08e929979fe655e83c15ebedc0761b95c1d4c15078e0172e.dll
- Resource: win7-20241010-en
General
- Target: 4b74530b9ba525ef08e929979fe655e83c15ebedc0761b95c1d4c15078e0172e.dll
- Size: 120KB
- MD5: 5e07f7afa123c6d69ae5527b04e69cc8
- SHA1: e494737bc0e6457ac041c46c2b9aa5572b47bf62
- SHA256: 4b74530b9ba525ef08e929979fe655e83c15ebedc0761b95c1d4c15078e0172e
- SHA512: 6450e09e9d04eedba3caab688e43738a7f96576e18b3b588b91a30fe963ca2dbbdbd38dea11df77294a5d6e3912bf38d8525bcfa48e9f57fd06aff2c83be314a
- SSDEEP: 3072:b5TZl2TBABZuvmR+JNsymi0xfqdwYpZlPKlzXtpAzNOotiMSSs6:11lZBMvtJ7oxf2t5Kt9pAzQ1MSSs
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e08f.exe |

Sality family

UAC bypass

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fbbd.exe |

Windows security bypass

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fbbd.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 2524 | f76e08f.exe |
| 2476 | f76e2c1.exe |
| 2676 | f76fbbd.exe |

Loads dropped DLL (6 IoCs)

| pid | Process |
|---|---|
| 2992 | rundll32.exe |
| 2992 | rundll32.exe |
| 2992 | rundll32.exe |
| 2992 | rundll32.exe |
| 2992 | rundll32.exe |
| 2992 | rundll32.exe |

Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fbbd.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e08f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fbbd.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fbbd.exe |

Checks whether UAC is enabled

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fbbd.exe |

Enumerates connected drives (3 TTPs, 15 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\I: | f76e08f.exe |
| File opened (read-only) | \??\J: | f76e08f.exe |
| File opened (read-only) | \??\O: | f76e08f.exe |
| File opened (read-only) | \??\P: | f76e08f.exe |
| File opened (read-only) | \??\E: | f76e08f.exe |
| File opened (read-only) | \??\K: | f76e08f.exe |
| File opened (read-only) | \??\L: | f76e08f.exe |
| File opened (read-only) | \??\R: | f76e08f.exe |
| File opened (read-only) | \??\G: | f76e08f.exe |
| File opened (read-only) | \??\H: | f76e08f.exe |
| File opened (read-only) | \??\N: | f76e08f.exe |
| File opened (read-only) | \??\Q: | f76e08f.exe |
| File opened (read-only) | \??\M: | f76e08f.exe |
| File opened (read-only) | \??\S: | f76e08f.exe |
| File opened (read-only) | \??\E: | f76fbbd.exe |

Yara rule match: upx (24 memory dumps)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2524-{11,14,16,19,13,21,20,18,17,15,57,58,59,60,61,63,65,79,83,84,106,148}-0x00000000006C0000-0x000000000177A000-memory.dmp (22 dumps of the same region) | upx |
| behavioral1/memory/2676-{164,203}-0x0000000000910000-0x00000000019CA000-memory.dmp (2 dumps of the same region) | upx |

Drops file in Windows directory (3 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\f773208 | f76fbbd.exe |
| File created | C:\Windows\f76e0fc | f76e08f.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | f76e08f.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e08f.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76fbbd.exe |
Suspicious behavior: EnumeratesProcesses (3 IoCs)

| pid | Process |
|---|---|
| 2524 | f76e08f.exe |
| 2524 | f76e08f.exe |
| 2676 | f76fbbd.exe |

Suspicious use of AdjustPrivilegeToken (46 IoCs)

Identical consecutive entries are collapsed; the count column gives how many times each appears in the report.

| description | pid | Process | count |
|---|---|---|---|
| Token: SeDebugPrivilege | 2524 | f76e08f.exe | 24 |
| Token: SeDebugPrivilege | 2676 | f76fbbd.exe | 22 |

Suspicious use of WriteProcessMemory (38 IoCs)

Identical consecutive entries are collapsed; the count column gives how many times each appears in the report, in the original order.

| description | pid | Process | procid_target | count |
|---|---|---|---|---|
| PID 1668 wrote to memory of 2992 | 1668 | rundll32.exe | 31 | 7 |
| PID 2992 wrote to memory of 2524 | 2992 | rundll32.exe | 32 | 4 |
| PID 2524 wrote to memory of 1100 | 2524 | f76e08f.exe | 19 | 1 |
| PID 2524 wrote to memory of 1152 | 2524 | f76e08f.exe | 20 | 1 |
| PID 2524 wrote to memory of 1176 | 2524 | f76e08f.exe | 21 | 1 |
| PID 2524 wrote to memory of 1264 | 2524 | f76e08f.exe | 25 | 1 |
| PID 2524 wrote to memory of 1668 | 2524 | f76e08f.exe | 30 | 1 |
| PID 2524 wrote to memory of 2992 | 2524 | f76e08f.exe | 31 | 2 |
| PID 2992 wrote to memory of 2476 | 2992 | rundll32.exe | 33 | 4 |
| PID 2992 wrote to memory of 2676 | 2992 | rundll32.exe | 34 | 4 |
| PID 2524 wrote to memory of 1100 | 2524 | f76e08f.exe | 19 | 1 |
| PID 2524 wrote to memory of 1152 | 2524 | f76e08f.exe | 20 | 1 |
| PID 2524 wrote to memory of 1176 | 2524 | f76e08f.exe | 21 | 1 |
| PID 2524 wrote to memory of 1264 | 2524 | f76e08f.exe | 25 | 1 |
| PID 2524 wrote to memory of 2476 | 2524 | f76e08f.exe | 33 | 2 |
| PID 2524 wrote to memory of 2676 | 2524 | f76e08f.exe | 34 | 2 |
| PID 2676 wrote to memory of 1100 | 2676 | f76fbbd.exe | 19 | 1 |
| PID 2676 wrote to memory of 1152 | 2676 | f76fbbd.exe | 20 | 1 |
| PID 2676 wrote to memory of 1176 | 2676 | f76fbbd.exe | 21 | 1 |
| PID 2676 wrote to memory of 1264 | 2676 | f76fbbd.exe | 25 | 1 |

System policy modification (1 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fbbd.exe |
Processes

Each entry gives the image path, the command line, the tree depth reported by the sandbox, the PID, and the signatures attributed to that process. Children are indented under their parent.

- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth: 1, PID: 1100
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth: 1, PID: 1152
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 1176
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b74530b9ba525ef08e929979fe655e83c15ebedc0761b95c1d4c15078e0172e.dll,#1
  Depth: 2, PID: 1668
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b74530b9ba525ef08e929979fe655e83c15ebedc0761b95c1d4c15078e0172e.dll,#1
    Depth: 3, PID: 2992
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76e08f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76e08f.exe
      Depth: 4, PID: 2524
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76e2c1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76e2c1.exe
      Depth: 4, PID: 2476
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76fbbd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76fbbd.exe
      Depth: 4, PID: 2676
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1, PID: 1264
Network
MITRE ATT&CK Enterprise v15

Counts in parentheses are the number of matching signatures per technique.

- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 53239066b64723ce758297b26bf6428c
  SHA1: 41567950f91a1595f6c2bd34aac3edc2e6d8e29d
  SHA256: 257b552d18f8191fe8d5b59d893afa6321a750758832d42be4843bfaeab76137
  SHA512: 6e11f9cc7c8382368736b8d3c4649f347d6bd26ee6c6e1026bf3216a33e174c1376fcdf668f4d1b96b51b09379a6434a1659e3eda53db998eed5549b00448bee
- Filesize: 97KB
  MD5: a09d0ba589d1449401ab5c5ccd6444b5
  SHA1: 912bb5415ae96df2098ee7a91e97b446955bed23
  SHA256: b70dea45044f2ffd31d8a880b551202948de6d831a457ccb75e03d8613da1fed
  SHA512: aaeaf8867773bdeacfd0173b60e021545b86c710d85d6d484cec1dde3bdf86cafe8b5ffc29f1cd026ee2b16e0c8e719bf99713939ae5726a57cd570f6ded4fb0