Analysis

- max time kernel: 27s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 00:39

Static task: static1

Behavioral task: behavioral1
- Sample: 1ba0b14bb4f0bb279164d473b897108251e0d6128447c48d7005b948846339b6N.dll
- Resource: win7-20241010-en
General

- Target: 1ba0b14bb4f0bb279164d473b897108251e0d6128447c48d7005b948846339b6N.dll
- Size: 120KB
- MD5: 80e0d158b42e48eece20ff1bdfe67da0
- SHA1: 8e180a35599f7c31a15408e9c891646037e3563b
- SHA256: 1ba0b14bb4f0bb279164d473b897108251e0d6128447c48d7005b948846339b6
- SHA512: 79b31b33203ec8861384fb09ccc0e7cb5dd2db003930fa0992a983e8c3f6c124f79372da266593d2f7a20a1be09f1868f9fb6c4a5d523dbf8e12a3f760996795
- SSDEEP: 1536:4RbFheFGVax37zNxA9Eobg04n/bQ6PS/ZVY/o7S5PEGIx5DKf2hCHLSG3D7Ydxbj:4ReUV2PATubQbY/5cJTDR3FXCtJ
Malware Config

Extracted family: sality

URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" by f768891.exe
Sality family

UAC bypass (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f768891.exe

Windows security bypass (12 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by f766ca8.exe
Executes dropped EXE (3 IoCs)
- PID 2984 f766ca8.exe
- PID 2548 f766fb4.exe
- PID 2424 f768891.exe
Loads dropped DLL (6 IoCs)
- PID 2836 rundll32.exe (6 occurrences)

Windows security modification (14 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by f766ca8.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by f768891.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" by f768891.exe

Checks whether UAC is enabled (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f768891.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f766ca8.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E: by f766ca8.exe
- File opened (read-only) \??\O: by f766ca8.exe
- File opened (read-only) \??\R: by f766ca8.exe
- File opened (read-only) \??\S: by f766ca8.exe
- File opened (read-only) \??\I: by f766ca8.exe
- File opened (read-only) \??\J: by f766ca8.exe
- File opened (read-only) \??\L: by f766ca8.exe
- File opened (read-only) \??\P: by f766ca8.exe
- File opened (read-only) \??\E: by f768891.exe
- File opened (read-only) \??\G: by f766ca8.exe
- File opened (read-only) \??\H: by f766ca8.exe
- File opened (read-only) \??\K: by f766ca8.exe
- File opened (read-only) \??\M: by f766ca8.exe
- File opened (read-only) \??\N: by f766ca8.exe
- File opened (read-only) \??\Q: by f766ca8.exe

Memory dumps matching yara rule upx (23 IoCs)
- behavioral1/memory/2984-13-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-16-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-19-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-22-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-21-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-20-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-18-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-17-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-15-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-14-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-59-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-60-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-61-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-62-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-63-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-66-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-67-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-81-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-85-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-86-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2984-151-0x00000000005E0000-0x000000000169A000-memory.dmp (upx)
- behavioral1/memory/2424-168-0x0000000000910000-0x00000000019CA000-memory.dmp (upx)
- behavioral1/memory/2424-206-0x0000000000910000-0x00000000019CA000-memory.dmp (upx)
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\f766cf6 by f766ca8.exe
- File opened for modification C:\Windows\SYSTEM.INI by f766ca8.exe
- File created C:\Windows\f76bf0b by f768891.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f766ca8.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f768891.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2984 f766ca8.exe
- PID 2984 f766ca8.exe
- PID 2424 f768891.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
- Token: SeDebugPrivilege, PID 2984 f766ca8.exe (repeated)
- Token: SeDebugPrivilege, PID 2424 f768891.exe (repeated)
Suspicious use of WriteProcessMemory (38 IoCs)
- PID 2944 (rundll32.exe) wrote to memory of PID 2836, procid_target 30 (7 times)
- PID 2836 (rundll32.exe) wrote to memory of PID 2984, procid_target 31 (4 times)
- PID 2984 (f766ca8.exe) wrote to memory of PID 1112, procid_target 19
- PID 2984 (f766ca8.exe) wrote to memory of PID 1160, procid_target 20
- PID 2984 (f766ca8.exe) wrote to memory of PID 1196, procid_target 21
- PID 2984 (f766ca8.exe) wrote to memory of PID 276, procid_target 25
- PID 2984 (f766ca8.exe) wrote to memory of PID 2944, procid_target 29
- PID 2984 (f766ca8.exe) wrote to memory of PID 2836, procid_target 30 (2 times)
- PID 2836 (rundll32.exe) wrote to memory of PID 2548, procid_target 32 (4 times)
- PID 2836 (rundll32.exe) wrote to memory of PID 2424, procid_target 33 (4 times)
- PID 2984 (f766ca8.exe) wrote to memory of PID 1112, procid_target 19
- PID 2984 (f766ca8.exe) wrote to memory of PID 1160, procid_target 20
- PID 2984 (f766ca8.exe) wrote to memory of PID 1196, procid_target 21
- PID 2984 (f766ca8.exe) wrote to memory of PID 276, procid_target 25
- PID 2984 (f766ca8.exe) wrote to memory of PID 2548, procid_target 32 (2 times)
- PID 2984 (f766ca8.exe) wrote to memory of PID 2424, procid_target 33 (2 times)
- PID 2424 (f768891.exe) wrote to memory of PID 1112, procid_target 19
- PID 2424 (f768891.exe) wrote to memory of PID 1160, procid_target 20
- PID 2424 (f768891.exe) wrote to memory of PID 1196, procid_target 21
- PID 2424 (f768891.exe) wrote to memory of PID 276, procid_target 25
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f766ca8.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" by f768891.exe
Processes

- C:\Windows\system32\taskhost.exe, command line "taskhost.exe", PID 1112
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe", PID 1160
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE, PID 1196
  - C:\Windows\system32\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ba0b14bb4f0bb279164d473b897108251e0d6128447c48d7005b948846339b6N.dll,#1, PID 2944
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ba0b14bb4f0bb279164d473b897108251e0d6128447c48d7005b948846339b6N.dll,#1, PID 2836
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f766ca8.exe, command line C:\Users\Admin\AppData\Local\Temp\f766ca8.exe, PID 2984
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f766fb4.exe, command line C:\Users\Admin\AppData\Local\Temp\f766fb4.exe, PID 2548
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f768891.exe, command line C:\Users\Admin\AppData\Local\Temp\f768891.exe, PID 2424
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 276
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  - MD5: 7f75ebee5474f53663d89793f844a1fb
  - SHA1: 47714dfd2c996551a6f626703cfe176fad734e0f
  - SHA256: 890196202cca7f472e227eb854886e123283ad13899128113564dad9a05ca7c7
  - SHA512: 3ea4b8b8412717d85b455fc7ce7eabec7c18ffbc37aa31ea01169f6fcfe42dc10cb4b5720ac1ab3afc6dd0e581a6f19b04098b28a2dc54e5c1181e09d7ccdc35
- Filesize: 257B
  - MD5: 1a492ce2d368abfd1fe83bb19a59b078
  - SHA1: 88d2550ecc2dd7289504b3786fb70bfe5c6f4c81
  - SHA256: 68220cef4651b3a4fabebc87e03c72f805ffb01e2c1d11380704e97f293e64af
  - SHA512: a5ddce285251af276decaed41926542fcc870973c7e38975686d83bc4993d46c6226d332286f3292322e00045809a754d3b48c538021d011824e527ae48c26c8