Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 18:22

Static task: static1
Behavioral task: behavioral1
  Sample: dd99f4d2b50d85e626b5792a8dc4b92255df56bb26bbb5f1fa9dfc0e716aa740N.dll
  Resource: win7-20240903-en

General

Target: dd99f4d2b50d85e626b5792a8dc4b92255df56bb26bbb5f1fa9dfc0e716aa740N.dll
Size: 120KB
MD5: ef592a3b9b69390316239bf5d8f11df0
SHA1: ae504a1dc3cb39ca5bb8701384dd160f1e7e852f
SHA256: dd99f4d2b50d85e626b5792a8dc4b92255df56bb26bbb5f1fa9dfc0e716aa740
SHA512: 0167362e1db5e6ea2f1b12116a99cc96fdd13824616836f7346d77ea6c34d547f6922797298fa45deb14e2191d0d0250fc01c5edf3439fbc69dfd95de723be78
SSDEEP: 1536:BHJPA12494n6e7Gt4nZvIbl9g+9SeJglqe3w52SBfLyMBzp8y0Tj9EEAo:BZuvWGt4Ib/hMAiqM4Bf2W3do
Malware Config

Extracted family: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a90b.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c497.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c497.exe

Executes dropped EXE  (3 IoCs)
pid | Process
2112 | f76a90b.exe
2792 | f76aa91.exe
2696 | f76c497.exe

Loads dropped DLL  (6 IoCs)
pid | Process
1576 | rundll32.exe
1576 | rundll32.exe
1576 | rundll32.exe
1576 | rundll32.exe
1576 | rundll32.exe
1576 | rundll32.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a90b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c497.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c497.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c497.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c497.exe
Enumerates connected drives  (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76a90b.exe
File opened (read-only) | \??\J: | f76a90b.exe
File opened (read-only) | \??\N: | f76a90b.exe
File opened (read-only) | \??\T: | f76a90b.exe
File opened (read-only) | \??\G: | f76a90b.exe
File opened (read-only) | \??\Q: | f76a90b.exe
File opened (read-only) | \??\G: | f76c497.exe
File opened (read-only) | \??\H: | f76a90b.exe
File opened (read-only) | \??\K: | f76a90b.exe
File opened (read-only) | \??\M: | f76a90b.exe
File opened (read-only) | \??\O: | f76a90b.exe
File opened (read-only) | \??\P: | f76a90b.exe
File opened (read-only) | \??\R: | f76a90b.exe
File opened (read-only) | \??\E: | f76c497.exe
File opened (read-only) | \??\I: | f76a90b.exe
File opened (read-only) | \??\L: | f76a90b.exe
File opened (read-only) | \??\S: | f76a90b.exe
UPX packed file
resource | yara_rule
behavioral1/memory/2112-11-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-15-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-18-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-20-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-13-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-21-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-19-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-17-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-16-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-14-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-60-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-59-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-61-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-62-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-63-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-65-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-66-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-83-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-84-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-87-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-105-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-107-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2112-146-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
behavioral1/memory/2696-158-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
behavioral1/memory/2696-199-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
Drops file in Windows directory  (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f76a90b.exe
File created | C:\Windows\f76f97c | f76c497.exe
File created | C:\Windows\f76a959 | f76a90b.exe
System Location Discovery: System Language Discovery  (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a90b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c497.exe
Suspicious behavior: EnumeratesProcesses  (3 IoCs)
pid | Process
2112 | f76a90b.exe
2112 | f76a90b.exe
2696 | f76c497.exe
Suspicious use of AdjustPrivilegeToken  (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2112 | f76a90b.exe  (repeated)
Token: SeDebugPrivilege | 2696 | f76c497.exe  (repeated)
All 46 rows are identical SeDebugPrivilege adjustments split between these two processes.
Suspicious use of WriteProcessMemory  (38 IoCs)
description | pid | Process | procid_target
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 2560 wrote to memory of 1576 | 2560 | rundll32.exe | 30
PID 1576 wrote to memory of 2112 | 1576 | rundll32.exe | 31
PID 1576 wrote to memory of 2112 | 1576 | rundll32.exe | 31
PID 1576 wrote to memory of 2112 | 1576 | rundll32.exe | 31
PID 1576 wrote to memory of 2112 | 1576 | rundll32.exe | 31
PID 2112 wrote to memory of 1124 | 2112 | f76a90b.exe | 19
PID 2112 wrote to memory of 1192 | 2112 | f76a90b.exe | 20
PID 2112 wrote to memory of 1272 | 2112 | f76a90b.exe | 21
PID 2112 wrote to memory of 1268 | 2112 | f76a90b.exe | 25
PID 2112 wrote to memory of 2560 | 2112 | f76a90b.exe | 29
PID 2112 wrote to memory of 1576 | 2112 | f76a90b.exe | 30
PID 2112 wrote to memory of 1576 | 2112 | f76a90b.exe | 30
PID 1576 wrote to memory of 2792 | 1576 | rundll32.exe | 32
PID 1576 wrote to memory of 2792 | 1576 | rundll32.exe | 32
PID 1576 wrote to memory of 2792 | 1576 | rundll32.exe | 32
PID 1576 wrote to memory of 2792 | 1576 | rundll32.exe | 32
PID 1576 wrote to memory of 2696 | 1576 | rundll32.exe | 33
PID 1576 wrote to memory of 2696 | 1576 | rundll32.exe | 33
PID 1576 wrote to memory of 2696 | 1576 | rundll32.exe | 33
PID 1576 wrote to memory of 2696 | 1576 | rundll32.exe | 33
PID 2112 wrote to memory of 1124 | 2112 | f76a90b.exe | 19
PID 2112 wrote to memory of 1192 | 2112 | f76a90b.exe | 20
PID 2112 wrote to memory of 1272 | 2112 | f76a90b.exe | 21
PID 2112 wrote to memory of 1268 | 2112 | f76a90b.exe | 25
PID 2112 wrote to memory of 2792 | 2112 | f76a90b.exe | 32
PID 2112 wrote to memory of 2792 | 2112 | f76a90b.exe | 32
PID 2112 wrote to memory of 2696 | 2112 | f76a90b.exe | 33
PID 2112 wrote to memory of 2696 | 2112 | f76a90b.exe | 33
PID 2696 wrote to memory of 1124 | 2696 | f76c497.exe | 19
PID 2696 wrote to memory of 1192 | 2696 | f76c497.exe | 20
PID 2696 wrote to memory of 1272 | 2696 | f76c497.exe | 21
PID 2696 wrote to memory of 1268 | 2696 | f76c497.exe | 25
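The WriteProcessMemory table lists every cross-process write the sandbox saw, and that includes the writes a parent makes into a child it is creating (process parameters, environment), which are not suspicious on their own. The rows that matter are the writes by the dropped f76a90b.exe and f76c497.exe into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, processes neither of them created. The following added example (not part of the report or of any sandbox's code) rebuilds the process tree from the Processes section below and splits the write pairs into parent-to-child writes, writes into long-lived system processes, and other cross-tree writes. The set of image names treated as "system host" processes is an assumption of the example, as is the reduction of the 38 rows to unique writer/target pairs.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid parent name")

# Constructed from the Processes section of this report: pid, parent pid
# (None for the depth-1 processes, whose parent the report does not show), image.
PROCESSES = [
    Proc(1124, None, "taskhost.exe"),
    Proc(1192, None, "Dwm.exe"),
    Proc(1272, None, "Explorer.EXE"),
    Proc(1268, None, "DllHost.exe"),
    Proc(2560, None, "rundll32.exe"),
    Proc(1576, 2560, "rundll32.exe"),
    Proc(2112, 1576, "f76a90b.exe"),
    Proc(2792, 1576, "f76aa91.exe"),
    Proc(2696, 1576, "f76c497.exe"),
]

# Constructed from the WriteProcessMemory rows above, reduced to unique
# (writer pid, target pid) pairs; the repeat count is not needed here.
WRITE_EVENTS = [
    (2560, 1576), (1576, 2112), (2112, 1124), (2112, 1192), (2112, 1272),
    (2112, 1268), (2112, 2560), (2112, 1576), (1576, 2792), (1576, 2696),
    (2112, 2792), (2112, 2696), (2696, 1124), (2696, 1192), (2696, 1272),
    (2696, 1268),
]

# Assumption of this example: long-lived Windows processes that malware commonly
# hosts code in. A write into one of these from an unrelated process is the
# strongest signal in the table.
SYSTEM_HOSTS = {"explorer.exe", "taskhost.exe", "dwm.exe", "dllhost.exe"}

PARENT_CHILD = "parent-child"
SYSTEM_INJECTION = "system-process-injection"
CROSS_TREE = "cross-tree"


def build_tree(procs):
    """Index the process list by pid."""
    return {p.pid: p for p in procs}


def classify_writes(tree, events):
    """Label every (writer, target) pair.

    parent-child: the target is the writer's direct child; process creation
      writes into the new child and is not by itself suspicious.
    system-process-injection: the target is an unrelated system host process.
    cross-tree: any other write into a process the writer did not create
      (its parent, a sibling, an ancestor).
    """
    verdicts = {}
    for writer, target in events:
        t = tree[target]
        if t.parent == writer:
            verdicts[(writer, target)] = PARENT_CHILD
        elif t.name.lower() in SYSTEM_HOSTS:
            verdicts[(writer, target)] = SYSTEM_INJECTION
        else:
            verdicts[(writer, target)] = CROSS_TREE
    return verdicts


def injectors(tree, events):
    """Images that wrote into at least one system host process, with their targets."""
    hits = {}
    for (writer, target), verdict in classify_writes(tree, events).items():
        if verdict == SYSTEM_INJECTION:
            hits.setdefault(tree[writer].name, set()).add(tree[target].name)
    return hits


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    for (w, t), v in classify_writes(tree, WRITE_EVENTS).items():
        print(f"{tree[w].name}({w}) -> {tree[t].name}({t}): {v}")
    print(injectors(tree, WRITE_EVENTS))
```

Run against this report's rows, the four rundll32-to-child writes come out as parent-child, the eight writes from 2112 and 2696 into the four system processes come out as injection, and the writes from 2112 back into its parent 1576, into 2560, and into its siblings 2792 and 2696 are the remaining cross-tree cases worth a second look.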
System policy modification  (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a90b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c497.exe
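The registry signatures above (firewall policy, UAC bypass, Windows security bypass and modification, system policy modification) all come down to a short list of value writes: EnableFirewall and DoNotAllowExceptions set to 0, DisableNotifications set to 1, EnableLUA set to 0, and the Security Center *Override and *DisableNotify values set to 1. The following added example (not part of the report or of any sandbox's code) parses rows in the report's own layout and evaluates them against that list, so the same check can be run over rows exported from another report or over a host's own registry. The sample rows are taken from the tables above except the last one, which is invented to show that a process writing EnableLUA back to 1 is not flagged; the "FirewallPolicy" match is deliberately wider than StandardProfile so the DomainProfile and PublicProfile variants, which this sample did not touch, are caught too. The ATT&CK IDs are the standard ones for the techniques the report's ATT&CK section names.

```python
import re
from collections import defaultdict

# Constructed sample input in the layout of this report's signature tables:
# <description> <registry path> = "<value>" <process>, one row per line.
SAMPLE_RECORDS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76a90b.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76a90b.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c497.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a90b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c497.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76a90b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76a90b.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" setup.exe
"""
# The setup.exe row is invented (re-enabling UAC) and must not be flagged.

RECORD_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)$'
)

# (key fragment, value name, value that weakens the defence, finding, ATT&CK technique)
DEFENSE_IMPAIRMENT = [
    ("FirewallPolicy", "EnableFirewall", "0", "host firewall disabled", "T1562.004"),
    ("FirewallPolicy", "DoNotAllowExceptions", "0", "firewall exceptions allowed", "T1562.004"),
    ("FirewallPolicy", "DisableNotifications", "1", "firewall notifications suppressed", "T1562.004"),
    ("Policies\\System", "EnableLUA", "0", "UAC disabled", "T1548.002"),
    ("Security Center", "AntiVirusOverride", "1", "Security Center AV state overridden", "T1562.001"),
    ("Security Center", "FirewallOverride", "1", "Security Center firewall state overridden", "T1562.001"),
    ("Security Center", "AntiVirusDisableNotify", "1", "AV warnings suppressed", "T1562.001"),
    ("Security Center", "FirewallDisableNotify", "1", "firewall warnings suppressed", "T1562.001"),
    ("Security Center", "UpdatesDisableNotify", "1", "update warnings suppressed", "T1562.001"),
    ("Security Center", "UacDisableNotify", "1", "UAC warnings suppressed", "T1562.001"),
]


def parse_records(text):
    """Parse one IoC row per line; refuse a line that does not fit the layout."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        records.append(m.groupdict())
    return records


def classify(path, value):
    """Return (finding, technique) if this path/value pair weakens a defence, else None."""
    key, _, name = path.rpartition("\\")
    key_l, name_l = key.lower(), name.lower()
    for fragment, value_name, bad_value, finding, technique in DEFENSE_IMPAIRMENT:
        if fragment.lower() in key_l and name_l == value_name.lower() and value == bad_value:
            return finding, technique
    return None


def findings_by_process(records):
    """Map each process to the set of defences its writes weakened."""
    out = defaultdict(set)
    for r in records:
        hit = classify(r["path"], r["value"])
        if hit:
            out[r["process"]].add(hit[0])
    return dict(out)


def techniques_by_process(records):
    """Map each process to the ATT&CK sub-techniques its writes evidence.
    Every hit is also a registry modification (T1112), which is how the
    report's ATT&CK section counts them."""
    out = defaultdict(set)
    for r in records:
        hit = classify(r["path"], r["value"])
        if hit:
            out[r["process"]].update({hit[1], "T1112"})
    return dict(out)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for proc, found in sorted(findings_by_process(recs).items()):
        print(f"{proc}: {', '.join(sorted(found))}")
```

The check keys on the pair of value name and written value rather than on the key path alone, because the same keys are written legitimately (Group Policy, the Security Center service itself); only the values that turn a protection off are evidence of impairment.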
Processes

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1124

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1192

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1272

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd99f4d2b50d85e626b5792a8dc4b92255df56bb26bbb5f1fa9dfc0e716aa740N.dll,#1 | PID:2560
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd99f4d2b50d85e626b5792a8dc4b92255df56bb26bbb5f1fa9dfc0e716aa740N.dll,#1 | PID:1576
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f76a90b.exe | C:\Users\Admin\AppData\Local\Temp\f76a90b.exe | PID:2112
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76aa91.exe | C:\Users\Admin\AppData\Local\Temp\f76aa91.exe | PID:2792
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\f76c497.exe | C:\Users\Admin\AppData\Local\Temp\f76c497.exe | PID:2696
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1268
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: 898e8369de18242df138d9155151bca0
SHA1: faed9fbbe779d759a2bc5abdae3b02c54c213fcb
SHA256: c859d9b8ddcc310ceb647be549123bca77c9cb1d792bf3508cf57f79cc309c4a
SHA512: b9254ab9abfb70b6aab592c943992c8726f7733462d236badb0a3a43cac4dc3e84a8b36aa555f8f3924a7ce27162c90c23feed91179e7147b70f824ef3fcc2fc

Filesize: 97KB
MD5: 3229e5fd6f89ef823fcc4d70cc9f3ece
SHA1: aa9e498b365891f893f64e7643c440a65107f9e5
SHA256: 40f1752cc468baa0c6275d107df617e13c6d421710bdb18d81087ffaef3662e1
SHA512: 136760d409e23121904ff71b7177ec4d5d0aacc42dd877aeeaadb2ff3ab9a7bf85ccea4d441c4e683ee57cccc2d83fb2e7edfbab8ccc63b38e821405e2a1a498