Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 17-12-2024 19:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 800c8aac7537c1fc3575bcfbc5674bbc1f36db8603f881ecf93003f8a6356dc8.dll
- Resource: win7-20241010-en
General
- Target: 800c8aac7537c1fc3575bcfbc5674bbc1f36db8603f881ecf93003f8a6356dc8.dll
- Size: 120KB
- MD5: 4cbec605e5ed1d3462d4a5b4b53db003
- SHA1: c208ab93c731fab60cad427f47e2c1267dfb3b76
- SHA256: 800c8aac7537c1fc3575bcfbc5674bbc1f36db8603f881ecf93003f8a6356dc8
- SHA512: 9c6d01073bf6d6f203e396454385442d11fa8b977486e4bb8f9c1ff88043d42ea05c4d9bf0c9fcf95f11950030f0b26c0d0938a967e23d10e872f66ed01abdb4
- SSDEEP: 3072:gWF3SyZKlBuPwFY8EyRQcxLuwypnRXO0Hj+la8cdx:FS2wFY7bcxqvDX1ala3
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description / ioc / Process
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f766cc7.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f766cc7.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f768881.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f768881.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f768881.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f766cc7.exe)

Sality family

description / ioc / Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766cc7.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768881.exe)

description / ioc / Process
All values below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- Set value (int) AntiVirusOverride = "1" (f766cc7.exe)
- Set value (int) AntiVirusDisableNotify = "1" (f766cc7.exe)
- Set value (int) UpdatesDisableNotify = "1" (f766cc7.exe)
- Set value (int) UacDisableNotify = "1" (f766cc7.exe)
- Set value (int) FirewallDisableNotify = "1" (f768881.exe)
- Set value (int) FirewallOverride = "1" (f768881.exe)
- Set value (int) FirewallDisableNotify = "1" (f766cc7.exe)
- Set value (int) FirewallOverride = "1" (f766cc7.exe)
- Set value (int) AntiVirusOverride = "1" (f768881.exe)
- Set value (int) AntiVirusDisableNotify = "1" (f768881.exe)
- Set value (int) UpdatesDisableNotify = "1" (f768881.exe)
- Set value (int) UacDisableNotify = "1" (f768881.exe)
Executes dropped EXE (3 IoCs)
pid / Process
- 2980 f766cc7.exe
- 1648 f766f95.exe
- 2600 f768881.exe

Loads dropped DLL (6 IoCs)
pid / Process
- 2836 rundll32.exe (6 identical entries)

description / ioc / Process
All keys and values below are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\:
- Set value (int) AntiVirusDisableNotify = "1" (f768881.exe)
- Set value (int) UacDisableNotify = "1" (f768881.exe)
- Set value (int) AntiVirusDisableNotify = "1" (f766cc7.exe)
- Set value (int) AntiVirusOverride = "1" (f766cc7.exe)
- Set value (int) UacDisableNotify = "1" (f766cc7.exe)
- Key created Svc (f766cc7.exe)
- Set value (int) AntiVirusOverride = "1" (f768881.exe)
- Set value (int) FirewallDisableNotify = "1" (f768881.exe)
- Set value (int) FirewallOverride = "1" (f768881.exe)
- Set value (int) UpdatesDisableNotify = "1" (f768881.exe)
- Key created Svc (f768881.exe)
- Set value (int) FirewallDisableNotify = "1" (f766cc7.exe)
- Set value (int) UpdatesDisableNotify = "1" (f766cc7.exe)
- Set value (int) FirewallOverride = "1" (f766cc7.exe)

description / ioc / Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766cc7.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768881.exe)
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process
- File opened (read-only) \??\J: (f766cc7.exe)
- File opened (read-only) \??\K: (f766cc7.exe)
- File opened (read-only) \??\E: (f766cc7.exe)
- File opened (read-only) \??\L: (f766cc7.exe)
- File opened (read-only) \??\S: (f766cc7.exe)
- File opened (read-only) \??\H: (f766cc7.exe)
- File opened (read-only) \??\M: (f766cc7.exe)
- File opened (read-only) \??\N: (f766cc7.exe)
- File opened (read-only) \??\P: (f766cc7.exe)
- File opened (read-only) \??\R: (f766cc7.exe)
- File opened (read-only) \??\G: (f766cc7.exe)
- File opened (read-only) \??\I: (f766cc7.exe)
- File opened (read-only) \??\O: (f766cc7.exe)
- File opened (read-only) \??\Q: (f766cc7.exe)
- File opened (read-only) \??\E: (f768881.exe)
Drops file in Windows directory (3 IoCs)
description / ioc / Process
- File created C:\Windows\f766d25 (f766cc7.exe)
- File opened for modification C:\Windows\SYSTEM.INI (f766cc7.exe)
- File created C:\Windows\f76bf49 (f768881.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f766cc7.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f768881.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid / Process
- 2980 f766cc7.exe
- 2980 f766cc7.exe
- 2600 f768881.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description / pid / Process
- Token: SeDebugPrivilege, 2980 f766cc7.exe (repeated identical entries)
- Token: SeDebugPrivilege, 2600 f768881.exe (repeated identical entries)

Suspicious use of WriteProcessMemory (38 IoCs)
description / pid / Process / procid_target (unique entries; the report lists several verbatim repeats of each)
- PID 2340 wrote to memory of 2836, rundll32.exe, target 30
- PID 2836 wrote to memory of 2980, rundll32.exe, target 31
- PID 2980 wrote to memory of 1112, f766cc7.exe, target 19
- PID 2980 wrote to memory of 1160, f766cc7.exe, target 20
- PID 2980 wrote to memory of 1196, f766cc7.exe, target 21
- PID 2980 wrote to memory of 276, f766cc7.exe, target 25
- PID 2980 wrote to memory of 2340, f766cc7.exe, target 29
- PID 2980 wrote to memory of 2836, f766cc7.exe, target 30
- PID 2836 wrote to memory of 1648, rundll32.exe, target 32
- PID 2836 wrote to memory of 2600, rundll32.exe, target 33
- PID 2980 wrote to memory of 1648, f766cc7.exe, target 32
- PID 2980 wrote to memory of 2600, f766cc7.exe, target 33
- PID 2600 wrote to memory of 1112, f768881.exe, target 19
- PID 2600 wrote to memory of 1160, f768881.exe, target 20
- PID 2600 wrote to memory of 1196, f768881.exe, target 21
- PID 2600 wrote to memory of 276, f768881.exe, target 25
System policy modification (1 TTPs, 2 IoCs)
description / ioc / Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766cc7.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768881.exe)
Processes
(the number in brackets is the process tree depth as shown in the report)

[1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
    PID: 1112

[1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"
    PID: 1160

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1196

[2] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\800c8aac7537c1fc3575bcfbc5674bbc1f36db8603f881ecf93003f8a6356dc8.dll,#1
    PID: 2340
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\800c8aac7537c1fc3575bcfbc5674bbc1f36db8603f881ecf93003f8a6356dc8.dll,#1
        PID: 2836
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [4] C:\Users\Admin\AppData\Local\Temp\f766cc7.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f766cc7.exe
            PID: 2980
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

        [4] C:\Users\Admin\AppData\Local\Temp\f766f95.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f766f95.exe
            PID: 1648
            - Executes dropped EXE

        [4] C:\Users\Admin\AppData\Local\Temp\f768881.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f768881.exe
            PID: 2600
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 276
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

File 1
- Filesize: 257B
- MD5: ee676e52f3bd91728c7d9f862fe648c3
- SHA1: 68641d276a1d9fe84008422e06b677c355becd1d
- SHA256: 4371f7dba1bbb0246a30b9c2228efce9f55969fbbd3a078c4161fc1b3b40b443
- SHA512: 9e03cc634602183a9279c88c0b3edbab3bb515bf68f0729b48f5175d9892f017ebf5e1f384307bf535daddd0a8f48b6f8344c506956ac4593f602a73080db224

File 2
- Filesize: 97KB
- MD5: 83b9c5b449d18aecccc9b1618ed1a1b7
- SHA1: 177746d13fe078d49dbdc9c619f64ca54a2605f5
- SHA256: 23875d8d64491f2af5bb0539d14ebdbb56f472fb2b3ea91859536207b6764e2e
- SHA512: c8047378f3f51dd1ed606537a6e8aa9c8d4910db2dbb67b35527e2b62e93d068164dd567d8eaf581fd53f44696164d12cc9df91543dedbb9592273b13345fe9c