Analysis
max time kernel: 26s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 19:50
Static task: static1
Behavioral task: behavioral1
Sample: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Resource: win7-20240708-en
General
Target: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll
Size: 120KB
MD5: 9dc96332f0429dcdf0d5cf740a199d1d
SHA1: ae161f31ffd151782ac230f2d284cefa37a7d893
SHA256: ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e
SHA512: 4eb806fe37abe922c7140247dc6ebf05b2ea86e318219910ac85cf77e280ca4fb5c22a636520c4b062df6a4cb5427b096c6e7431efa91d3a9d53489698d6b491
SSDEEP: 1536:nteWGbTI21kNVKvLOLgtznu/qT5syoj4oygV26nUOVUtsSkqV4PVIDrhC:nubE2a7ZUwqT+bEHgVvUaa463w
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
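Added example (not part of the sandbox report, and not the sandbox's own code): matching proxy log lines against the four extracted URLs. The indicator list is the report's; the log lines are constructed for illustration, their "timestamp client dst_ip url" layout is hypothetical, and the kukutrustnetNNN.info sibling pattern is a hunting assumption that goes beyond the three hosts the config actually contains. The IP-literal URL is additionally matched on the destination address, since the same host answers regardless of path.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The four URLs the sandbox extracted from the sample's Sality configuration.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
]

# Assumption for hunting, not from the report: treat any three-digit
# kukutrustnetNNN.info host as a sibling of the three extracted ones.
SIBLING_HOST = re.compile(r"^kukutrustnet\d{3}\.info$", re.IGNORECASE)

# Constructed proxy log lines (hypothetical format: timestamp client dst_ip url).
PROXY_LOG = """\
2024-12-17T19:51:02Z 10.0.0.23 89.119.67.154 http://89.119.67.154/testo5/
2024-12-17T19:51:03Z 10.0.0.23 203.0.113.9 http://kukutrustnet777.info/home.gif
2024-12-17T19:51:04Z 10.0.0.23 203.0.113.9 http://KUKUTRUSTNET999.info/home.gif
2024-12-17T19:51:05Z 10.0.0.23 89.119.67.154 http://89.119.67.154/other/path
2024-12-17T19:51:06Z 10.0.0.42 198.51.100.7 http://example.com/home.gif
"""


def build_index(urls):
    """Split indicators into (domain hosts -> paths, literal IPs, exact host+path pairs).
    An IP-literal URL is also matched on the destination address, because the
    same host can be reached with any Host header or path."""
    hosts, ips, exact = {}, set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        exact.add((host, parts.path))
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            hosts.setdefault(host, set()).add(parts.path)
    return hosts, ips, exact


def classify(line, index):
    """Strongest verdict for one log line, or None when nothing matches."""
    hosts, ips, exact = index
    _ts, _client, dst_ip, url = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in exact:
        return "exact-url"
    if host in hosts:
        return "c2-host"
    try:
        if ipaddress.ip_address(dst_ip) in ips:
            return "c2-ip"
    except ValueError:
        pass
    if SIBLING_HOST.match(host):
        return "sibling-host"
    return None


def scan(log, urls=C2_URLS):
    """[(timestamp, url, verdict)] for every line that matched an indicator."""
    index = build_index(urls)
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict = classify(line, index)
        if verdict:
            fields = line.split()
            hits.append((fields[0], fields[3], verdict))
    return hits


if __name__ == "__main__":
    for ts, url, verdict in scan(PROXY_LOG):
        print(f"{ts} {verdict:12} {url}")
```

The fourth constructed line hits on destination IP alone even though its path differs from /testo5/, which is the behaviour wanted for an IP-literal indicator; the domain indicators only match on host, so an unrelated site serving a /home.gif (last line) stays clean.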
Signatures (headings shown in square brackets were missing from the extracted tables and are taken from the per-process signature lists under Processes)

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f048.exe

Sality family

[UAC bypass] 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d4bd.exe

[Windows security bypass] 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f048.exe
Executes dropped EXE 3 IoCs
pid | Process
2096 | f76d4bd.exe
2704 | f76d662.exe
3056 | f76f048.exe

Loads dropped DLL 6 IoCs
pid | Process
2320 | rundll32.exe (6 load events, all from the same SysWOW64 rundll32.exe process)

[Windows security modification] 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f048.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f048.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d4bd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f048.exe

[Checks whether UAC is enabled] 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f048.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | f76d4bd.exe
File opened (read-only) | \??\E: | f76f048.exe
File opened (read-only) | \??\E: | f76d4bd.exe
File opened (read-only) | \??\G: | f76d4bd.exe
File opened (read-only) | \??\K: | f76d4bd.exe
File opened (read-only) | \??\I: | f76d4bd.exe
File opened (read-only) | \??\J: | f76d4bd.exe
File opened (read-only) | \??\N: | f76d4bd.exe
File opened (read-only) | \??\S: | f76d4bd.exe
File opened (read-only) | \??\T: | f76d4bd.exe
File opened (read-only) | \??\H: | f76d4bd.exe
File opened (read-only) | \??\L: | f76d4bd.exe
File opened (read-only) | \??\M: | f76d4bd.exe
File opened (read-only) | \??\P: | f76d4bd.exe
File opened (read-only) | \??\Q: | f76d4bd.exe
File opened (read-only) | \??\R: | f76d4bd.exe

UPX-packed memory regions (yara_rule: upx) 24 IoCs
resource | yara_rule
behavioral1/memory/2096-{11,13,14,15,16,17,18,19,20,21,62,63,64,65,66,68,69,84,85,87,106,150}-0x0000000000670000-0x000000000172A000-memory.dmp (22 snapshots of the same region in f76d4bd.exe) | upx
behavioral1/memory/3056-{166,207}-0x0000000000900000-0x00000000019BA000-memory.dmp (2 snapshots of the same region in f76f048.exe) | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76d51a | f76d4bd.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76d4bd.exe
File created | C:\Windows\f77253c | f76f048.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76d4bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f048.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2096 | f76d4bd.exe
2096 | f76d4bd.exe
3056 | f76f048.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2096 | f76d4bd.exe (repeated)
Token: SeDebugPrivilege | 3056 | f76f048.exe (repeated)
All 46 events are SeDebugPrivilege enablements by the two dropped executables; no other privilege was requested.
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | events
PID 388 wrote to memory of 2320 | 388 | rundll32.exe | 31 | 7
PID 2320 wrote to memory of 2096 | 2320 | rundll32.exe | 32 | 4
PID 2096 wrote to memory of 1120 | 2096 | f76d4bd.exe | 19 | 1
PID 2096 wrote to memory of 1164 | 2096 | f76d4bd.exe | 20 | 1
PID 2096 wrote to memory of 1192 | 2096 | f76d4bd.exe | 21 | 1
PID 2096 wrote to memory of 1632 | 2096 | f76d4bd.exe | 25 | 1
PID 2096 wrote to memory of 388 | 2096 | f76d4bd.exe | 30 | 1
PID 2096 wrote to memory of 2320 | 2096 | f76d4bd.exe | 31 | 2
PID 2320 wrote to memory of 2704 | 2320 | rundll32.exe | 33 | 4
PID 2320 wrote to memory of 3056 | 2320 | rundll32.exe | 34 | 4
PID 2096 wrote to memory of 1120 | 2096 | f76d4bd.exe | 19 | 1
PID 2096 wrote to memory of 1164 | 2096 | f76d4bd.exe | 20 | 1
PID 2096 wrote to memory of 1192 | 2096 | f76d4bd.exe | 21 | 1
PID 2096 wrote to memory of 1632 | 2096 | f76d4bd.exe | 25 | 1
PID 2096 wrote to memory of 2704 | 2096 | f76d4bd.exe | 33 | 2
PID 2096 wrote to memory of 3056 | 2096 | f76d4bd.exe | 34 | 2
PID 3056 wrote to memory of 1120 | 3056 | f76f048.exe | 19 | 1
PID 3056 wrote to memory of 1164 | 3056 | f76f048.exe | 20 | 1
PID 3056 wrote to memory of 1192 | 3056 | f76f048.exe | 21 | 1
PID 3056 wrote to memory of 1632 | 3056 | f76f048.exe | 25 | 1
(Rows are in the order recorded; consecutive identical rows are collapsed into the events column.) The writes by 388 and 2320 (rundll32.exe) go into processes they had just created. The writes by 2096 (f76d4bd.exe) and 3056 (f76f048.exe) go into taskhost.exe (1120), Dwm.exe (1164), Explorer.EXE (1192) and DllHost.exe (1632), which neither dropped executable created, as well as into their own parent chain and siblings; see the Processes tree.
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d4bd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f048.exe
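Added example (not part of the sandbox report): evaluating the registry writes listed in the signature tables above against a hardening baseline, so that the same "Set value" rows can be triaged mechanically. The event lines are constructed from the report's own IoCs (same paths, values and writing processes). The baseline, the values a protected Windows 7 host is expected to hold, and the ATT&CK sub-technique each deviation is mapped to are assumptions of this example, not something the sandbox states. Paths are canonicalized so one baseline entry covers both the Wow6432Node and ControlSet001 spellings the sample wrote to.

```python
import re
from dataclasses import dataclass

# Constructed from the report's own "Set value (int)" / "Key created" rows
# (same paths, values and writing processes as the signature tables).
SANDBOX_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76d4bd.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76d4bd.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76d4bd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f048.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f048.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d4bd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76f048.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+?) (\S+)$')


def normalize_path(path: str) -> str:
    """Canonicalize a sandbox registry path: HKLM prefix, CurrentControlSet,
    no WOW64 redirection node, case-folded. One baseline entry then covers the
    32-bit (Wow6432Node) and ControlSet00N spellings the sample actually used."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.IGNORECASE)
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.IGNORECASE)
    return p.lower()


# Assumed hardening baseline (not from the report): expected value on a
# protected host, and the ATT&CK sub-technique a deviation maps to.
_FW = r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
_SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
_RAW_BASELINE = {
    _FW + r"\EnableFirewall": ("1", "Disable or Modify System Firewall (T1562.004)"),
    _FW + r"\DisableNotifications": ("0", "Disable or Modify System Firewall (T1562.004)"),
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA":
        ("1", "Bypass User Account Control (T1548.002)"),
    **{_SC + "\\" + name: ("0", "Disable or Modify Tools (T1562.001)")
       for name in ("AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify")},
}
BASELINE = {normalize_path(k): v for k, v in _RAW_BASELINE.items()}


@dataclass(frozen=True)
class Finding:
    process: str
    path: str
    observed: str
    expected: str
    technique: str


def parse_events(text: str):
    """Yield (kind, canonical_path, value, process); value is None for key creation."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            yield "set", normalize_path(m.group(2)), m.group(3), m.group(4)
            continue
        m = KEY_RE.match(line)
        if m:
            yield "create", normalize_path(m.group(1)), None, m.group(2)


def evaluate(text: str):
    """Return (findings, unbaselined): deviations from the baseline, plus writes
    to keys the baseline does not cover (worth a look, e.g. the Security Center Svc key)."""
    findings, unbaselined = [], []
    for kind, path, value, proc in parse_events(text):
        if kind == "set" and path in BASELINE:
            expected, technique = BASELINE[path]
            if value != expected:
                findings.append(Finding(proc, path, value, expected, technique))
        else:
            unbaselined.append((proc, path))
    return findings, unbaselined


def techniques_by_process(findings):
    """Collapse findings into {process: sorted technique labels} for a triage summary."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.technique)
    return {p: sorted(t) for p, t in out.items()}


if __name__ == "__main__":
    found, extra = evaluate(SANDBOX_EVENTS)
    for f in found:
        print(f"{f.process}: {f.path} = {f.observed} (expected {f.expected}) -> {f.technique}")
    for proc, path in extra:
        print(f"{proc}: unbaselined write to {path}")
```

DoNotAllowExceptions = "0" is deliberately left out of the baseline: it is the stock value, so the write is only interesting in combination with EnableFirewall = "0", and it surfaces in the unbaselined list rather than as a deviation. On a live host the same comparison can be run against values read from the registry instead of sandbox text.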
Processes
(Indentation gives the parent/child relationship; the signature bullets under a process are the ones the sandbox attributed to it. The 64-bit C:\Windows\system32\rundll32.exe that was given the DLL re-launches it under the 32-bit C:\Windows\SysWOW64\rundll32.exe, which is where the drops and the Wow6432Node registry writes originate.)

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1120

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1164

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1192

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1  PID:388
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecde9a0a9f37504f18044d633ded80b13107ab8570e363fec63b82608e9d528e.dll,#1  PID:2320
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f76d4bd.exe  C:\Users\Admin\AppData\Local\Temp\f76d4bd.exe  PID:2096
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76d662.exe  C:\Users\Admin\AppData\Local\Temp\f76d662.exe  PID:2704
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\f76f048.exe  C:\Users\Admin\AppData\Local\Temp\f76f048.exe  PID:3056
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1632
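Added example (not part of the sandbox report): combining the process tree above with the 38 WriteProcessMemory rows from the Signatures section to separate writes a process makes into a child it just spawned from writes into processes it has no creation-time relationship with. Both input lists are constructed from the report's own data; the relation labels (child, ancestor, sibling, unrelated) and the rule that only child writes are the expected loader behaviour are this example's own classification, not the sandbox's.

```python
from collections import Counter

# (pid, parent_pid, image) constructed from the report's Processes tree;
# parent None marks processes the sandbox lists at the top level.
PROCESSES = [
    (1120, None, "taskhost.exe"),
    (1164, None, "Dwm.exe"),
    (1192, None, "Explorer.EXE"),
    (388, None, "rundll32.exe"),
    (2320, 388, "rundll32.exe"),
    (2096, 2320, "f76d4bd.exe"),
    (2704, 2320, "f76d662.exe"),
    (3056, 2320, "f76f048.exe"),
    (1632, None, "DllHost.exe"),
]

# (writer_pid, target_pid) pairs constructed from the report's 38
# "Suspicious use of WriteProcessMemory" rows, in the order recorded.
WRITES = (
    [(388, 2320)] * 7
    + [(2320, 2096)] * 4
    + [(2096, 1120), (2096, 1164), (2096, 1192), (2096, 1632),
       (2096, 388), (2096, 2320), (2096, 2320)]
    + [(2320, 2704)] * 4
    + [(2320, 3056)] * 4
    + [(2096, 1120), (2096, 1164), (2096, 1192), (2096, 1632),
       (2096, 2704), (2096, 2704), (2096, 3056), (2096, 3056)]
    + [(3056, 1120), (3056, 1164), (3056, 1192), (3056, 1632)]
)


def build_index(processes):
    """pid -> (parent_pid, image)."""
    return {pid: (parent, image) for pid, parent, image in processes}


def relation(index, writer, target):
    """How the target relates to the writer in the process tree. 'child' is
    what a loader writing into a process it just spawned looks like; every
    other relation is a write into memory the writer did not create."""
    if index[target][0] == writer:
        return "child"
    p = index[writer][0]
    while p is not None:               # walk the writer's ancestor chain
        if p == target:
            return "ancestor"
        p = index[p][0]
    wp, tp = index[writer][0], index[target][0]
    if wp is not None and wp == tp:
        return "sibling"
    return "unrelated"


def classify_writes(processes, writes):
    """Counter of (writer image, target image, relation) over all write events."""
    idx = build_index(processes)
    return Counter((idx[w][1], idx[t][1], relation(idx, w, t)) for w, t in writes)


def injection_targets(processes, writes):
    """{writer_pid: sorted target images} for every write that is not into a child."""
    idx = build_index(processes)
    out = {}
    for w, t in writes:
        if relation(idx, w, t) != "child":
            out.setdefault(w, set()).add(idx[t][1])
    return {w: sorted(imgs) for w, imgs in out.items()}


if __name__ == "__main__":
    for (src, dst, rel), n in sorted(classify_writes(PROCESSES, WRITES).items()):
        print(f"{src:12} -> {dst:12} {rel:9} x{n}")
    for pid, imgs in injection_targets(PROCESSES, WRITES).items():
        print(f"PID {pid} wrote into non-child processes: {', '.join(imgs)}")
```

Run against the report's data this leaves the two rundll32.exe processes clean (all 19 of their writes are into children they had just started) and attributes the remaining 19 writes to f76d4bd.exe and f76f048.exe, with taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe as the unrelated targets. The child-write exemption is a triage filter, not a clean bill of health: a parent writing into a child it created suspended is exactly how process hollowing looks, so in production the child rows still deserve a check of what was written.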
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1

Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Impair Defenses (T1562): 4
  - Disable or Modify System Firewall (T1562.004): 1
  - Disable or Modify Tools (T1562.001): 3
- Modify Registry (T1112): 5
Downloads

Filesize: 257B
MD5: 8cecba15856b0bd3a1ed7fb60cf3ca93
SHA1: 16d5b8533dce2a178dfacde9eba735e64d4a7e2d
SHA256: 1bf09baa2acc019b414d170fc72fb7193a56a5dd3dbf4c35dfe25ff8b4de5c51
SHA512: c5089266be0eb8f0f5a552227f85319f76a6aa084f72439ef205185357edd223aaea116a57b28e2bb4c4664c4e72839ecbba96f9121095da6e454ef2fcfb084d

Filesize: 97KB
MD5: 7a9f23db544b655b415b2d03244c245b
SHA1: c1df12d309f332801b40a8fe1f229dc455b8e138
SHA256: 8460ffeffa1070169b26cdb8b0551eddea30e0a6ef3a29dd060eaa68a9629e29
SHA512: f919b4c173fe250f78f6493763efa0dbc333b7ca7e557875f687778563fb99251e70798d823a8ce86c21deff9a4ec0d8a6860ef1c1ba44020793d683e919164e