Analysis
max time kernel: 85s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 21:22
Static task: static1
Behavioral task: behavioral1
Sample: 8e637b6a9aaf1498626cbb15b66a14dcf6c46abb48d500ff0a21fee9245eb52d.dll
Resource: win7-20240903-en
General
Target: 8e637b6a9aaf1498626cbb15b66a14dcf6c46abb48d500ff0a21fee9245eb52d.dll
Size: 120KB
MD5: 182db204f6a386abacdcd9a26cda860c
SHA1: 86a6f3baddf63a891937b370adee8359f1412fdf
SHA256: 8e637b6a9aaf1498626cbb15b66a14dcf6c46abb48d500ff0a21fee9245eb52d
SHA512: fca5f2ab615dc6194cbe74e0618e8da5bee550509563a1f87ee71730ebae74cb42448e5363b4084ab8d06ae424c739ebc13c1c4f30ff45227e4ad020fe70f23e
SSDEEP: 3072:shTeRa1aq0mP4Laf1I3pXrzYjYE3wr1JIyp:shTqOavfZbcTk1JIA
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f770474.exe
Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f770474.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e060.exe
Executes dropped EXE (3 IoCs)
pid | Process
2068 | f76e060.exe
2868 | f76e1f6.exe
2248 | f770474.exe

Loads dropped DLL (6 IoCs)
pid | Process
1660 | rundll32.exe (6 identical entries)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f770474.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f770474.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e060.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f770474.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | f76e060.exe
File opened (read-only) | \??\G: | f770474.exe
File opened (read-only) | \??\K: | f76e060.exe
File opened (read-only) | \??\O: | f76e060.exe
File opened (read-only) | \??\E: | f770474.exe
File opened (read-only) | \??\I: | f770474.exe
File opened (read-only) | \??\E: | f76e060.exe
File opened (read-only) | \??\N: | f76e060.exe
File opened (read-only) | \??\L: | f76e060.exe
File opened (read-only) | \??\P: | f76e060.exe
File opened (read-only) | \??\I: | f76e060.exe
File opened (read-only) | \??\J: | f76e060.exe
File opened (read-only) | \??\M: | f76e060.exe
File opened (read-only) | \??\H: | f770474.exe
File opened (read-only) | \??\G: | f76e060.exe
File opened (read-only) | \??\H: | f76e060.exe

resource | yara_rule
behavioral1/memory/2068-{11,13,14,15,16,17,18,19,20,21,61,62,63,64,65,67,68,84,104,106,108,152}-0x00000000006E0000-0x000000000179A000-memory.dmp | upx (22 snapshots of the same region)
behavioral1/memory/2248-173-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/2248-212-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f7730d0 | f770474.exe
File created | C:\Windows\f76e0ce | f76e060.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76e060.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e060.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f770474.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2068 | f76e060.exe
2068 | f76e060.exe
2248 | f770474.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2068 | f76e060.exe (repeated entries)
Token: SeDebugPrivilege | 2248 | f770474.exe (repeated entries)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2280 wrote to memory of 1660 | 2280 | rundll32.exe | 31 (×7)
PID 1660 wrote to memory of 2068 | 1660 | rundll32.exe | 32 (×4)
PID 2068 wrote to memory of 1116 | 2068 | f76e060.exe | 19
PID 2068 wrote to memory of 1168 | 2068 | f76e060.exe | 20
PID 2068 wrote to memory of 1224 | 2068 | f76e060.exe | 21
PID 2068 wrote to memory of 1336 | 2068 | f76e060.exe | 23
PID 2068 wrote to memory of 2280 | 2068 | f76e060.exe | 30
PID 2068 wrote to memory of 1660 | 2068 | f76e060.exe | 31 (×2)
PID 1660 wrote to memory of 2868 | 1660 | rundll32.exe | 33 (×4)
PID 1660 wrote to memory of 2248 | 1660 | rundll32.exe | 34 (×4)
PID 2068 wrote to memory of 1116 | 2068 | f76e060.exe | 19
PID 2068 wrote to memory of 1168 | 2068 | f76e060.exe | 20
PID 2068 wrote to memory of 1224 | 2068 | f76e060.exe | 21
PID 2068 wrote to memory of 1336 | 2068 | f76e060.exe | 23
PID 2068 wrote to memory of 2868 | 2068 | f76e060.exe | 33 (×2)
PID 2068 wrote to memory of 2248 | 2068 | f76e060.exe | 34 (×2)
PID 2248 wrote to memory of 1116 | 2248 | f770474.exe | 19
PID 2248 wrote to memory of 1168 | 2248 | f770474.exe | 20
PID 2248 wrote to memory of 1224 | 2248 | f770474.exe | 21
PID 2248 wrote to memory of 1336 | 2248 | f770474.exe | 23

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e060.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f770474.exe
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1116

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1168

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1224

C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e637b6a9aaf1498626cbb15b66a14dcf6c46abb48d500ff0a21fee9245eb52d.dll,#1  PID:2280
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e637b6a9aaf1498626cbb15b66a14dcf6c46abb48d500ff0a21fee9245eb52d.dll,#1  PID:1660
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\f76e060.exe  C:\Users\Admin\AppData\Local\Temp\f76e060.exe  PID:2068
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    C:\Users\Admin\AppData\Local\Temp\f76e1f6.exe  C:\Users\Admin\AppData\Local\Temp\f76e1f6.exe  PID:2868
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\f770474.exe  C:\Users\Admin\AppData\Local\Temp\f770474.exe  PID:2248
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1336
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: e7913e106e0eb68257bafcffe4038960
SHA1: 4db431107c9f1c7e7d9a3d008aaf307989502ae6
SHA256: 09966d9328e2e0d0e663f9a7a29c9a6cd436277ed27835a33c37a2f9ec699670
SHA512: eb4dc30529c5576ff75d2ad6f0db115ec9c0c3cbc168c0901f311b3521061a0fb8510db94c1b767e42463a94a13324636aaf745153480c0d7ab67d9df90664b2

Filesize: 257B
MD5: 3a853484b34c8d3eb917f2b1f419791d
SHA1: f302c5529b49ec9e0265fcd21d408dcd4f0c42ea
SHA256: b01ba374bc529d7caca789553c690db5bca169efd0672cb2402c7062952fdbff
SHA512: 91a6fd1da858f4cc82503682a5a8d66eed1f7e1bdb522752bec482846864cf4660afa54911df0d9202b739b2df7db9d63898afd79e995b38f3008f8a24cb3d60