Analysis

max time kernel: 84s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 22:26

Static task: static1
Behavioral task: behavioral1
Sample: 17afab41ce7c42e19997f1b00d38676028752594c41e8975cf033f4d8641a2a6.dll
Resource: win7-20240729-en
General

Target: 17afab41ce7c42e19997f1b00d38676028752594c41e8975cf033f4d8641a2a6.dll
Size: 120KB
MD5: e5727499423bad7385bc6015935f0c3e
SHA1: 3f9c731f3a59adec1f6fb92ca3b1d0d4b94b6826
SHA256: 17afab41ce7c42e19997f1b00d38676028752594c41e8975cf033f4d8641a2a6
SHA512: 887314f5ede720fb6b439fa280c2a2594210a478934ff022be0c63148bd154010102d956eed8c55b551d63ebc7c5caa5afa4ccb8a09bce56e183b12435aa12c7
SSDEEP: 3072:/Rd1YU0RnXLo0SmMGZSubsbenBdKbCe2HH:ZdjQnXLkmpaeBU+e2n
Malware Config

Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f781fa1.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f781fa1.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f781fa1.exe
Executes dropped EXE (3 IoCs)
pid | Process
3032 | f7803a9.exe
2656 | f780741.exe
1660 | f781fa1.exe
Loads dropped DLL (6 IoCs)
pid | Process
2164 | rundll32.exe
2164 | rundll32.exe
2164 | rundll32.exe
2164 | rundll32.exe
2164 | rundll32.exe
2164 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7803a9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f781fa1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7803a9.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7803a9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f781fa1.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | f7803a9.exe
File opened (read-only) | \??\G: | f7803a9.exe
File opened (read-only) | \??\I: | f7803a9.exe
File opened (read-only) | \??\J: | f7803a9.exe
File opened (read-only) | \??\T: | f7803a9.exe
File opened (read-only) | \??\O: | f7803a9.exe
File opened (read-only) | \??\R: | f7803a9.exe
File opened (read-only) | \??\S: | f7803a9.exe
File opened (read-only) | \??\N: | f7803a9.exe
File opened (read-only) | \??\P: | f7803a9.exe
File opened (read-only) | \??\Q: | f7803a9.exe
File opened (read-only) | \??\E: | f781fa1.exe
File opened (read-only) | \??\E: | f7803a9.exe
File opened (read-only) | \??\H: | f7803a9.exe
File opened (read-only) | \??\M: | f7803a9.exe
File opened (read-only) | \??\L: | f7803a9.exe
YARA rule matches in memory dumps (rule: upx)
resource | yara_rule
behavioral1/memory/3032-11-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-15-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-16-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-13-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-17-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-21-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-20-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-19-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-18-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-14-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-59-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-60-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-61-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-63-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-62-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-66-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-67-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-81-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-83-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-85-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-86-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/3032-157-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/1660-167-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/1660-213-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f780426 | f7803a9.exe
File opened for modification | C:\Windows\SYSTEM.INI | f7803a9.exe
File created | C:\Windows\f7856d7 | f781fa1.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7803a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f781fa1.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3032 | f7803a9.exe
3032 | f7803a9.exe
1660 | f781fa1.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3032 | f7803a9.exe (21 identical entries)
Token: SeDebugPrivilege | 1660 | f781fa1.exe (21 identical entries)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 1308 wrote to memory of 2164 | 1308 | rundll32.exe | 29
PID 2164 wrote to memory of 3032 | 2164 | rundll32.exe | 30
PID 2164 wrote to memory of 3032 | 2164 | rundll32.exe | 30
PID 2164 wrote to memory of 3032 | 2164 | rundll32.exe | 30
PID 2164 wrote to memory of 3032 | 2164 | rundll32.exe | 30
PID 3032 wrote to memory of 1096 | 3032 | f7803a9.exe | 18
PID 3032 wrote to memory of 1152 | 3032 | f7803a9.exe | 19
PID 3032 wrote to memory of 1196 | 3032 | f7803a9.exe | 20
PID 3032 wrote to memory of 1240 | 3032 | f7803a9.exe | 22
PID 3032 wrote to memory of 1308 | 3032 | f7803a9.exe | 28
PID 3032 wrote to memory of 2164 | 3032 | f7803a9.exe | 29
PID 3032 wrote to memory of 2164 | 3032 | f7803a9.exe | 29
PID 2164 wrote to memory of 2656 | 2164 | rundll32.exe | 31
PID 2164 wrote to memory of 2656 | 2164 | rundll32.exe | 31
PID 2164 wrote to memory of 2656 | 2164 | rundll32.exe | 31
PID 2164 wrote to memory of 2656 | 2164 | rundll32.exe | 31
PID 2164 wrote to memory of 1660 | 2164 | rundll32.exe | 32
PID 2164 wrote to memory of 1660 | 2164 | rundll32.exe | 32
PID 2164 wrote to memory of 1660 | 2164 | rundll32.exe | 32
PID 2164 wrote to memory of 1660 | 2164 | rundll32.exe | 32
PID 3032 wrote to memory of 1096 | 3032 | f7803a9.exe | 18
PID 3032 wrote to memory of 1152 | 3032 | f7803a9.exe | 19
PID 3032 wrote to memory of 1196 | 3032 | f7803a9.exe | 20
PID 3032 wrote to memory of 1240 | 3032 | f7803a9.exe | 22
PID 3032 wrote to memory of 2656 | 3032 | f7803a9.exe | 31
PID 3032 wrote to memory of 2656 | 3032 | f7803a9.exe | 31
PID 3032 wrote to memory of 1660 | 3032 | f7803a9.exe | 32
PID 3032 wrote to memory of 1660 | 3032 | f7803a9.exe | 32
PID 1660 wrote to memory of 1096 | 1660 | f781fa1.exe | 18
PID 1660 wrote to memory of 1152 | 1660 | f781fa1.exe | 19
PID 1660 wrote to memory of 1196 | 1660 | f781fa1.exe | 20
PID 1660 wrote to memory of 1240 | 1660 | f781fa1.exe | 22
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f781fa1.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7803a9.exe
Processes

C:\Windows\system32\taskhost.exe [depth 1, PID 1096]
    command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe [depth 1, PID 1152]
    command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE [depth 1, PID 1196]
    command line: C:\Windows\Explorer.EXE

  C:\Windows\system32\rundll32.exe [depth 2, PID 1308]
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\17afab41ce7c42e19997f1b00d38676028752594c41e8975cf033f4d8641a2a6.dll,#1
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe [depth 3, PID 2164]
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\17afab41ce7c42e19997f1b00d38676028752594c41e8975cf033f4d8641a2a6.dll,#1
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f7803a9.exe [depth 4, PID 3032]
          command line: C:\Users\Admin\AppData\Local\Temp\f7803a9.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

      C:\Users\Admin\AppData\Local\Temp\f780741.exe [depth 4, PID 2656]
          command line: C:\Users\Admin\AppData\Local\Temp\f780741.exe
          - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\f781fa1.exe [depth 4, PID 1660]
          command line: C:\Users\Admin\AppData\Local\Temp\f781fa1.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\DllHost.exe [depth 1, PID 1240]
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: af2e86d19713e6b6dbb7502807cae9c4
SHA1: 3367138dc5895aa4a40487cc90ddcf6335449336
SHA256: b81e518b33c44f309a96d31a00735b20e1075f4714212a9f74b8eae5ae0dc1a9
SHA512: d5c0b3a75585703ba9fa8d05ecd8c853574503193d8ccff99bf9ae687712ab2d44875d4dd67cb76689b20b53654b7c10eeb62e160cf40c215d5ebcc31207614a

Filesize: 97KB
MD5: 454e22d08f8c5d18d2ce72ca55782c40
SHA1: 717c9f420c9e8a55658f5a974c8d0e89fa544754
SHA256: 31591c9d984f7f3d72bc78cfabb8f800f4b7361724393109738491c68c58d43b
SHA512: 47736fd71837268bb3f2a3a8b52037d7d5f174af6b2442f521b541fbf844efc184da96742844b947645679656771e5f189d0639b38c7ab2e332e1ddd910568f0