Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 00:25
Static task: static1
Behavioral task: behavioral1
- Sample: a338a47e555ce3b6df0223777d4a7c9886dabb83dbb31a2d70b2618d63e9110d.dll
- Resource: win7-20240903-en
General
- Target: a338a47e555ce3b6df0223777d4a7c9886dabb83dbb31a2d70b2618d63e9110d.dll
- Size: 120KB
- MD5: c850d056cc0d91ca955cdf7ccca4ac59
- SHA1: 705496d93152c25d6f4b0ddaa07fd1048e924ffa
- SHA256: a338a47e555ce3b6df0223777d4a7c9886dabb83dbb31a2d70b2618d63e9110d
- SHA512: 3fe54507833c2b3d3f2791cf7d15d14811caf576d4e7df0cec13d238b19a439d1ad2d56ea3c4049389b02c7069379d13df98c2fba641f7265e8e731dd37a1612
- SSDEEP: 3072:1VaQc7YLD0OHwM2mq349baISXXaRT+5oWjB:s4AOHwMW34ZI+YoW1
Malware Config
Extracted (family: sality)
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c301.exe

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c301.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c301.exe

Executes dropped EXE (3 IoCs)
pid | Process
1364 | f76a737.exe
3020 | f76a988.exe
2700 | f76c301.exe

Loads dropped DLL (6 IoCs)
pid | Process
2516 | rundll32.exe (6 entries)

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c301.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a737.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c301.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c301.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c301.exe

Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | f76a737.exe
File opened (read-only) | \??\N: | f76a737.exe
File opened (read-only) | \??\Q: | f76a737.exe
File opened (read-only) | \??\L: | f76a737.exe
File opened (read-only) | \??\R: | f76a737.exe
File opened (read-only) | \??\E: | f76a737.exe
File opened (read-only) | \??\G: | f76a737.exe
File opened (read-only) | \??\H: | f76a737.exe
File opened (read-only) | \??\J: | f76a737.exe
File opened (read-only) | \??\P: | f76a737.exe
File opened (read-only) | \??\T: | f76a737.exe
File opened (read-only) | \??\G: | f76c301.exe
File opened (read-only) | \??\E: | f76c301.exe
File opened (read-only) | \??\K: | f76a737.exe
File opened (read-only) | \??\M: | f76a737.exe
File opened (read-only) | \??\O: | f76a737.exe
File opened (read-only) | \??\S: | f76a737.exe

Yara rule matches (upx)
resource | yara_rule
behavioral1/memory/1364-18-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-20-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-22-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-23-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-21-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-24-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-26-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-19-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-17-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-25-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-64-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-65-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-66-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-68-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-67-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-70-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-71-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-85-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-87-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-89-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-91-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-92-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1364-156-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/3020-162-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2700-187-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx
behavioral1/memory/2700-215-0x0000000000A80000-0x0000000001B3A000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76a776 | f76a737.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76a737.exe
File created | C:\Windows\f76f8b1 | f76c301.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a737.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c301.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1364 | f76a737.exe
1364 | f76a737.exe
2700 | f76c301.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1364 | f76a737.exe (24 entries)
Token: SeDebugPrivilege | 2700 | f76c301.exe (22 entries)

Suspicious use of WriteProcessMemory (38 IoCs; consecutive identical entries are collapsed with their count)
description | pid | Process | procid_target
PID 2548 wrote to memory of 2516 | 2548 | rundll32.exe | 30 (7 entries)
PID 2516 wrote to memory of 1364 | 2516 | rundll32.exe | 31 (4 entries)
PID 1364 wrote to memory of 1072 | 1364 | f76a737.exe | 18
PID 1364 wrote to memory of 1156 | 1364 | f76a737.exe | 20
PID 1364 wrote to memory of 1192 | 1364 | f76a737.exe | 21
PID 1364 wrote to memory of 316 | 1364 | f76a737.exe | 25
PID 1364 wrote to memory of 2548 | 1364 | f76a737.exe | 29
PID 1364 wrote to memory of 2516 | 1364 | f76a737.exe | 30 (2 entries)
PID 2516 wrote to memory of 3020 | 2516 | rundll32.exe | 32 (4 entries)
PID 2516 wrote to memory of 2700 | 2516 | rundll32.exe | 33 (4 entries)
PID 1364 wrote to memory of 1072 | 1364 | f76a737.exe | 18
PID 1364 wrote to memory of 1156 | 1364 | f76a737.exe | 20
PID 1364 wrote to memory of 1192 | 1364 | f76a737.exe | 21
PID 1364 wrote to memory of 316 | 1364 | f76a737.exe | 25
PID 1364 wrote to memory of 3020 | 1364 | f76a737.exe | 32 (2 entries)
PID 1364 wrote to memory of 2700 | 1364 | f76a737.exe | 33 (2 entries)
PID 2700 wrote to memory of 1072 | 2700 | f76c301.exe | 18
PID 2700 wrote to memory of 1156 | 2700 | f76c301.exe | 20
PID 2700 wrote to memory of 1192 | 2700 | f76c301.exe | 21
PID 2700 wrote to memory of 316 | 2700 | f76c301.exe | 25

System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a737.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c301.exe
Processes
- C:\Windows\system32\taskhost.exe (PID 1072)
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (PID 1156)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1192)
  command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\rundll32.exe (PID 2548)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a338a47e555ce3b6df0223777d4a7c9886dabb83dbb31a2d70b2618d63e9110d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2516)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a338a47e555ce3b6df0223777d4a7c9886dabb83dbb31a2d70b2618d63e9110d.dll,#1
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76a737.exe (PID 1364)
      command line: C:\Users\Admin\AppData\Local\Temp\f76a737.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76a988.exe (PID 3020)
      command line: C:\Users\Admin\AppData\Local\Temp\f76a988.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76c301.exe (PID 2700)
      command line: C:\Users\Admin\AppData\Local\Temp\f76c301.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (PID 316)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 256B
  MD5: 4a8a8bdf30ca86c6002d6db121d3157f
  SHA1: b470d16a14259f1c6db9c1c41cd1510c6c117db4
  SHA256: 0591bcefdd4f012c0fcf0fa919cd94fb1c39c17cf5910b8997be5a098c9cba17
  SHA512: 2bf53377530c98f41740c266eeedce280e9b9769b779dbd81d4f85fc8f48b473d44c3d357b19023aeeba5a149818f78dead38f2ff8d060452dc5e47edd7a711c
- Filesize: 97KB
  MD5: d0f0188ff00e0af16ac796c8fe62404d
  SHA1: b41943df0049f0a2dc5385627055cdbffc0678aa
  SHA256: 443659c41f012d0a0d0c12e03766a61033df262e7e28c3ef38bbad1f90ef9ff0
  SHA512: cad504fb0cd0036e7e4a919f25a186640ad20ac970c74189efe69f5322a6127ea73cf20113e1ba08c5f83e50fe2f86413e636a0ae7b0e02cf90a85cee9d46894