Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 01:46
Static task
static1
Behavioral task
behavioral1
Sample
7f062695f926c4e2a1c2fbbb198197e396bd0125448c3386e761142a160bdfb9.dll
Resource
win7-20240903-en
General
Target: 7f062695f926c4e2a1c2fbbb198197e396bd0125448c3386e761142a160bdfb9.dll
Size: 120KB
MD5: 66cd8f7903ebe6b3a6ca48c69b7b5fbd
SHA1: 85386e5417c72d77b90e3d287c88cef92b0253bf
SHA256: 7f062695f926c4e2a1c2fbbb198197e396bd0125448c3386e761142a160bdfb9
SHA512: 62303347daa3b6af61dd2d029efb090ef545ae5f8b30b57e0de5d21b47a550dd586c8db2bcd6d150f808404c9db00d86a2d1c48fc68d1b49a7175bcad124df36
SSDEEP: 1536:BHJPA12494n6e7Gt4nZvIbl9g+9SeJglqe3w52SBfLyMBzp8y0Tj9EEAoP:BZuvWGt4Ib/hMAiqM4Bf2W3doP
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e08f.exe
Sality family
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e08f.exe
Executes dropped EXE 3 IoCs
pid | Process
2420 | f76c4f4.exe
2644 | f76c6a9.exe
2804 | f76e08f.exe
Loads dropped DLL 6 IoCs
pid | Process
1356 | rundll32.exe (6 entries)
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c4f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c4f4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e08f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e08f.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4f4.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: (15 drives) | f76c4f4.exe
File opened (read-only) | \??\E:, \??\G: (2 drives) | f76e08f.exe
Yara rule match: upx 25 IoCs
resource | yara_rule
behavioral1/memory/2420-{14,16,17,18,19,20,21,22,23,24,62,63,64,65,66,68,69,83,85,87,106,108,155}-0x0000000000590000-0x000000000164A000-memory.dmp (23 dumps of PID 2420, same memory region) | upx
behavioral1/memory/2804-{168,211}-0x0000000000900000-0x00000000019BA000-memory.dmp (2 dumps of PID 2804, same memory region) | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f76c4f4.exe
File created | C:\Windows\f771555 | f76e08f.exe
File created | C:\Windows\f76c571 | f76c4f4.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c4f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e08f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2420 | f76c4f4.exe (2 entries)
2804 | f76e08f.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2420 | f76c4f4.exe (repeated)
Token: SeDebugPrivilege | 2804 | f76e08f.exe (repeated)
All 46 entries are SeDebugPrivilege token adjustments by these two processes.
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 1900 wrote to memory of 1356 | 1900 | rundll32.exe | 30 (7 entries)
PID 1356 wrote to memory of 2420 | 1356 | rundll32.exe | 31 (4 entries)
PID 2420 wrote to memory of 1064 | 2420 | f76c4f4.exe | 18
PID 2420 wrote to memory of 1144 | 2420 | f76c4f4.exe | 20
PID 2420 wrote to memory of 1176 | 2420 | f76c4f4.exe | 21
PID 2420 wrote to memory of 2016 | 2420 | f76c4f4.exe | 23
PID 2420 wrote to memory of 1900 | 2420 | f76c4f4.exe | 29
PID 2420 wrote to memory of 1356 | 2420 | f76c4f4.exe | 30 (2 entries)
PID 1356 wrote to memory of 2644 | 1356 | rundll32.exe | 32 (4 entries)
PID 1356 wrote to memory of 2804 | 1356 | rundll32.exe | 34 (4 entries)
PID 2420 wrote to memory of 1064 | 2420 | f76c4f4.exe | 18
PID 2420 wrote to memory of 1144 | 2420 | f76c4f4.exe | 20
PID 2420 wrote to memory of 1176 | 2420 | f76c4f4.exe | 21
PID 2420 wrote to memory of 2016 | 2420 | f76c4f4.exe | 23
PID 2420 wrote to memory of 2644 | 2420 | f76c4f4.exe | 32 (2 entries)
PID 2420 wrote to memory of 2804 | 2420 | f76c4f4.exe | 34 (2 entries)
PID 2804 wrote to memory of 1064 | 2804 | f76e08f.exe | 18
PID 2804 wrote to memory of 1144 | 2804 | f76e08f.exe | 20
PID 2804 wrote to memory of 1176 | 2804 | f76e08f.exe | 21
PID 2804 wrote to memory of 2016 | 2804 | f76e08f.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e08f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4f4.exe
Processes
path | command line | PID
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1064
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1144
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1176
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f062695f926c4e2a1c2fbbb198197e396bd0125448c3386e761142a160bdfb9.dll,#1 | PID:1900
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f062695f926c4e2a1c2fbbb198197e396bd0125448c3386e761142a160bdfb9.dll,#1 | PID:1356
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f76c4f4.exe | C:\Users\Admin\AppData\Local\Temp\f76c4f4.exe | PID:2420
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76c6a9.exe | C:\Users\Admin\AppData\Local\Temp\f76c6a9.exe | PID:2644
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\f76e08f.exe | C:\Users\Admin\AppData\Local\Temp\f76e08f.exe | PID:2804
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2016
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
File 1
Filesize: 257B
MD5: f92e7b3b69d9e50e585bb7d5dae5c31c
SHA1: 9a427e5ab3674f29f04a6dfc6d3f64152225f4d8
SHA256: 616886b72bf0b28a9081bf52274ab9f310707004d4f6ce78ec9ca7d0d1c0146b
SHA512: 1ab13ae59a42d3a6b28ae212b90698cd23240685313f004edb411dca870fd19b9be308a0f8a5f293278acc8a39e5dddbd2707c37ce88f1659fd21b4d71f39214
File 2
Filesize: 97KB
MD5: 3229e5fd6f89ef823fcc4d70cc9f3ece
SHA1: aa9e498b365891f893f64e7643c440a65107f9e5
SHA256: 40f1752cc468baa0c6275d107df617e13c6d421710bdb18d81087ffaef3662e1
SHA512: 136760d409e23121904ff71b7177ec4d5d0aacc42dd877aeeaadb2ff3ab9a7bf85ccea4d441c4e683ee57cccc2d83fb2e7edfbab8ccc63b38e821405e2a1a498