Analysis
max time kernel: 35s
max time network: 67s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 03:05
Static task: static1
Behavioral task: behavioral1
Sample: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Resource: win7-20240903-en
General
Target: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Size: 1.1MB
MD5: dccfa9d28ed1ae89bd574d60aef59970
SHA1: 3da6e8cf97bb4801dc38fb88afed711d954f7d89
SHA256: 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1b
SHA512: 69fde639caa70aa18cb3a026f60b0e5c499ae66c22af8b4191ae35b522370c52677d472766373afc73552cbb640ced7766691f43ba9a4cd4ff8d83ab59f48ce2
SSDEEP: 24576:W1/aGLDCM4D8ayGMCPnXo8/ql8ahCKn+xnjbmf8NRUoNvo2OKVlnFr4sIZjUHt99:FD8ayGM0Xonl84UHmf8NRUoNvo2OKVlJ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Sality family
-
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | odstbl.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | odstbl.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | odstbl.exe
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid | Process
2204 | odstbl.exe
Executes dropped EXE 1 IoCs
pid | Process
2204 | odstbl.exe
Loads dropped DLL 2 IoCs
pid | Process
2168 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
2168 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | odstbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | odstbl.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\odstbl.exe" | odstbl.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | odstbl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
UPX packed file (yara rule: upx) 34 IoCs
resource | yara_rule
behavioral1/memory/2168-N-0x0000000001EC0000-0x0000000002F4E000-memory.dmp for N in 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 23 (13 dumps of the same region in PID 2168) | upx
behavioral1/memory/2204-N-0x0000000002130000-0x00000000031BE000-memory.dmp for N in 38, 42, 50, 51, 52, 53, 54, 59, 60, 73, 74, 94, 95, 99, 100, 131, 139, 140, 172, 174, 179 (21 dumps of the same region in PID 2204) | upx
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE | odstbl.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | odstbl.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2168 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe (1 event)
2204 | odstbl.exe (4 events)
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2168 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe (1 event)
Token: SeDebugPrivilege | 2204 | odstbl.exe (26 events)
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target (the sandbox's internal index of the target process, not its PID)
PID 2168 wrote to memory of 2204 | 2168 | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe | 30 (4 events)
PID 2204 wrote to memory of 1104 | 2204 | odstbl.exe | 19 (4 events)
PID 2204 wrote to memory of 1152 | 2204 | odstbl.exe | 20 (4 events)
PID 2204 wrote to memory of 1188 | 2204 | odstbl.exe | 21 (4 events)
PID 2204 wrote to memory of 1376 | 2204 | odstbl.exe | 23 (4 events)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | odstbl.exe
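The registry rows in the Signatures tables above all share one flattened form, `<op> <path> = "<data>" <process>`, and between them they cover most of what makes this sample a Sality-style defense-impairment case: firewall policy zeroed, EnableLUA=0, Security Center notifications suppressed, regedit disabled, and a Run key pointing at C:\ProgramData\odstbl.exe. The following is an added example, not code from the report or the sandbox vendor: it parses rows in that format, maps each to the ATT&CK sub-technique the report's own MITRE section uses, and summarises the result per process so the same routine can be pointed at another report's tables. The eight sample rows are a constructed subset copied from the tables above; the rule table and the "three or more techniques" threshold in `flag_processes` are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: eight rows copied from the Signatures tables above, one per line,
# in the sandbox's own flattened "<op> <path> = "<data>" <process>" form.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" odstbl.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" odstbl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" odstbl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc odstbl.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" odstbl.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\odstbl.exe" odstbl.exe
"""

# Paths may contain spaces ("Security Center"), so the process name is taken as the
# last whitespace-free token and the path as everything in between.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

# Assumed mapping (this example's own): lower-cased path suffix, data that makes the
# write hostile, and the ATT&CK sub-technique name used in the report's MITRE section.
RULES = [
    (r"firewallpolicy\standardprofile\enablefirewall", "0", "Disable or Modify System Firewall"),
    (r"firewallpolicy\standardprofile\donotallowexceptions", "0", "Disable or Modify System Firewall"),
    (r"firewallpolicy\standardprofile\disablenotifications", "1", "Disable or Modify System Firewall"),
    (r"policies\system\enablelua", "0", "Bypass User Account Control"),
    (r"policies\system\disableregistrytools", "1", "Disable or Modify Tools"),
    (r"security center\antivirusoverride", "1", "Disable or Modify Tools"),
    (r"security center\antivirusdisablenotify", "1", "Disable or Modify Tools"),
    (r"security center\firewalloverride", "1", "Disable or Modify Tools"),
    (r"security center\firewalldisablenotify", "1", "Disable or Modify Tools"),
    (r"security center\uacdisablenotify", "1", "Disable or Modify Tools"),
    (r"security center\updatesdisablenotify", "1", "Disable or Modify Tools"),
]


def parse_ioc(line):
    """Parse one flattened registry IoC row; return a dict or None if it is not one."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return {"op": "set", "type": m.group(1), "path": m.group(2),
                "data": m.group(3), "process": m.group(4)}
    m = KEY_RE.match(line)
    if m:
        return {"op": "key_created", "type": None, "path": m.group(1),
                "data": None, "process": m.group(2)}
    return None


def classify(rec):
    """Map a parsed row to a technique name, or None when no rule covers it."""
    path = rec["path"].lower()
    if rec["op"] == "set" and "\\currentversion\\run\\" in path:
        return "Registry Run Keys / Startup Folder"
    for suffix, hostile_data, technique in RULES:
        if path.endswith(suffix) and rec["data"] == hostile_data:
            return technique
    return None


def triage(text):
    """Group rows by writing process: row count, distinct techniques, and unmapped paths."""
    acc = defaultdict(lambda: {"rows": 0, "techniques": set(), "unmapped": []})
    for rec in filter(None, (parse_ioc(l) for l in text.splitlines())):
        entry = acc[rec["process"]]
        entry["rows"] += 1
        technique = classify(rec)
        if technique:
            entry["techniques"].add(technique)
        else:
            entry["unmapped"].append(rec["path"])   # parsed but not covered by RULES
    return {p: {"rows": e["rows"], "techniques": sorted(e["techniques"]),
                "unmapped": e["unmapped"]} for p, e in acc.items()}


def flag_processes(report, min_techniques=3):
    """Processes touching at least min_techniques distinct defense-impairment techniques."""
    return sorted(p for p, e in report.items() if len(e["techniques"]) >= min_techniques)


if __name__ == "__main__":
    for proc, entry in triage(SAMPLE_IOCS).items():
        print(proc, entry["rows"], entry["techniques"], entry["unmapped"])
    print("flagged:", flag_processes(triage(SAMPLE_IOCS)))
```

Rows the rule table does not cover (here the `Security Center\Svc` key creation) are kept in `unmapped` rather than dropped, so a run over a new report shows what the rules missed instead of silently under-counting.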
Processes (sandbox process tree; the number before each entry is its depth in the tree)

1  C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1104

1  C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1152

1  C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1188

  2  C:\Users\Admin\AppData\Local\Temp\9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe  "C:\Users\Admin\AppData\Local\Temp\9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe"  PID:2168
     - Modifies firewall policy service
     - UAC bypass
     - Windows security bypass
     - Disables RegEdit via registry modification
     - Loads dropped DLL
     - Windows security modification
     - Checks whether UAC is enabled
     - Drops file in Windows directory
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     - System policy modification

    3  C:\ProgramData\odstbl.exe  "C:\ProgramData\odstbl.exe"  PID:2204
       - Modifies firewall policy service
       - UAC bypass
       - Windows security bypass
       - Disables RegEdit via registry modification
       - Deletes itself
       - Executes dropped EXE
       - Windows security modification
       - Adds Run key to start application
       - Checks whether UAC is enabled
       - Drops file in Program Files directory
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       - System policy modification

1  C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1376
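The WriteProcessMemory table and the process tree above together describe the injection pattern: the dropped odstbl.exe (PID 2204) writes into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, each four times, while the original sample only writes into its own child. The following is an added example, not code from the report or the sandbox vendor: it parses "wrote to memory" rows in the report's flattened form, de-duplicates them into source/target edges with counts, and resolves the PIDs through a PID-to-image map built from the tree to flag writes from an image outside C:\Windows into a process whose image lives inside it. The PID map and the five distinct rows are constructed from the tables above (each row repeated four times, as the report lists it); the "Windows directory" heuristic is this example's own assumption and will miss malware that runs from inside C:\Windows.

```python
import re
from collections import Counter

# Constructed from the process tree above: PID -> image path.
PROCESS_TREE = {
    1104: r"C:\Windows\system32\taskhost.exe",
    1152: r"C:\Windows\system32\Dwm.exe",
    1188: r"C:\Windows\Explorer.EXE",
    1376: r"C:\Windows\system32\DllHost.exe",
    2168: r"C:\Users\Admin\AppData\Local\Temp\9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe",
    2204: r"C:\ProgramData\odstbl.exe",
}

# The five distinct rows of the WriteProcessMemory table, in the sandbox's flattened
# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>" form.
# The report lists each of them four times, so the sample repeats the block four times.
_DISTINCT_ROWS = [
    "PID 2168 wrote to memory of 2204 2168 9fec6e7b5afbfa14c042363f8aae7067fe280ada5ba511de1ef9891f08496a1bN.exe 30",
    "PID 2204 wrote to memory of 1104 2204 odstbl.exe 19",
    "PID 2204 wrote to memory of 1152 2204 odstbl.exe 20",
    "PID 2204 wrote to memory of 1188 2204 odstbl.exe 21",
    "PID 2204 wrote to memory of 1376 2204 odstbl.exe 23",
]
SAMPLE_WRITES = ("\n".join(_DISTINCT_ROWS) + "\n") * 4

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_writes(text):
    """Return a Counter of (src_pid, dst_pid) -> number of recorded write events."""
    edges = Counter()
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def is_windows_image(path):
    """Assumed heuristic: treat anything under C:\\Windows\\ as an OS process image."""
    return path.lower().startswith("c:\\windows\\")


def injection_alerts(edges, tree):
    """Flag edges where a non-Windows image writes into a Windows-image process.

    The parent writing into its own freshly spawned child (2168 -> 2204 here) is not
    flagged by this rule; it is reported only through the edge counts.
    """
    alerts = []
    for (src, dst), n in sorted(edges.items()):
        src_img = tree.get(src, "<unknown>")
        dst_img = tree.get(dst, "<unknown>")
        if is_windows_image(dst_img) and not is_windows_image(src_img):
            alerts.append({"src": src, "src_image": src_img,
                           "dst": dst, "target": dst_img, "writes": n})
    return alerts


if __name__ == "__main__":
    edges = parse_writes(SAMPLE_WRITES)
    for (src, dst), n in sorted(edges.items()):
        print(f"{src} -> {dst}: {n} write events")
    for a in injection_alerts(edges, PROCESS_TREE):
        print(f"ALERT {a['src_image']} ({a['src']}) wrote into {a['target']} ({a['dst']}) x{a['writes']}")
```

The four targets are exactly the long-lived user-session processes in the tree (taskhost, DWM, Explorer and the COM surrogate DllHost), which is why memory of those PIDs, not of odstbl.exe alone, is where the unpacked code should be looked for after the dropper deletes itself.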
Network
MITRE ATT&CK Enterprise v15 (signature counts in parentheses)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads

Filesize: 1.1MB
MD5: a9e7f57bd0aa2250831e985092298cc0
SHA1: dfcf3e9f328251d500c900a03a936632e69e8158
SHA256: a8e30fc86e3d5abb1a293a78f34d80792f557a1074d536d9c4fe0d511fea9ac3
SHA512: 8ca82c8b7ff07da7f4703f9bd8227dd44c7eedb42a3b55d958d70bfa3e1f0d42888b6782018c56a2ad476626236e74ada8ac9bedf846775a0b170f036679f49a

Filesize: 557KB
MD5: 6f1656028d98fceaa83d9b6f8cc5459d
SHA1: 7f2e990ad5347f6613683e7efa86f08ebfa9f4a6
SHA256: 2121af2516f030cebfd88efb6b6c195ecc4573cdbc79595253af54970a0a8a9a
SHA512: cc0ede5bd411363d4f6a81e20521af15865decedbfb539702744f8cafc2087533a513f4a7541cb0eb3447411397cd042d00232e9d091a97e09043711379ce71e

Filesize: 522KB
MD5: 6446bbe2addac3f982b578c153b4052e
SHA1: d8959dad9432a64837ce1055e1f7027bae652c6a
SHA256: 772d512687c47d87af5db585360fd029c54696ada86c144b2ebcfc2017a9a67c
SHA512: 8f1ee09ee5b9e79b266483510b2411f1b2fca43131ac06e82c6413eb23a138ad60df0bcb35fda1d2b3eacd5ea66ef907204998ba056aebe3c97f4d15fd1b28d8

Filesize: 255B
MD5: 6ffd6f4353b7e651c7dc619a57f45d91
SHA1: 476917801ba11a578c7b1ca81e7770020a0e10ea
SHA256: ab5ae19ad81fddfe8a563fe357256c452b19d26c4745edc02123dc16b1c8a5c9
SHA512: 1c0e4fc0d37f72b6a9f2ddd95e2fb6f02b7cbc14702f15d163deb8dcf10742fb86b8ff5151d01b95db91b27a57408ba26322607a4e8ebe8e433bb70dde96bb51