Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 05:26

Static task: static1
Behavioral task: behavioral1
Sample: 82382c213c2c2abe0305f1a7f0cf88621c6e5e7c20c0c4cdc70be8fb2cb82245.dll
Resource: win7-20240903-en
General

Target: 82382c213c2c2abe0305f1a7f0cf88621c6e5e7c20c0c4cdc70be8fb2cb82245.dll
Size: 120KB
MD5: 17ab86fe6265d8314eb31e504e79203d
SHA1: 553a60f2ec87ba976ee1cc0359374464c8a4265c
SHA256: 82382c213c2c2abe0305f1a7f0cf88621c6e5e7c20c0c4cdc70be8fb2cb82245
SHA512: 26363759c4b1f99fc20dd1ecfafa45f3f28c7316e4a1edd2c1eccbdfb77959dcb195fbe3f931ee65b5cf8c72135584af79a876e4eab7a8bbf3598e84ff6e76c2
SSDEEP: 3072:a2yozsdm63aUSxlnBVnRMO2X1YMhpb85kcBfU6a:rym63gxdBVRb2lYMhaFBM
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e8c9.exe
Sality family
-
UAC bypass 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e8c9.exe

Windows security bypass 12 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cd0f.exe
Executes dropped EXE 3 IoCs

pid | Process
2176 | f76cd0f.exe
2604 | f76cfcd.exe
1840 | f76e8c9.exe

Loads dropped DLL 6 IoCs

pid | Process
2252 | rundll32.exe
2252 | rundll32.exe
2252 | rundll32.exe
2252 | rundll32.exe
2252 | rundll32.exe
2252 | rundll32.exe

Windows security modification 14 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e8c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e8c9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e8c9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cd0f.exe

Checks whether UAC is enabled 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e8c9.exe
Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\M: | f76cd0f.exe
File opened (read-only) | \??\J: | f76cd0f.exe
File opened (read-only) | \??\H: | f76cd0f.exe
File opened (read-only) | \??\K: | f76cd0f.exe
File opened (read-only) | \??\E: | f76e8c9.exe
File opened (read-only) | \??\E: | f76cd0f.exe
File opened (read-only) | \??\L: | f76cd0f.exe
File opened (read-only) | \??\O: | f76cd0f.exe
File opened (read-only) | \??\P: | f76cd0f.exe
File opened (read-only) | \??\Q: | f76cd0f.exe
File opened (read-only) | \??\R: | f76cd0f.exe
File opened (read-only) | \??\G: | f76cd0f.exe
File opened (read-only) | \??\N: | f76cd0f.exe
File opened (read-only) | \??\S: | f76cd0f.exe
File opened (read-only) | \??\T: | f76cd0f.exe
File opened (read-only) | \??\I: | f76cd0f.exe

UPX packed file 24 IoCs

resource | yara_rule
behavioral1/memory/2176-13-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-22-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-20-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-16-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-14-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-18-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-15-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-21-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-19-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-17-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-59-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-60-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-61-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-63-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-62-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-65-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-66-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-80-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-83-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-84-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-87-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/2176-152-0x0000000000620000-0x00000000016DA000-memory.dmp | upx
behavioral1/memory/1840-170-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/1840-207-0x0000000000910000-0x00000000019CA000-memory.dmp | upx

Drops file in Windows directory 3 IoCs

description | ioc | Process
File created | C:\Windows\f76cd7c | f76cd0f.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76cd0f.exe
File created | C:\Windows\f771ef6 | f76e8c9.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cd0f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e8c9.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid | Process
2176 | f76cd0f.exe
2176 | f76cd0f.exe
1840 | f76e8c9.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs

description | pid | Process
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 2176 | f76cd0f.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Token: SeDebugPrivilege | 1840 | f76e8c9.exe
Suspicious use of WriteProcessMemory 38 IoCs

description | pid | Process | procid_target
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2228 wrote to memory of 2252 | 2228 | rundll32.exe | 31
PID 2252 wrote to memory of 2176 | 2252 | rundll32.exe | 32
PID 2252 wrote to memory of 2176 | 2252 | rundll32.exe | 32
PID 2252 wrote to memory of 2176 | 2252 | rundll32.exe | 32
PID 2252 wrote to memory of 2176 | 2252 | rundll32.exe | 32
PID 2176 wrote to memory of 1096 | 2176 | f76cd0f.exe | 19
PID 2176 wrote to memory of 1156 | 2176 | f76cd0f.exe | 20
PID 2176 wrote to memory of 1188 | 2176 | f76cd0f.exe | 21
PID 2176 wrote to memory of 1988 | 2176 | f76cd0f.exe | 23
PID 2176 wrote to memory of 2228 | 2176 | f76cd0f.exe | 30
PID 2176 wrote to memory of 2252 | 2176 | f76cd0f.exe | 31
PID 2176 wrote to memory of 2252 | 2176 | f76cd0f.exe | 31
PID 2252 wrote to memory of 2604 | 2252 | rundll32.exe | 33
PID 2252 wrote to memory of 2604 | 2252 | rundll32.exe | 33
PID 2252 wrote to memory of 2604 | 2252 | rundll32.exe | 33
PID 2252 wrote to memory of 2604 | 2252 | rundll32.exe | 33
PID 2252 wrote to memory of 1840 | 2252 | rundll32.exe | 34
PID 2252 wrote to memory of 1840 | 2252 | rundll32.exe | 34
PID 2252 wrote to memory of 1840 | 2252 | rundll32.exe | 34
PID 2252 wrote to memory of 1840 | 2252 | rundll32.exe | 34
PID 2176 wrote to memory of 1096 | 2176 | f76cd0f.exe | 19
PID 2176 wrote to memory of 1156 | 2176 | f76cd0f.exe | 20
PID 2176 wrote to memory of 1188 | 2176 | f76cd0f.exe | 21
PID 2176 wrote to memory of 1988 | 2176 | f76cd0f.exe | 23
PID 2176 wrote to memory of 2604 | 2176 | f76cd0f.exe | 33
PID 2176 wrote to memory of 2604 | 2176 | f76cd0f.exe | 33
PID 2176 wrote to memory of 1840 | 2176 | f76cd0f.exe | 34
PID 2176 wrote to memory of 1840 | 2176 | f76cd0f.exe | 34
PID 1840 wrote to memory of 1096 | 1840 | f76e8c9.exe | 19
PID 1840 wrote to memory of 1156 | 1840 | f76e8c9.exe | 20
PID 1840 wrote to memory of 1188 | 1840 | f76e8c9.exe | 21
PID 1840 wrote to memory of 1988 | 1840 | f76e8c9.exe | 23

System policy modification 1 TTPs 2 IoCs

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cd0f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e8c9.exe
Processes

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1096

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1156

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1188

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82382c213c2c2abe0305f1a7f0cf88621c6e5e7c20c0c4cdc70be8fb2cb82245.dll,#1
    PID: 2228
    Signatures:
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\82382c213c2c2abe0305f1a7f0cf88621c6e5e7c20c0c4cdc70be8fb2cb82245.dll,#1
      PID: 2252
      Signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f76cd0f.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76cd0f.exe
        PID: 2176
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

      C:\Users\Admin\AppData\Local\Temp\f76cfcd.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76cfcd.exe
        PID: 2604
        Signatures:
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\f76e8c9.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76e8c9.exe
        PID: 1840
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1988
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: 45166d13c6018a57305935e7d5ac5a03
SHA1: dae9504bd7351ee3f2bf0d0f7da40841102e1fac
SHA256: 12f7c228490023f46439e03e3f9eeca2a32f2e19cc3c45af840860f693c74a14
SHA512: ad603ab7ede071c0b8c09ac0e1cdab3b7288a23c33fe52ff09b7c44dbf738ead1d909d70c6b76a1302f9430dacaae8101376ab588ec01dc3920057913ed2f50b

Filesize: 97KB
MD5: f0e476ddf083de62372af2df34c40419
SHA1: 8bfc1469a4fac4fde83182bfaabafedc332ab3ad
SHA256: 39971fc5a46dbef79f70e6351c1525378a1a3811fffd2e0e35f516a496d3b536
SHA512: 13cd9c581c4d337a693ab0380b7bf784e3874400e08dbf317c29242e750560ac15a34faeb5c60c2a8424342c71ea8ca2626a49b0b2b73dba9c424f7da5efc5b4