Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 05:04
Static task
static1
Behavioral task
behavioral1
Sample
fdf0e5b020cd294e97e5c983c84c742428cc1071684d23e6a6e8c9d0c66e4b28N.dll
Resource
win7-20240903-en
General
-
Target
fdf0e5b020cd294e97e5c983c84c742428cc1071684d23e6a6e8c9d0c66e4b28N.dll
-
Size
120KB
-
MD5
c59671ec62f385ed57472752b4544a00
-
SHA1
5a3222912561c89bbb05c99ab0260babeab96c9d
-
SHA256
fdf0e5b020cd294e97e5c983c84c742428cc1071684d23e6a6e8c9d0c66e4b28
-
SHA512
c94faa92d8194e6b0cd44e0eb89803e6a07c50dc2cafc4aaae6db67de540a819d5957a807d366ac98aba3bfc0406b6eb8ba39c8e4ffd3033ccc74991f3fe76db
-
SSDEEP
3072:1VaQc7YLD0OHwM2mq349baISXXaRT+5oWj:s4AOHwMW34ZI+YoW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76f46d.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d8b3.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d8b3.exe -
Executes dropped EXE 3 IoCs
pid Process 1840 f76d8b3.exe 2736 f76da0a.exe 2456 f76f46d.exe -
Loads dropped DLL 6 IoCs
pid Process 2136 rundll32.exe 2136 rundll32.exe 2136 rundll32.exe 2136 rundll32.exe 2136 rundll32.exe 2136 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f46d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f46d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76f46d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76d8b3.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f46d.exe -
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: f76d8b3.exe File opened (read-only) \??\J: f76d8b3.exe File opened (read-only) \??\L: f76d8b3.exe File opened (read-only) \??\R: f76d8b3.exe File opened (read-only) \??\E: f76d8b3.exe File opened (read-only) \??\H: f76d8b3.exe File opened (read-only) \??\Q: f76d8b3.exe File opened (read-only) \??\S: f76d8b3.exe File opened (read-only) \??\T: f76d8b3.exe File opened (read-only) \??\G: f76d8b3.exe File opened (read-only) \??\K: f76d8b3.exe File opened (read-only) \??\M: f76d8b3.exe File opened (read-only) \??\E: f76f46d.exe File opened (read-only) \??\G: f76f46d.exe File opened (read-only) \??\N: f76d8b3.exe File opened (read-only) \??\O: f76d8b3.exe File opened (read-only) \??\P: f76d8b3.exe -
resource yara_rule behavioral1/memory/1840-16-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-18-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-13-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-14-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-20-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-21-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-19-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-17-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-15-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-22-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-61-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-62-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-63-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-64-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-65-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-67-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-68-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-85-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-87-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-89-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/1840-156-0x0000000000680000-0x000000000173A000-memory.dmp upx behavioral1/memory/2456-172-0x00000000009B0000-0x0000000001A6A000-memory.dmp upx behavioral1/memory/2456-214-0x00000000009B0000-0x0000000001A6A000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\f76d8f1 f76d8b3.exe File opened for modification C:\Windows\SYSTEM.INI f76d8b3.exe File created C:\Windows\f7728b6 f76f46d.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76d8b3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76f46d.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1840 f76d8b3.exe 1840 f76d8b3.exe 2456 f76f46d.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 1840 f76d8b3.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe Token: SeDebugPrivilege 2456 f76f46d.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2384 wrote to memory of 2136 2384 rundll32.exe 31 PID 2136 wrote to memory of 1840 2136 rundll32.exe 32 PID 2136 wrote to memory of 1840 2136 rundll32.exe 32 PID 2136 wrote to memory of 1840 2136 rundll32.exe 32 PID 2136 wrote to memory of 1840 2136 rundll32.exe 32 PID 1840 wrote to memory of 1080 1840 f76d8b3.exe 18 PID 1840 wrote to memory of 1088 1840 f76d8b3.exe 19 PID 1840 wrote to memory of 1156 1840 f76d8b3.exe 20 PID 1840 wrote to memory of 468 1840 f76d8b3.exe 25 PID 1840 wrote to memory of 2384 1840 f76d8b3.exe 30 PID 1840 wrote to memory of 2136 1840 f76d8b3.exe 31 PID 1840 wrote to memory of 2136 1840 f76d8b3.exe 31 PID 2136 wrote to memory of 2736 2136 rundll32.exe 33 PID 2136 wrote to memory of 2736 2136 rundll32.exe 33 PID 2136 wrote to memory of 2736 2136 rundll32.exe 33 PID 2136 wrote to memory of 2736 2136 rundll32.exe 33 PID 2136 wrote to memory of 2456 2136 rundll32.exe 34 PID 2136 wrote to memory of 2456 2136 rundll32.exe 34 PID 2136 wrote to memory of 2456 2136 rundll32.exe 34 PID 2136 wrote to memory of 2456 2136 rundll32.exe 34 PID 1840 wrote to memory of 1080 1840 f76d8b3.exe 18 PID 1840 wrote to memory of 1088 1840 f76d8b3.exe 19 PID 1840 wrote to memory of 1156 1840 f76d8b3.exe 20 PID 1840 wrote to memory of 468 1840 f76d8b3.exe 25 PID 1840 wrote to memory of 2736 1840 f76d8b3.exe 33 PID 1840 wrote to memory of 2736 1840 f76d8b3.exe 33 PID 1840 wrote to memory of 2456 1840 f76d8b3.exe 34 PID 1840 wrote to memory of 2456 1840 f76d8b3.exe 34 PID 2456 wrote to memory of 1080 2456 f76f46d.exe 18 PID 2456 wrote to memory of 1088 2456 f76f46d.exe 19 PID 2456 wrote to memory of 1156 2456 f76f46d.exe 20 PID 2456 wrote to memory of 468 2456 f76f46d.exe 25 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d8b3.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f46d.exe
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1080
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1088
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1156
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fdf0e5b020cd294e97e5c983c84c742428cc1071684d23e6a6e8c9d0c66e4b28N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fdf0e5b020cd294e97e5c983c84c742428cc1071684d23e6a6e8c9d0c66e4b28N.dll,#13⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\f76d8b3.exeC:\Users\Admin\AppData\Local\Temp\f76d8b3.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\f76da0a.exeC:\Users\Admin\AppData\Local\Temp\f76da0a.exe4⤵
- Executes dropped EXE
PID:2736
-
-
C:\Users\Admin\AppData\Local\Temp\f76f46d.exeC:\Users\Admin\AppData\Local\Temp\f76f46d.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:468
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD5f7061dea279c45fd9bba59d3a467a1bf
SHA1f83ac75a8baf3a086a494b1253aedf47c6a592b5
SHA256cbbff3559151c3229f4fcb6d0591d12bde776230a7a186a5954e30523fe240af
SHA5124bab9f627d362fb6841ec8f50bc40dc5c09ec15858ab35a306bdcc28e6ecc994619dfceb876207bc40336afd5e66f7157ed8a7a96bdffbebfbfcee7cfebfed81
-
Filesize
97KB
MD5d0f0188ff00e0af16ac796c8fe62404d
SHA1b41943df0049f0a2dc5385627055cdbffc0678aa
SHA256443659c41f012d0a0d0c12e03766a61033df262e7e28c3ef38bbad1f90ef9ff0
SHA512cad504fb0cd0036e7e4a919f25a186640ad20ac970c74189efe69f5322a6127ea73cf20113e1ba08c5f83e50fe2f86413e636a0ae7b0e02cf90a85cee9d46894