Analysis
max time kernel: 83s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 06:08
Static task: static1
Behavioral task: behavioral1
Sample: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll
Resource: win7-20240708-en
General
Target: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll
Size: 120KB
MD5: bcac25a742dc6b230b7aaf593f22a086
SHA1: dcca2ec364493ce09dc8f443873aabe2c0781682
SHA256: 27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43
SHA512: 80ec85721c6e12b34ce322b907d44819473bda98a01b9e33a94b55351153d1fb8bb17ac40ae82e92b3eb5871bcfc9caf96b8ee70eaa06e599e064f5315575c3c
SSDEEP: 3072:cFmdaG5KraU4n+AIz+EfRSPhWHP63zDH8r:cF0aGlgrf2hWKXW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service   3 TTPs   6 IoCs
description       ioc                                                                                                                          Process
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"   f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"   f76fd52.exe
Sality family

UAC bypass   2 IoCs
description       ioc                                                                                       Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76fd52.exe

Windows security bypass   12 IoCs
description       ioc                                                                                     Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"         f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"         f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"         f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"         f76fd52.exe

Executes dropped EXE   3 IoCs
pid    Process
2500   f76e198.exe
2600   f76e34d.exe
2284   f76fd52.exe

Loads dropped DLL   6 IoCs
pid    Process
2172   rundll32.exe   (6 loads)

Windows security modification   14 IoCs
description       ioc                                                                                     Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"         f76fd52.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                             f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"         f76e198.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc                             f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"         f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"        f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"    f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"     f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"   f76fd52.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"         f76e198.exe

Checks whether UAC is enabled   2 IoCs
description       ioc                                                                                       Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76fd52.exe
Enumerates connected drives   3 TTPs   17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc      Process
File opened (read-only)  \??\T:   f76e198.exe
File opened (read-only)  \??\G:   f76e198.exe
File opened (read-only)  \??\J:   f76e198.exe
File opened (read-only)  \??\M:   f76e198.exe
File opened (read-only)  \??\N:   f76e198.exe
File opened (read-only)  \??\P:   f76e198.exe
File opened (read-only)  \??\Q:   f76e198.exe
File opened (read-only)  \??\R:   f76e198.exe
File opened (read-only)  \??\E:   f76fd52.exe
File opened (read-only)  \??\E:   f76e198.exe
File opened (read-only)  \??\I:   f76e198.exe
File opened (read-only)  \??\L:   f76e198.exe
File opened (read-only)  \??\S:   f76e198.exe
File opened (read-only)  \??\G:   f76fd52.exe
File opened (read-only)  \??\O:   f76e198.exe
File opened (read-only)  \??\H:   f76e198.exe
File opened (read-only)  \??\K:   f76e198.exe
Memory dumps matching yara rule upx   25 IoCs
resource                                                                    yara_rule
behavioral1/memory/2500-{17,18,19,20,21,22,23,24,25,26}-0x00000000005F0000-0x00000000016AA000-memory.dmp   upx
behavioral1/memory/2500-{62,63,64,65,66,68,69}-0x00000000005F0000-0x00000000016AA000-memory.dmp            upx
behavioral1/memory/2500-{84,86,88,108,109,155}-0x00000000005F0000-0x00000000016AA000-memory.dmp            upx
behavioral1/memory/2284-{174,212}-0x0000000000990000-0x0000000001A4A000-memory.dmp                        upx
(PID 2500 is f76e198.exe, 23 dumps of one region; PID 2284 is f76fd52.exe, 2 dumps of one region. The dump ids in braces are the individual resources from the report.)
Drops file in Windows directory   3 IoCs
description                   ioc                      Process
File created                  C:\Windows\f76e1f6       f76e198.exe
File opened for modification  C:\Windows\SYSTEM.INI    f76e198.exe
File created                  C:\Windows\f773247       f76fd52.exe
System Location Discovery: System Language Discovery   1 TTPs   3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f76e198.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   f76fd52.exe
Suspicious behavior: EnumeratesProcesses   3 IoCs
pid    Process
2500   f76e198.exe
2500   f76e198.exe
2284   f76fd52.exe

Suspicious use of AdjustPrivilegeToken   46 IoCs
description                pid    Process       count
Token: SeDebugPrivilege    2500   f76e198.exe   24
Token: SeDebugPrivilege    2284   f76fd52.exe   22
Suspicious use of WriteProcessMemory   38 IoCs
description                        pid    Process        procid_target   count
PID 2756 wrote to memory of 2172   2756   rundll32.exe   31              7
PID 2172 wrote to memory of 2500   2172   rundll32.exe   32              4
PID 2500 wrote to memory of 1048   2500   f76e198.exe    17              1
PID 2500 wrote to memory of 1056   2500   f76e198.exe    18              1
PID 2500 wrote to memory of 1124   2500   f76e198.exe    20              1
PID 2500 wrote to memory of 1472   2500   f76e198.exe    25              1
PID 2500 wrote to memory of 2756   2500   f76e198.exe    30              1
PID 2500 wrote to memory of 2172   2500   f76e198.exe    31              2
PID 2172 wrote to memory of 2600   2172   rundll32.exe   33              4
PID 2172 wrote to memory of 2284   2172   rundll32.exe   34              4
PID 2500 wrote to memory of 1048   2500   f76e198.exe    17              1
PID 2500 wrote to memory of 1056   2500   f76e198.exe    18              1
PID 2500 wrote to memory of 1124   2500   f76e198.exe    20              1
PID 2500 wrote to memory of 1472   2500   f76e198.exe    25              1
PID 2500 wrote to memory of 2600   2500   f76e198.exe    33              2
PID 2500 wrote to memory of 2284   2500   f76e198.exe    34              2
PID 2284 wrote to memory of 1048   2284   f76fd52.exe    17              1
PID 2284 wrote to memory of 1056   2284   f76fd52.exe    18              1
PID 2284 wrote to memory of 1124   2284   f76fd52.exe    20              1
PID 2284 wrote to memory of 1472   2284   f76fd52.exe    25              1
(Rows are listed in report order; repeated identical events are collapsed into the count column.)
System policy modification   1 TTPs   2 IoCs
description       ioc                                                                                       Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76e198.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76fd52.exe
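The registry signatures above all describe one behaviour: the two dropped executables turn UAC off (EnableLUA = 0), turn the standard-profile firewall off (EnableFirewall = 0, DoNotAllowExceptions = 0) and silence Security Center (the *Override and *DisableNotify values). Two caveats for anyone turning this into a detection: all of these are HKLM writes, so the dropper already ran with administrative rights, and the Security Center writes landed under Wow6432Node because the 32-bit droppers (launched from the SysWOW64 rundll32) were subject to WOW64 registry redirection. The following Python is an added example, not the sandbox's own code, that parses "Set value" IoC lines in the format used by this report and flags any process that flips several of these settings. The rule table, the three-setting threshold and the benign "benign_admin.exe" line are assumptions made for the example; the other sample lines are copied from the signatures above.

```python
"""Flag processes that disable UAC, the firewall or Security Center notifications.

Added example for the report above, not tooling from the sandbox. Input is the
'Set value (type) <path> = "<value>" <process>' line format used in the report.
"""
import re

# Case-insensitive registry path suffix -> (value that means "defence impaired", label).
# Value semantics are the documented Windows settings; the suffixes are the keys
# the report shows the droppers writing.
IMPAIRMENT_RULES = {
    r"\policies\system\enablelua": ("0", "UAC disabled"),
    r"\firewallpolicy\standardprofile\enablefirewall": ("0", "firewall disabled"),
    r"\firewallpolicy\standardprofile\donotallowexceptions": ("0", "firewall exceptions allowed"),
    r"\firewallpolicy\standardprofile\disablenotifications": ("1", "firewall notifications off"),
    r"\security center\antivirusoverride": ("1", "AV status override"),
    r"\security center\antivirusdisablenotify": ("1", "AV notifications off"),
    r"\security center\firewalloverride": ("1", "Security Center firewall override"),
    r"\security center\firewalldisablenotify": ("1", "Security Center firewall notifications off"),
    r"\security center\updatesdisablenotify": ("1", "update notifications off"),
    r"\security center\uacdisablenotify": ("1", "UAC notifications off"),
}

# Lazy '.+?' lets the path contain spaces ("Security Center"); it stops at the ' = "' separator.
EVENT_RE = re.compile(
    r'Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<process>\S+)'
)


def parse_registry_events(lines):
    """Return one dict (vtype, path, value, process) per 'Set value' line; other lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_impairments(events):
    """Match each event against IMPAIRMENT_RULES; return (process, path, label) tuples."""
    hits = []
    for ev in events:
        path = ev["path"].lower()
        for suffix, (bad_value, label) in IMPAIRMENT_RULES.items():
            if path.endswith(suffix) and ev["value"] == bad_value:
                hits.append((ev["process"], ev["path"], label))
    return hits


def processes_impairing_defenses(hits, min_distinct=3):
    """Group hits by process and keep those touching at least min_distinct distinct settings.

    The threshold (an assumption for this example) separates the blanket disable seen in the
    report from a single setting being toggled by an administrator or a legitimate installer.
    """
    by_proc = {}
    for process, _path, label in hits:
        by_proc.setdefault(process, set()).add(label)
    return {p: sorted(labels) for p, labels in by_proc.items() if len(labels) >= min_distinct}


# Lines copied from the report's signatures, plus one constructed benign line
# (an admin turning UAC back on) to show the rules do not fire on the opposite value.
SAMPLE_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76e198.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76e198.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76e198.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76e198.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76fd52.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76fd52.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" benign_admin.exe
""".strip().splitlines()


def analyze(lines=SAMPLE_LINES, min_distinct=3):
    """Full pipeline: parse lines, apply rules, return {process: [labels]} for flagged processes."""
    return processes_impairing_defenses(find_impairments(parse_registry_events(lines)), min_distinct)


if __name__ == "__main__":
    for proc, labels in analyze().items():
        print(f"{proc}: {', '.join(labels)}")
```

With the sample input only f76e198.exe crosses the threshold (four distinct settings); f76fd52.exe appears once in the excerpt and is reported only when min_distinct is lowered, and the benign line never matches because EnableLUA = "1" is the secure value. On a live host the same rule table can be applied to Sysmon event ID 13 (RegistryEvent value set) records after normalising the path prefix, since the report's \REGISTRY\MACHINE form corresponds to HKLM.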
Processes
(image path, command line, PID; indentation shows parent/child relationship)

C:\Windows\system32\taskhost.exe   "taskhost.exe"   PID:1048

C:\Windows\system32\Dwm.exe   "C:\Windows\system32\Dwm.exe"   PID:1056

C:\Windows\Explorer.EXE   C:\Windows\Explorer.EXE   PID:1124

C:\Windows\system32\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll,#1   PID:2756
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\27de9e4980f60d63b20bbe155f97b9a7b3b47b15b94fbf59197e2dbbc8359e43.dll,#1   PID:2172
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f76e198.exe   C:\Users\Admin\AppData\Local\Temp\f76e198.exe   PID:2500
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f76e34d.exe   C:\Users\Admin\AppData\Local\Temp\f76e34d.exe   PID:2600
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\f76fd52.exe   C:\Users\Admin\AppData\Local\Temp\f76fd52.exe   PID:2284
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

C:\Windows\system32\DllHost.exe   C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}   PID:1472
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Create or Modify System Process (1): Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 257B
MD5: c4fb63aaa88ae8ff630f86f79f1d8db1
SHA1: 3e39831a916fd490c609d3c9cdbeb725bfee8e50
SHA256: abb637dd41321095c454a649164590de7f224bb2fa03a45a8c8893185919f4a3
SHA512: 51a1b0df4c7e5175cb2d95777904ca4a22f6b9da4b56ecbee3aa31768342a3b0348f8169d757f595514f4772b3325d8a959c069b0b1de8915e0134d0c6144053

Filesize: 97KB
MD5: 5d61bd5cfd312ce28752a7d6e172eff7
SHA1: e388c0c0ff67cdb7aaf2a21ef4a9959e3775dbaf
SHA256: a99fb4151ce1214a1a64511f2d79214e739966734400901f9946c57572fc420d
SHA512: c199b7c2c9f29f4d1689dd60c982ee5380581d3cd2292b9d3a5dc050665b0278c6f94ca29d5a1870d7621a11fd3b0d107c7303d436594972a66a28d1a0fd9bef