Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-12-2024 06:56
Static task: static1
Behavioral task: behavioral1
Sample: eb15f0dd46225fd42d695fb59e0c9af51fb3e044474eb91edc720f1f849fde7b.dll
Resource: win7-20240903-en

General
Target: eb15f0dd46225fd42d695fb59e0c9af51fb3e044474eb91edc720f1f849fde7b.dll
Size: 120KB
MD5: 0cee5d8e8e0eb33fd3452ed36a2e9fc7
SHA1: 1b5478e48fe5c50aeeb7b442f79afbe9e529f29b
SHA256: eb15f0dd46225fd42d695fb59e0c9af51fb3e044474eb91edc720f1f849fde7b
SHA512: 8165f6b684183830b1ec7bd0dcfb0b44d02db328884bfe0d5c7dbdcb9b7d59439b7943781ca674c9adc41e2b6d4434513fb5de63b277ac54458039ec8f33544d
SSDEEP: 3072:8t8jbl+hLVCE88y22OcOaRz2z2TV7HZkWOFA:i8jb8hA38y2up2zy7HD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76afcf.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76afcf.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76afcf.exe
Executes dropped EXE 3 IoCs
pid | Process
2576 | f7693f6.exe
2776 | f76957c.exe
2924 | f76afcf.exe

Loads dropped DLL 6 IoCs
pid | Process
2520 | rundll32.exe
2520 | rundll32.exe
2520 | rundll32.exe
2520 | rundll32.exe
2520 | rundll32.exe
2520 | rundll32.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f7693f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f7693f6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76afcf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76afcf.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76afcf.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76afcf.exe
File opened (read-only) | \??\G: | f76afcf.exe

resource | yara_rule
behavioral1/memory/2576-21-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-20-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-18-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-15-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-19-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-16-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-13-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-17-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-14-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-11-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2576-61-0x00000000005F0000-0x00000000016AA000-memory.dmp | upx
behavioral1/memory/2924-118-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2924-111-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2924-109-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2924-158-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f769473 | f7693f6.exe
File opened for modification | C:\Windows\SYSTEM.INI | f7693f6.exe
File created | C:\Windows\f76e3da | f76afcf.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7693f6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76afcf.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2576 | f7693f6.exe
2576 | f7693f6.exe
2924 | f76afcf.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2576 | f7693f6.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe
Token: SeDebugPrivilege | 2924 | f76afcf.exe

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 3056 wrote to memory of 2520 | 3056 | rundll32.exe | 30
PID 2520 wrote to memory of 2576 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 2576 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 2576 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 2576 | 2520 | rundll32.exe | 31
PID 2576 wrote to memory of 1112 | 2576 | f7693f6.exe | 19
PID 2576 wrote to memory of 1156 | 2576 | f7693f6.exe | 20
PID 2576 wrote to memory of 1192 | 2576 | f7693f6.exe | 21
PID 2576 wrote to memory of 1600 | 2576 | f7693f6.exe | 25
PID 2576 wrote to memory of 3056 | 2576 | f7693f6.exe | 29
PID 2576 wrote to memory of 2520 | 2576 | f7693f6.exe | 30
PID 2576 wrote to memory of 2520 | 2576 | f7693f6.exe | 30
PID 2520 wrote to memory of 2776 | 2520 | rundll32.exe | 32
PID 2520 wrote to memory of 2776 | 2520 | rundll32.exe | 32
PID 2520 wrote to memory of 2776 | 2520 | rundll32.exe | 32
PID 2520 wrote to memory of 2776 | 2520 | rundll32.exe | 32
PID 2520 wrote to memory of 2924 | 2520 | rundll32.exe | 33
PID 2520 wrote to memory of 2924 | 2520 | rundll32.exe | 33
PID 2520 wrote to memory of 2924 | 2520 | rundll32.exe | 33
PID 2520 wrote to memory of 2924 | 2520 | rundll32.exe | 33
PID 2576 wrote to memory of 1112 | 2576 | f7693f6.exe | 19
PID 2576 wrote to memory of 1156 | 2576 | f7693f6.exe | 20
PID 2576 wrote to memory of 1192 | 2576 | f7693f6.exe | 21
PID 2576 wrote to memory of 1600 | 2576 | f7693f6.exe | 25
PID 2576 wrote to memory of 2776 | 2576 | f7693f6.exe | 32
PID 2576 wrote to memory of 2776 | 2576 | f7693f6.exe | 32
PID 2576 wrote to memory of 2924 | 2576 | f7693f6.exe | 33
PID 2576 wrote to memory of 2924 | 2576 | f7693f6.exe | 33
PID 2924 wrote to memory of 1112 | 2924 | f76afcf.exe | 19
PID 2924 wrote to memory of 1156 | 2924 | f76afcf.exe | 20
PID 2924 wrote to memory of 1192 | 2924 | f76afcf.exe | 21
PID 2924 wrote to memory of 1600 | 2924 | f76afcf.exe | 25

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f7693f6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76afcf.exe
Processes

C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
    PID: 1112

C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"
    PID: 1156

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1192

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb15f0dd46225fd42d695fb59e0c9af51fb3e044474eb91edc720f1f849fde7b.dll,#1
    PID: 3056
    Signatures:
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb15f0dd46225fd42d695fb59e0c9af51fb3e044474eb91edc720f1f849fde7b.dll,#1
        PID: 2520
        Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f7693f6.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f7693f6.exe
            PID: 2576
            Signatures:
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

        C:\Users\Admin\AppData\Local\Temp\f76957c.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f76957c.exe
            PID: 2776
            Signatures:
            - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\f76afcf.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\f76afcf.exe
            PID: 2924
            Signatures:
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1600
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 6305bad6b53b268f6215e128ed9d3b86
SHA1: f453353650f3b410ed96713bc9d85ac626c954a3
SHA256: f8679f0f727dccb11cc51276a291b8af2b3dad6f73c47c8ffaab74bb6ead2389
SHA512: c45e8cc9e1a11356026314559aa6ff71117f6919081dc49fcb3a4be03f6afcd41eea4a4beb6fda376a947869edd3cd64f16789aef981ec2e3920b1c2e15f12cd

Filesize: 257B
MD5: 21a58fdb8648eaf788249c8af1e9463e
SHA1: 09993430d4bdffe02df017358b5d5065d1350ce4
SHA256: 46c49325e1830b518b6828ee90f4a1220cf146663c129cfa5863a7e8b1f70d4c
SHA512: 95795a931862fe09f99a1b472864f1acda2cb268633d36fc7bcdf9c1dd7ca4200f32e737a8f1a79fd416ed927a3b6a7e92e121cad380fee24fb98d0bf44bbd06