Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 23:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll
  - Resource: win7-20240903-en
General
- Target: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll
- Size: 120KB
- MD5: 89f777f85e883ec4b45d9c2568e10ab0
- SHA1: 6cee9f1ce114ce0e6357b27d56fab429914146fc
- SHA256: a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607
- SHA512: cabc908fb6c53f28bce24b9a77491c72583bdb33a7a406704b78f7e6c9f2b7f28d180a4081c2a3c5e0250dce55750c780d39b275c2febd1fb321dc65356ab4a0
- SSDEEP: 1536:ryZUI76rS/VmFjSeRaEKdDWpu9ADzDF9oBd7z8YhwaDNvOOckVyPpUV0DC+UaUPm:iMuVGjSz4u9G9oB2Cw0ObVhBubBAez
Malware Config
Extracted
- Family: sality
- URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Both dropped executables rewrite the Windows Firewall standard-profile policy: the firewall is switched off, the "do not allow exceptions" setting is cleared, and firewall notifications are suppressed.
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (f768a93.exe)
Sality family

UAC bypass (2 IoCs)
EnableLUA = 0 turns User Account Control off for the whole system; the change takes full effect at the next logon or reboot.
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768a93.exe)

Windows security bypass (12 IoCs)
The Security Center *Override values tell Security Center that a third-party product is handling antivirus and firewall monitoring; the *DisableNotify values silence its alerts about antivirus, firewall, updates and UAC. The Wow6432Node path shows the writes came from 32-bit processes on this x64 guest, so a 64-bit audit tool must read the 32-bit view (or both views) to see them.
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f766ee9.exe)
Executes dropped EXE (3 IoCs)
pid Process
- 2736 f766ee9.exe
- 332 f767040.exe
- 2380 f768a93.exe

Loads dropped DLL (6 IoCs)
pid Process
- 2876 rundll32.exe (6 loads)

Windows security modification (14 IoCs)
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f768a93.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (f766ee9.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (f768a93.exe)

Checks whether UAC is enabled (2 IoCs)
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766ee9.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768a93.exe)
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: ioc (Process)
- File opened (read-only): \??\H: (f766ee9.exe)
- File opened (read-only): \??\M: (f766ee9.exe)
- File opened (read-only): \??\N: (f766ee9.exe)
- File opened (read-only): \??\P: (f766ee9.exe)
- File opened (read-only): \??\R: (f766ee9.exe)
- File opened (read-only): \??\S: (f766ee9.exe)
- File opened (read-only): \??\T: (f766ee9.exe)
- File opened (read-only): \??\E: (f766ee9.exe)
- File opened (read-only): \??\E: (f768a93.exe)
- File opened (read-only): \??\K: (f766ee9.exe)
- File opened (read-only): \??\O: (f766ee9.exe)
- File opened (read-only): \??\G: (f766ee9.exe)
- File opened (read-only): \??\L: (f766ee9.exe)
- File opened (read-only): \??\G: (f768a93.exe)
- File opened (read-only): \??\I: (f766ee9.exe)
- File opened (read-only): \??\Q: (f766ee9.exe)
- File opened (read-only): \??\J: (f766ee9.exe)

UPX-packed memory (yara rule upx, 23 IoCs)
Every match is the same address range inside one process, so the 23 hits collapse to two regions:
- behavioral1/memory/2736-{11,13,14,15,16,17,18,19,20,21,61,62,63,64,65,67,68,83,85,87,155}-0x00000000006A0000-0x000000000175A000-memory.dmp: upx (PID 2736 f766ee9.exe; 21 dumps)
- behavioral1/memory/2380-{169,212}-0x0000000000A10000-0x0000000001ACA000-memory.dmp: upx (PID 2380 f768a93.exe; 2 dumps)
Drops file in Windows directory (3 IoCs)
description: ioc (Process)
- File created: C:\Windows\f766f37 (f766ee9.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (f766ee9.exe)
- File created: C:\Windows\f76bf59 (f768a93.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: ioc (Process)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f766ee9.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f768a93.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid Process
- 2736 f766ee9.exe (x2)
- 2380 f768a93.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description pid Process
- Token: SeDebugPrivilege, 2736 f766ee9.exe (repeated)
- Token: SeDebugPrivilege, 2380 f768a93.exe (repeated)
SeDebugPrivilege lets a process open any other process regardless of its ACL; the two processes enabling it are the same two that the WriteProcessMemory rows below show writing into Dwm.exe, taskhost.exe, Explorer.EXE and DllHost.exe.
Suspicious use of WriteProcessMemory (38 IoCs)
description: pid Process wrote to memory of target pid (procid_target); consecutive duplicate rows collapsed with a count
- PID 2784 rundll32.exe wrote to memory of 2876 (30) x7
- PID 2876 rundll32.exe wrote to memory of 2736 (31) x4
- PID 2736 f766ee9.exe wrote to memory of 1048 (17)
- PID 2736 f766ee9.exe wrote to memory of 1092 (18)
- PID 2736 f766ee9.exe wrote to memory of 1100 (19)
- PID 2736 f766ee9.exe wrote to memory of 1556 (25)
- PID 2736 f766ee9.exe wrote to memory of 2784 (29)
- PID 2736 f766ee9.exe wrote to memory of 2876 (30) x2
- PID 2876 rundll32.exe wrote to memory of 332 (32) x4
- PID 2876 rundll32.exe wrote to memory of 2380 (33) x4
- PID 2736 f766ee9.exe wrote to memory of 1048 (17)
- PID 2736 f766ee9.exe wrote to memory of 1092 (18)
- PID 2736 f766ee9.exe wrote to memory of 1100 (19)
- PID 2736 f766ee9.exe wrote to memory of 1556 (25)
- PID 2736 f766ee9.exe wrote to memory of 332 (32) x2
- PID 2736 f766ee9.exe wrote to memory of 2380 (33) x2
- PID 2380 f768a93.exe wrote to memory of 1048 (17)
- PID 2380 f768a93.exe wrote to memory of 1092 (18)
- PID 2380 f768a93.exe wrote to memory of 1100 (19)
- PID 2380 f768a93.exe wrote to memory of 1556 (25)
The rundll32.exe writes into its own children (2876, 2736, 332, 2380) are the parent-writes-child pattern routinely logged at process creation. The writes by f766ee9.exe and f768a93.exe into Dwm.exe (1048), taskhost.exe (1092), Explorer.EXE (1100) and DllHost.exe (1556), none of which they created, are cross-process writes into pre-existing system processes; f766ee9.exe also writes back into both rundll32.exe ancestors and into its sibling dropped executables.

System policy modification (1 TTP, 2 IoCs)
description: ioc (Process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f768a93.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (f766ee9.exe)
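To turn the registry IoCs above into a host check, the following Python is added here as an example; it is not code from the sandbox or from the sample. It parses the report's own "Set value (int)" rows, normalises the paths the way a live-host audit has to (\REGISTRY\MACHINE to HKLM, ControlSetNNN to CurrentControlSet, the Wow6432Node 32-bit view folded into the native view) and compares them against the values the two dropped executables wrote. The rule table, the ATT&CK IDs and the input format (registry path to integer value, as you would build from a reg query or a .reg export) are the editor's assumptions.

```python
"""Audit registry values for the security-disabling writes seen in this report.

Added example, not code from the sandbox or the sample. Input format
(registry path -> integer value) is an assumption: build it from `reg query`
output or a .reg export of the host you are checking.
"""
import re
from dataclasses import dataclass

# Rows copied from the report's "Set value (int)" IoC tables (one per value).
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f766ee9.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f766ee9.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f766ee9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f766ee9.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f768a93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f768a93.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f768a93.exe
"""

IOC_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

FIREWALL = r"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECCENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"

T_FIREWALL = "T1562.004 Impair Defenses: Disable or Modify System Firewall"
T_TOOLS = "T1562.001 Impair Defenses: Disable or Modify Tools"
T_UAC = "T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control"

# (normalised path, value the malware writes, ATT&CK technique). Editor's table,
# built from this report: a match means the host holds the attacker's value.
TAMPER_RULES = [
    (FIREWALL + r"\EnableFirewall", 0, T_FIREWALL),
    (FIREWALL + r"\DoNotAllowExceptions", 0, T_FIREWALL),
    (FIREWALL + r"\DisableNotifications", 1, T_FIREWALL),
    (POLICY + r"\EnableLUA", 0, T_UAC),
    (SECCENTER + r"\AntiVirusOverride", 1, T_TOOLS),
    (SECCENTER + r"\FirewallOverride", 1, T_TOOLS),
    (SECCENTER + r"\AntiVirusDisableNotify", 1, T_TOOLS),
    (SECCENTER + r"\FirewallDisableNotify", 1, T_TOOLS),
    (SECCENTER + r"\UpdatesDisableNotify", 1, T_TOOLS),
    (SECCENTER + r"\UacDisableNotify", 1, T_TOOLS),
]


@dataclass(frozen=True)
class Finding:
    path: str
    value: int
    technique: str


def normalize_path(path: str) -> str:
    """Map kernel-style, HKEY_LOCAL_MACHINE, ControlSetNNN and Wow6432Node
    spellings onto one canonical HKLM view so the rule table matches any of them."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.I)
    return p


def parse_report_iocs(text: str) -> dict:
    """Turn the report's 'Set value (int)' rows into {path: int value}."""
    values = {}
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m and m.group(1) == "int":
            values[m.group(2)] = int(m.group(3))
    return values


def audit(values: dict) -> list:
    """Return a Finding for every rule whose attacker value is present."""
    seen = {normalize_path(k).lower(): v for k, v in values.items()}
    findings = []
    for path, bad, technique in TAMPER_RULES:
        v = seen.get(path.lower())
        if v is not None and v == bad:
            findings.append(Finding(path, v, technique))
    return findings


def audit_report(text: str = REPORT_IOCS) -> list:
    return audit(parse_report_iocs(text))


if __name__ == "__main__":
    for f in audit_report():
        print(f"{f.technique}: {f.path} = {f.value}")
```

Run against a clean host export the same function returns an empty list, which is the point of comparing against the attacker's values rather than against a default: EnableLUA = 1 or a firewall that is simply unconfigured produces no finding.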
Processes
- C:\Windows\system32\Dwm.exe (depth 1, PID 1048)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (depth 1, PID 1092)
  command line: "taskhost.exe"
- C:\Windows\Explorer.EXE (depth 1, PID 1100)
  command line: C:\Windows\Explorer.EXE
- C:\Windows\system32\rundll32.exe (depth 2, PID 2784)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 3, PID 2876)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5d2123b9c0dcb7e29ac48276c1f00f166c22bf1681ebfcf80f52fe59b0a6607N.dll,#1
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f766ee9.exe (depth 4, PID 2736)
      command line: C:\Users\Admin\AppData\Local\Temp\f766ee9.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f767040.exe (depth 4, PID 332)
      command line: C:\Users\Admin\AppData\Local\Temp\f767040.exe
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f768a93.exe (depth 4, PID 2380)
      command line: C:\Users\Admin\AppData\Local\Temp\f768a93.exe
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe (depth 1, PID 1556)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Reading the tree: the 64-bit rundll32.exe in system32 (PID 2784) re-launches the same command line through the 32-bit rundll32.exe in SysWOW64 (PID 2876), which is what happens when a 32-bit DLL (resource tag arch:x86) is handed to the native rundll32; the 32-bit instance calls the DLL's export ordinal #1 and is the parent of all three executables dropped into %TEMP%. Dwm.exe, taskhost.exe, Explorer.EXE and DllHost.exe at depth 1 are pre-existing system processes; they are listed because they are the targets of the WriteProcessMemory rows above.
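The tree plus the WriteProcessMemory rows are enough to separate ordinary parent-to-child writes from injection into processes the writer never created, which is the triage question this report raises. The Python below is an added example by the editor, not code from the sandbox: the process table and the child-to-parent map are transcribed from the tree above, the rows are a de-duplicated subset of the report's own WriteProcessMemory rows in the report's notation, and the classification rule (a write into a process that is not your own child is injection) is the editor's.

```python
"""Classify this report's WriteProcessMemory rows into spawn-time writes and
cross-process injection, and list the executables rundll32 ran from %TEMP%.

Added example, not sandbox code. IMAGES/PARENT are transcribed from the report's
process tree; the classification rule is the editor's assumption.
"""
import re
from dataclasses import dataclass

# pid -> image path, from the process tree.
IMAGES = {
    1048: r"C:\Windows\system32\Dwm.exe",
    1092: r"C:\Windows\system32\taskhost.exe",
    1100: r"C:\Windows\Explorer.EXE",
    1556: r"C:\Windows\system32\DllHost.exe",
    2784: r"C:\Windows\system32\rundll32.exe",
    2876: r"C:\Windows\SysWOW64\rundll32.exe",
    2736: r"C:\Users\Admin\AppData\Local\Temp\f766ee9.exe",
    332: r"C:\Users\Admin\AppData\Local\Temp\f767040.exe",
    2380: r"C:\Users\Admin\AppData\Local\Temp\f768a93.exe",
}
# child pid -> parent pid, from the tree's nesting. Depth-1 processes and the
# launcher of PID 2784 have no recorded parent in the report.
PARENT = {2876: 2784, 2736: 2876, 332: 2876, 2380: 2876}

# De-duplicated subset of the report's "Suspicious use of WriteProcessMemory" rows.
WPM_ROWS = """
PID 2784 wrote to memory of 2876 2784 rundll32.exe 30
PID 2876 wrote to memory of 2736 2876 rundll32.exe 31
PID 2736 wrote to memory of 1048 2736 f766ee9.exe 17
PID 2736 wrote to memory of 1092 2736 f766ee9.exe 18
PID 2736 wrote to memory of 1100 2736 f766ee9.exe 19
PID 2736 wrote to memory of 1556 2736 f766ee9.exe 25
PID 2736 wrote to memory of 2784 2736 f766ee9.exe 29
PID 2876 wrote to memory of 332 2876 rundll32.exe 32
PID 2876 wrote to memory of 2380 2876 rundll32.exe 33
PID 2736 wrote to memory of 2380 2736 f766ee9.exe 33
PID 2380 wrote to memory of 1048 2380 f768a93.exe 17
"""
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


@dataclass(frozen=True)
class Write:
    writer: int
    target: int
    kind: str  # "spawn", "injection" or "unknown-target"


def classify(rows: str, images: dict = IMAGES, parent: dict = PARENT) -> list:
    """A parent writing into the child it just created is expected at process
    creation; any other write goes into a process the writer did not create."""
    out = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        if target not in images:
            kind = "unknown-target"
        elif parent.get(target) == writer:
            kind = "spawn"
        else:
            kind = "injection"
        out.append(Write(writer, target, kind))
    return out


def injected_by(writes: list) -> dict:
    """writer pid -> sorted list of pids it wrote into without having created them."""
    result = {}
    for w in writes:
        if w.kind == "injection":
            result.setdefault(w.writer, set()).add(w.target)
    return {k: sorted(v) for k, v in result.items()}


def dropped_from_rundll32(images: dict = IMAGES, parent: dict = PARENT) -> list:
    """pids whose image lives under %TEMP% and whose parent is rundll32.exe."""
    hits = []
    for pid, image in images.items():
        p = parent.get(pid)
        if p is None:
            continue
        in_temp = "\\appdata\\local\\temp\\" in image.lower()
        from_rundll = images[p].lower().endswith("\\rundll32.exe")
        if in_temp and from_rundll:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    writes = classify(WPM_ROWS)
    for writer, targets in injected_by(writes).items():
        names = ", ".join(f"{t} {IMAGES[t].rsplit(chr(92), 1)[-1]}" for t in targets)
        print(f"{writer} {IMAGES[writer].rsplit(chr(92), 1)[-1]} -> {names}")
    print("dropped by rundll32:", dropped_from_rundll32())
```

The same two functions apply to any sandbox or EDR export that records writer pid, target pid and the parent relation; the only report-specific input is the transcribed tables at the top.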
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: beb23f2733426fdb8231cb4977ee70ed
  SHA1: c10664546443f07797b050fd158c926173f72963
  SHA256: 80212f48744e97873461d0ef07ed2970c4f2ce8f94ddb1da0a6a6f1b753759e0
  SHA512: 5f99344721fc6efb2cd1778f9cac9519fad9dba72870e50ab21c0380c30a52e940fce93795368162dfc4b359556ce245246f14fbeed9bb13ac545d83dbe0ee66
- Filesize: 97KB
  MD5: bd78a65d792cae1e3a0e184c23122c37
  SHA1: 7b8eb3b5852bd32051680154f18b190465d53b76
  SHA256: fa0a3c3b2de196c46efd1e75eaeb85e1e9d13e50b6fb6a0a776273490ad71af7
  SHA512: 4ab79fa1fc91eebafd6a2522f2fbc152239973dc7878d42a69f0bc326f404d9aaf89b0cb6bd5d6d7e622da5849eb3d26d43317d24fd2e8933ace7728a0409a98