Analysis
-
max time kernel
93s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 06:26
Static task
static1
Behavioral task
behavioral1
Sample
cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe
Resource
win7-20240903-en
General
-
Target
cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe
-
Size
655KB
-
MD5
9abc05fbb9ad054f9c44d349fb61307d
-
SHA1
280926fe7a685d4cd3c752feb0a3284b4f2b6e74
-
SHA256
cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad
-
SHA512
8caff24b566437d21f3fe1ce544d2894bdbd2754177049ffcd7e77e140137008c998a6286dd77f7aca455eb6061c7b790383ea6b299e01e724fcc7bdae535e28
-
SSDEEP
12288:hGdfJDRM8SmKrBh69VpmSi6AxOzaO9TsnD98A7xH5zbgbWlIzkJZ:gdhDRYmKi9XiZYzZ9TSD9J7xH5zsbWlL
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
Sality family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
resource yara_rule behavioral2/memory/2196-3-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-4-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-5-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-8-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-11-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-7-0x0000000002250000-0x000000000330A000-memory.dmp upx behavioral2/memory/2196-6-0x0000000002250000-0x000000000330A000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\e57b2b6 cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe File opened for modification C:\Windows\SYSTEM.INI cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2196 cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe 2196 cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2196 cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe Token: SeDebugPrivilege 2196 cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe"C:\Users\Admin\AppData\Local\Temp\cf9b3a04096f7d06ab7ce21ce05ae43a33afe45f9d7c9a3ad6b7c80eae603cad.exe"1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2196
Network
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.42.69.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
241.42.69.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5