Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 05:44
Static task: static1
Behavioral task: behavioral1
Sample: 216325d52a456244458de3c1abf7c06f8d6cd4c581e69246beabdfdecb7fce36.dll
Resource: win7-20240903-en
General
Target: 216325d52a456244458de3c1abf7c06f8d6cd4c581e69246beabdfdecb7fce36.dll
Size: 120KB
MD5: dabc422f285be9ff30e4699ad7748c4a
SHA1: 471661c68aea7c300de12cdc99810420248a0fba
SHA256: 216325d52a456244458de3c1abf7c06f8d6cd4c581e69246beabdfdecb7fce36
SHA512: b000898b769b3c334ba245006698419a65005f4be044a554a96170a378cd2d496610f7b78658ce8e720ffcd64e37788e94dd7ed445ad04555c359018021b1662
SSDEEP: 3072:WytBSCdTmIdXhhf9LcwmVVHrpG6/a4ZIQ:DyCZmInV9LcD746t7
Malware Config
Extracted family: sality
Extracted URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76621d.exe
Sality family
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76621d.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76621d.exe
Executes dropped EXE (3 IoCs)
pid | Process
2712 | f76447f.exe
2848 | f764644.exe
2652 | f76621d.exe
Loads dropped DLL (6 IoCs)
pid | Process
2768 | rundll32.exe (the same entry is recorded 6 times)
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76621d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76621d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76621d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76621d.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76621d.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76447f.exe
File opened (read-only) | \??\I: | f76447f.exe
File opened (read-only) | \??\L: | f76447f.exe
File opened (read-only) | \??\O: | f76447f.exe
File opened (read-only) | \??\Q: | f76447f.exe
File opened (read-only) | \??\E: | f76621d.exe
File opened (read-only) | \??\G: | f76447f.exe
File opened (read-only) | \??\H: | f76447f.exe
File opened (read-only) | \??\M: | f76447f.exe
File opened (read-only) | \??\N: | f76447f.exe
File opened (read-only) | \??\R: | f76447f.exe
File opened (read-only) | \??\S: | f76447f.exe
File opened (read-only) | \??\G: | f76621d.exe
File opened (read-only) | \??\J: | f76447f.exe
File opened (read-only) | \??\K: | f76447f.exe
File opened (read-only) | \??\P: | f76447f.exe
File opened (read-only) | \??\T: | f76447f.exe
YARA rule matches (27 IoCs)
resource | yara_rule
behavioral1/memory/2712-15-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-20-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-18-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-24-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-22-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-17-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-25-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-23-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-21-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-19-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-59-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-61-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-62-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-60-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-64-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-65-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-66-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-80-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-81-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-83-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-85-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-104-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-106-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2712-152-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2848-158-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2652-171-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2652-210-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f7644ec | f76447f.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76447f.exe
File created | C:\Windows\f76953d | f76621d.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76447f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76621d.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2712 | f76447f.exe
2712 | f76447f.exe
2652 | f76621d.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2712 | f76447f.exe
Token: SeDebugPrivilege | 2652 | f76621d.exe
(the two rows above are the only distinct entries; the report records them repeatedly, 45 entries in total)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
(a trailing "(xN)" marks a row that the report records N times in succession)
PID 2756 wrote to memory of 2768 | 2756 | rundll32.exe | 30 (x7)
PID 2768 wrote to memory of 2712 | 2768 | rundll32.exe | 31 (x4)
PID 2712 wrote to memory of 1080 | 2712 | f76447f.exe | 17
PID 2712 wrote to memory of 1096 | 2712 | f76447f.exe | 19
PID 2712 wrote to memory of 1160 | 2712 | f76447f.exe | 20
PID 2712 wrote to memory of 1488 | 2712 | f76447f.exe | 25
PID 2712 wrote to memory of 2756 | 2712 | f76447f.exe | 29
PID 2712 wrote to memory of 2768 | 2712 | f76447f.exe | 30 (x2)
PID 2768 wrote to memory of 2848 | 2768 | rundll32.exe | 32 (x4)
PID 2768 wrote to memory of 2652 | 2768 | rundll32.exe | 33 (x4)
PID 2712 wrote to memory of 1080 | 2712 | f76447f.exe | 17
PID 2712 wrote to memory of 1096 | 2712 | f76447f.exe | 19
PID 2712 wrote to memory of 1160 | 2712 | f76447f.exe | 20
PID 2712 wrote to memory of 1488 | 2712 | f76447f.exe | 25
PID 2712 wrote to memory of 2848 | 2712 | f76447f.exe | 32 (x2)
PID 2712 wrote to memory of 2652 | 2712 | f76447f.exe | 33 (x2)
PID 2652 wrote to memory of 1080 | 2652 | f76621d.exe | 17
PID 2652 wrote to memory of 1096 | 2652 | f76621d.exe | 19
PID 2652 wrote to memory of 1160 | 2652 | f76621d.exe | 20
PID 2652 wrote to memory of 1488 | 2652 | f76621d.exe | 25
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76447f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76621d.exe
Processes
image | command line | PID (indentation shows the parent/child relationship; the signatures triggered by each process are listed beneath it)
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1080
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1096
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1160
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\216325d52a456244458de3c1abf7c06f8d6cd4c581e69246beabdfdecb7fce36.dll,#1 | PID 2756
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\216325d52a456244458de3c1abf7c06f8d6cd4c581e69246beabdfdecb7fce36.dll,#1 | PID 2768
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f76447f.exe | C:\Users\Admin\AppData\Local\Temp\f76447f.exe | PID 2712
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f764644.exe | C:\Users\Admin\AppData\Local\Temp\f764644.exe | PID 2848
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\f76621d.exe | C:\Users\Admin\AppData\Local\Temp\f76621d.exe | PID 2652
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 1488
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
Filesize: 257B
MD5: 5ac0b774ece11ec2fee71dd5f001417f
SHA1: 45ca3c05d2df730a59ba8cb7a2ed0d860deab54b
SHA256: d0b1598560133d0d53c74d1e296bb1f1509a6bf80bf8ef390e6c5288fc23b374
SHA512: 5c8aee3d0842bbacf927e8d4ef4e5a1d193b8ec51a99c39028945d03ba7ffb45fabf4c9e9f189481a9fbaf309c2ec30b06be0fa7fe2ef300ec084bec4a3612a4

Filesize: 97KB
MD5: e906cb0acf1bdf0de134b82514f66c4c
SHA1: 9daf453f885e4aa24d6c62a682c9a37aec8ab0ef
SHA256: e5dcaee152ed2db9ba70d5b3ef589ff1df05ad70bc8a39a5cc20e29cbd99f9b2
SHA512: a6572f006c0c64021b6266e511cd767425c6e61105f1d22ffda9bf84599ebc6fe023e536398a072ea965fb7ec542e1e5c91b6cfe8f42f5f4b0f40e673e8a2e03