Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 07:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
- Resource: win7-20241010-en
General
- Target: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll
- Size: 120KB
- MD5: 32654fe2ae581a72e9aa91401c2aab82
- SHA1: 253c854372ad84dc78e925659cb94a57adc8b1ed
- SHA256: 703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16
- SHA512: dd9f8e2a4344607b6197fba025b1237c6e8f85b5e85656d810ff988a7dacec4003b7b98b44a4b28981668c56c06af79d075071a1ec4797a999cdb841bdd7eb62
- SSDEEP: 3072:Ho+CyN4Xnld4YwjcNi+g4dzAm8Ws4Py7+14:7Cyanld4HGPJdznjDPy04
Malware Config
Extracted
- Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a86f.exe
-
Sality family
-
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c3eb.exe
-
Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c3eb.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
- 3008 | f76a86f.exe
- 2716 | f76adfb.exe
- 1868 | f76c3eb.exe
-
Loads dropped DLL (6 IoCs)
pid | Process
- 2440 | rundll32.exe (6 identical entries)
-
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c3eb.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c3eb.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a86f.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c3eb.exe
-
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c3eb.exe
-
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\K: | f76a86f.exe
- File opened (read-only) | \??\M: | f76a86f.exe
- File opened (read-only) | \??\Q: | f76a86f.exe
- File opened (read-only) | \??\L: | f76a86f.exe
- File opened (read-only) | \??\N: | f76a86f.exe
- File opened (read-only) | \??\R: | f76a86f.exe
- File opened (read-only) | \??\S: | f76a86f.exe
- File opened (read-only) | \??\E: | f76a86f.exe
- File opened (read-only) | \??\G: | f76a86f.exe
- File opened (read-only) | \??\H: | f76a86f.exe
- File opened (read-only) | \??\P: | f76a86f.exe
- File opened (read-only) | \??\E: | f76c3eb.exe
- File opened (read-only) | \??\I: | f76a86f.exe
- File opened (read-only) | \??\J: | f76a86f.exe
- File opened (read-only) | \??\O: | f76a86f.exe
-
YARA rule matches: upx
resource | yara_rule
- behavioral1/memory/3008-15-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-19-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-21-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-17-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-23-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-24-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-22-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-20-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-18-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-25-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-65-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-64-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-66-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-67-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-68-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-70-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-71-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-86-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-88-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-90-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-92-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-111-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/3008-150-0x00000000006B0000-0x000000000176A000-memory.dmp | upx
- behavioral1/memory/1868-155-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
- behavioral1/memory/1868-199-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\f76a91b | f76a86f.exe
- File opened for modification | C:\Windows\SYSTEM.INI | f76a86f.exe
- File created | C:\Windows\f76fd81 | f76c3eb.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a86f.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c3eb.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
- 3008 | f76a86f.exe
- 3008 | f76a86f.exe
- 1868 | f76c3eb.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 3008 | f76a86f.exe
- Token: SeDebugPrivilege | 1868 | f76c3eb.exe
(all 46 entries are repetitions of the two rows above)
-
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
- PID 2036 wrote to memory of 2440 | 2036 | rundll32.exe | 30 (x7)
- PID 2440 wrote to memory of 3008 | 2440 | rundll32.exe | 31 (x4)
- PID 3008 wrote to memory of 1100 | 3008 | f76a86f.exe | 19
- PID 3008 wrote to memory of 1172 | 3008 | f76a86f.exe | 20
- PID 3008 wrote to memory of 1200 | 3008 | f76a86f.exe | 21
- PID 3008 wrote to memory of 464 | 3008 | f76a86f.exe | 23
- PID 3008 wrote to memory of 2036 | 3008 | f76a86f.exe | 29
- PID 3008 wrote to memory of 2440 | 3008 | f76a86f.exe | 30 (x2)
- PID 2440 wrote to memory of 2716 | 2440 | rundll32.exe | 32 (x4)
- PID 2440 wrote to memory of 1868 | 2440 | rundll32.exe | 33 (x4)
- PID 3008 wrote to memory of 1100 | 3008 | f76a86f.exe | 19
- PID 3008 wrote to memory of 1172 | 3008 | f76a86f.exe | 20
- PID 3008 wrote to memory of 1200 | 3008 | f76a86f.exe | 21
- PID 3008 wrote to memory of 464 | 3008 | f76a86f.exe | 23
- PID 3008 wrote to memory of 2716 | 3008 | f76a86f.exe | 32 (x2)
- PID 3008 wrote to memory of 1868 | 3008 | f76a86f.exe | 33 (x2)
- PID 1868 wrote to memory of 1100 | 1868 | f76c3eb.exe | 19
- PID 1868 wrote to memory of 1172 | 1868 | f76c3eb.exe | 20
- PID 1868 wrote to memory of 1200 | 1868 | f76c3eb.exe | 21
- PID 1868 wrote to memory of 464 | 1868 | f76c3eb.exe | 23
-
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a86f.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c3eb.exe
Processes
Path | Command line | Level | PID
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | level 1 | PID:1100
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | level 1 | PID:1172
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | level 1 | PID:1200
- C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1 | level 2 | PID:2036
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\703fa21d406b5e4382cc471163af2fe391a0b57f84ec1117824b2d999a256c16.dll,#1 | level 3 | PID:2440
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76a86f.exe | C:\Users\Admin\AppData\Local\Temp\f76a86f.exe | level 4 | PID:3008
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76adfb.exe | C:\Users\Admin\AppData\Local\Temp\f76adfb.exe | level 4 | PID:2716
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76c3eb.exe | C:\Users\Admin\AppData\Local\Temp\f76c3eb.exe | level 4 | PID:1868
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | level 1 | PID:464
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
-
- Filesize: 97KB
- MD5: 9f6dc47fa19382690d19ed8a359696f1
- SHA1: 0a673df77cb1219e5372db041ddcf9fafe31328a
- SHA256: bc2793599caa0e6703b7370c3508de4543ef98e7581be1ed55acd4731ab59148
- SHA512: 83c673802c192a7866faef2e077fa1b85bde25429a0efc9df48471bf0431617b0c24a03f11574c012dc83e5ab145ea86dad736439324724dc7a9a3a002b8c450
-
- Filesize: 257B
- MD5: a432e14a5a234b7864371c21ad9aaca5
- SHA1: d5a95770c0bd8f0ae1bfeacf11c2ed6a20d530ac
- SHA256: fb13c092527c7e9a6e21f1e2852ad28da799777b53c81efed29020da903f601a
- SHA512: b1f8f4ce2962c30e6c3e0068d0e45404f7a51922df0b488751552fce46fd66b262e8e4a4c13bd2b5e0f2cd5411c40123499ca7b5207b49578c4e6b7a344c9ba7