Analysis

max time kernel: 28s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 10:47

Tasks:
- static1 (static task)
- behavioral1 (behavioral task)
Sample: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll
Resource: win7-20240903-en
General

Target: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll
Size: 120KB
MD5: fc800e7af06a725d097500a38222d720
SHA1: 6560b6b99711b8fb0c87dc3ad0c7f47ea1a7ce0b
SHA256: 27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5
SHA512: 32d88e7cfa180507fbc23293a129163626421f92903afbdef3f8225dc3f47b19df85d3fa8bf04aa527fbddc253d93e9067b5aff742a29133ace927ee11c3216c
SSDEEP: 3072:+XK5GMYqO3NT0aEO4eXXBQdzmKcuiYsqJ3frne:+0/uV3nXMZcuLV3frn
Malware Config

Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769cfb.exe
Sality family

UAC bypass (2 IoCs; heading restored from the process tree's signature list)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769eaf.exe

Windows security bypass (12 IoCs; heading restored from the process tree's signature list)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769cfb.exe
Executes dropped EXE (3 IoCs)
pid | Process
2476 | f769cfb.exe
2840 | f769eaf.exe
3036 | f76bd85.exe

Loads dropped DLL (6 IoCs)
pid | Process
2688 | rundll32.exe (×6)

Windows security modification (14 IoCs; heading restored from the process tree's signature list)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769eaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769cfb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769eaf.exe

Checks whether UAC is enabled (2 IoCs; heading restored from the process tree's signature list)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769cfb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769eaf.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f769cfb.exe
File opened (read-only) | \??\K: | f769cfb.exe
File opened (read-only) | \??\N: | f769cfb.exe
File opened (read-only) | \??\Q: | f769cfb.exe
File opened (read-only) | \??\M: | f769cfb.exe
File opened (read-only) | \??\S: | f769cfb.exe
File opened (read-only) | \??\O: | f769cfb.exe
File opened (read-only) | \??\R: | f769cfb.exe
File opened (read-only) | \??\T: | f769cfb.exe
File opened (read-only) | \??\G: | f769cfb.exe
File opened (read-only) | \??\H: | f769cfb.exe
File opened (read-only) | \??\I: | f769cfb.exe
File opened (read-only) | \??\J: | f769cfb.exe
File opened (read-only) | \??\L: | f769cfb.exe
File opened (read-only) | \??\P: | f769cfb.exe

Yara rule match: upx (24 IoCs; signature heading missing from the extraction)
resource | yara_rule
behavioral1/memory/2476-17-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-19-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-22-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-21-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-20-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-18-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-16-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-23-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-15-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-14-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-63-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-64-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-65-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-66-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-68-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-69-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-70-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-71-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-72-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-87-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-88-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2476-152-0x0000000000670000-0x000000000172A000-memory.dmp | upx
behavioral1/memory/2840-165-0x00000000009A0000-0x0000000001A5A000-memory.dmp | upx
behavioral1/memory/2840-191-0x00000000009A0000-0x0000000001A5A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76edf7 | f769eaf.exe
File created | C:\Windows\f769d49 | f769cfb.exe
File opened for modification | C:\Windows\SYSTEM.INI | f769cfb.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769cfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769eaf.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2476 | f769cfb.exe (×2)
2840 | f769eaf.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2476 | f769cfb.exe (×23)
Token: SeDebugPrivilege | 2840 | f769eaf.exe (×23)
Suspicious use of WriteProcessMemory (38 IoCs; consecutive identical rows collapsed with a count)
description | pid | Process | procid_target
PID 2268 wrote to memory of 2688 | 2268 | rundll32.exe | 30 (×7)
PID 2688 wrote to memory of 2476 | 2688 | rundll32.exe | 31 (×4)
PID 2476 wrote to memory of 1032 | 2476 | f769cfb.exe | 17
PID 2476 wrote to memory of 1048 | 2476 | f769cfb.exe | 18
PID 2476 wrote to memory of 1112 | 2476 | f769cfb.exe | 20
PID 2476 wrote to memory of 1420 | 2476 | f769cfb.exe | 25
PID 2476 wrote to memory of 2268 | 2476 | f769cfb.exe | 29
PID 2476 wrote to memory of 2688 | 2476 | f769cfb.exe | 30 (×2)
PID 2688 wrote to memory of 2840 | 2688 | rundll32.exe | 32 (×4)
PID 2688 wrote to memory of 3036 | 2688 | rundll32.exe | 33 (×4)
PID 2476 wrote to memory of 1032 | 2476 | f769cfb.exe | 17
PID 2476 wrote to memory of 1048 | 2476 | f769cfb.exe | 18
PID 2476 wrote to memory of 1112 | 2476 | f769cfb.exe | 20
PID 2476 wrote to memory of 1420 | 2476 | f769cfb.exe | 25
PID 2476 wrote to memory of 2840 | 2476 | f769cfb.exe | 32 (×2)
PID 2476 wrote to memory of 3036 | 2476 | f769cfb.exe | 33 (×2)
PID 2840 wrote to memory of 1032 | 2840 | f769eaf.exe | 17
PID 2840 wrote to memory of 1048 | 2840 | f769eaf.exe | 18
PID 2840 wrote to memory of 1112 | 2840 | f769eaf.exe | 20
PID 2840 wrote to memory of 1420 | 2840 | f769eaf.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769eaf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769cfb.exe
Processes
(indentation follows the tree depth reported by the sandbox)

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth 1, PID: 1032

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth 1, PID: 1048

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth 1, PID: 1112

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll,#1
    - Suspicious use of WriteProcessMemory
    Depth 2, PID: 2268

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27e1e32462256dbac2d9424a13f2ba083255fc4810d2baaf276cd12482dd44f5N.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Depth 3, PID: 2688

      C:\Users\Admin\AppData\Local\Temp\f769cfb.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f769cfb.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        Depth 4, PID: 2476

      C:\Users\Admin\AppData\Local\Temp\f769eaf.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f769eaf.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        Depth 4, PID: 2840

      C:\Users\Admin\AppData\Local\Temp\f76bd85.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76bd85.exe
        - Executes dropped EXE
        Depth 4, PID: 3036

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth 1, PID: 1420
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Dropped file 1
Filesize: 97KB
MD5: 8235519fb109f89b832650647fe39530
SHA1: 816b47d09190a4dde42872f54d76dce97e67d22f
SHA256: fd5f402d2461e5e2fa253d26a39923e2ff94f1d8005114679275fd97f51cde1e
SHA512: 9bbe823a86394ef15a523ebb5346a2fab484e136d5adcd96bcf35aa1154b8f42c3c23323054bf6a9ab3cf39895b767e4e79a64db4d5a9bdcb1abe468722687f7

Dropped file 2
Filesize: 256B
MD5: 6041ea75b3dfc8f2a9d82f2e99d08984
SHA1: aebcbc05451d63ece46fbc0e7800f750c9b83527
SHA256: 59c11801594ada505b7b2c1504f689d61b29126b80295b5ad56a3400e114e62f
SHA512: aba9159f66f3d67133725ecd58866474a39174931be7ab1de402a6cafd240436219253927cb5e017ae934ee8aff7c276481c84d26232d929f99d3907c1aadaf2