Analysis
  Max time kernel: 28s
  Max time network: 18s
  Platform: windows7_x64
  Resource: win7-20241010-en
  Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  Submitted: 19-12-2024 11:22
  Static task: static1
  Behavioral task: behavioral1
    Sample: 1b8045b7ce5aa354ac5e42de8a4545cc1de77f97cf6f31dbee57923a99bc1800.dll
    Resource: win7-20241010-en

General
  Target: 1b8045b7ce5aa354ac5e42de8a4545cc1de77f97cf6f31dbee57923a99bc1800.dll
  Size: 120KB
  MD5: 0345b75547189cf9afdb03ca3815a218
  SHA1: 30d88098c8728f93608d9e6ac23bcae0148f143e
  SHA256: 1b8045b7ce5aa354ac5e42de8a4545cc1de77f97cf6f31dbee57923a99bc1800
  SHA512: cd9559d458a582f60daa6e09c7c985461017c5b4f98c0130612851e1b0fcc2e89870450fef1e708336bfc7d0237e506779b7e19e94b71af323095afd26ac9348
  SSDEEP: 1536:djse0fRGwfJBkSbO8+7OQKwKk+ZzOXdwYh5ts0CQN+Sa3ish189uYc8gx:dj8f04JBs8LcKkqKdwkA0CQN+Sax78Y
Malware Config
  Extracted family: sality
  Extracted URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  (3 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  f76894c.exe

Sality family

UAC bypass  (2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76894c.exe

Windows security bypass  (12 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76a4f6.exe

Executes dropped EXE  (3 IoCs)
  PID 1664  f76894c.exe
  PID 2852  f768cb5.exe
  PID 2804  f76a4f6.exe

Loads dropped DLL  (6 IoCs)
  PID 2372  rundll32.exe  (6 loads)

Windows security modification  (14 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76894c.exe
  Key created     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76a4f6.exe
  Key created     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  f76894c.exe

Checks whether UAC is enabled  (2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76a4f6.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76894c.exe
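The registry writes in the signatures above are the sample rolling back host hardening: the Windows Firewall standard profile is switched off, UAC is disabled through EnableLUA, and the Security Center status and notification flags are overridden. Note that the Security Center writes land under Wow6432Node because the writers are 32-bit processes; on a 64-bit host that is the WOW64-redirected view of the key, so a hunt has to check both views, while the SYSTEM hive (firewall policy) and the Policies\System key are not redirected and those writes hit the real values. The script below is an added example, not part of the sandbox report: it parses "Set value" and "Key created" lines in the report's own format and checks each write against a hardened baseline. The IoC lines are copied from the signatures above (the EnableLUA entries under "System policy modification" later in the report are the same kind of event); the baseline values are this example's assumption of what a hardened Windows 7 host holds, not anything the report states.

```python
"""Check registry writes from a sandbox report against a hardened baseline.

Added example, not part of the sandbox report. SAMPLE_IOCS copies the report's
'Set value' / 'Key created' entries; BASELINE is this example's assumption of
what a hardened Windows 7 host holds, not something the report states."""
import re
from collections import Counter

SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76a4f6.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76894c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76a4f6.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76894c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76a4f6.exe
"""

# Values a hardened host is assumed to hold (this example's assumption).
# Matched as case-insensitive path suffixes so the native and Wow6432Node
# views of "Security Center" share one rule.
BASELINE = {
    r"\FirewallPolicy\StandardProfile\EnableFirewall": "1",
    r"\FirewallPolicy\StandardProfile\DisableNotifications": "0",
    r"\Policies\System\EnableLUA": "1",
    r"\Security Center\AntiVirusDisableNotify": "0",
    r"\Security Center\AntiVirusOverride": "0",
    r"\Security Center\FirewallDisableNotify": "0",
    r"\Security Center\FirewallOverride": "0",
    r"\Security Center\UacDisableNotify": "0",
    r"\Security Center\UpdatesDisableNotify": "0",
}
# DoNotAllowExceptions is left out on purpose: 0 is the Windows default (the
# "block all incoming connections" option off), so writing 0 is not a rollback
# unless the host had deliberately set it to 1.

IOC_RE = re.compile(
    r'^(?P<op>Set value \(int\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>\S+\.exe)$'
)


def parse_iocs(lines):
    """Return (op, key, value, process) per well-formed line; skip anything else.
    value is None for 'Key created' entries."""
    events = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m:
            events.append((m["op"], m["key"], m["value"], m["proc"]))
    return events


def audit(events, baseline=BASELINE):
    """One finding per write that leaves a baselined value different from the baseline."""
    findings = []
    for op, key, value, proc in events:
        if op != "Set value (int)":
            continue  # key creation alone is not a value change
        for suffix, expected in baseline.items():
            if key.lower().endswith(suffix.lower()) and value != expected:
                findings.append({"process": proc, "key": key,
                                 "observed": value, "expected": expected})
    return findings


def per_process(findings):
    """Number of rollbacks attributed to each writing process."""
    return Counter(f["process"] for f in findings)


if __name__ == "__main__":
    found = audit(parse_iocs(SAMPLE_IOCS.splitlines()))
    for f in found:
        name = f["key"].split("\\")[-1]
        print(f'{f["process"]}: {name} = {f["observed"]} (baseline {f["expected"]})')
    print(dict(per_process(found)))
```

On this report the audit yields nine rollbacks per dropped executable and none for DoNotAllowExceptions; the same parser works on the "System policy modification" entries, which are the EnableLUA writes seen again under a different signature.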
Enumerates connected drives  (3 TTPs, 15 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S:  f76894c.exe
  File opened (read-only)  \??\E:  f76a4f6.exe

UPX  (yara rule: upx, 25 IoCs)
  behavioral1/memory/1664-{14,15,16,17,18,19,20,21,22,23,59,60,61,62,63,65,67,81,83,85,86,106,152}-0x00000000005E0000-0x000000000169A000-memory.dmp  upx
  behavioral1/memory/2804-{168,207}-0x0000000000900000-0x00000000019BA000-memory.dmp  upx

Drops file in Windows directory  (3 IoCs)
  File created                C:\Windows\f7689b9     f76894c.exe
  File opened for modification  C:\Windows\SYSTEM.INI  f76894c.exe
  File created                C:\Windows\f76dc0d     f76a4f6.exe

System Location Discovery: System Language Discovery  (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76a4f6.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76894c.exe

Suspicious behavior: EnumeratesProcesses  (3 IoCs)
  PID 1664  f76894c.exe  (2 IoCs)
  PID 2804  f76a4f6.exe

Suspicious use of AdjustPrivilegeToken  (46 IoCs)
  Token: SeDebugPrivilege  PID 1664  f76894c.exe  (repeated)
  Token: SeDebugPrivilege  PID 2804  f76a4f6.exe  (repeated)

Suspicious use of WriteProcessMemory  (38 IoCs)
  writer PID (image)      -> target PID   count   procid_target
  2548 (rundll32.exe)     -> 2372         x7      30
  2372 (rundll32.exe)     -> 1664         x4      31
  1664 (f76894c.exe)      -> 1108         x2      19
  1664 (f76894c.exe)      -> 1168         x2      20
  1664 (f76894c.exe)      -> 1204         x2      21
  1664 (f76894c.exe)      -> 844          x2      23
  1664 (f76894c.exe)      -> 2548         x1      29
  1664 (f76894c.exe)      -> 2372         x2      30
  2372 (rundll32.exe)     -> 2852         x4      32
  2372 (rundll32.exe)     -> 2804         x4      33
  1664 (f76894c.exe)      -> 2852         x2      32
  1664 (f76894c.exe)      -> 2804         x2      33
  2804 (f76a4f6.exe)      -> 1108         x1      19
  2804 (f76a4f6.exe)      -> 1168         x1      20
  2804 (f76a4f6.exe)      -> 1204         x1      21
  2804 (f76a4f6.exe)      -> 844          x1      23
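The write pattern above is the most useful part of this report. The rundll32 chain writing into its own children (2548 -> 2372, 2372 -> 1664/2852/2804) shows up in these reports for every spawned child and carries little signal on its own. What matters is that f76894c.exe (PID 1664) and f76a4f6.exe (PID 2804) write into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, processes that were already running and are not their descendants, and that 1664 also writes back into both rundll32 instances. The script below is an added example, not part of the sandbox report: it parses the 38 entries in the report's own format and separates parent-to-child writes from writes into unrelated processes. The PID-to-image table and the parent/child map are constructed here from the process tree in the next section; a real pipeline would build both from process-creation events instead.

```python
"""Separate parent->child memory writes from writes into unrelated processes.

Added example, not part of the sandbox report. SAMPLE_WRITES holds the report's
38 'wrote to memory of' entries verbatim; NAMES and CHILDREN are constructed
from the report's process tree (a real pipeline would derive both from
process-creation events)."""
import re
from collections import Counter

SAMPLE_WRITES = """\
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2548 wrote to memory of 2372 2548 rundll32.exe 30
PID 2372 wrote to memory of 1664 2372 rundll32.exe 31
PID 2372 wrote to memory of 1664 2372 rundll32.exe 31
PID 2372 wrote to memory of 1664 2372 rundll32.exe 31
PID 2372 wrote to memory of 1664 2372 rundll32.exe 31
PID 1664 wrote to memory of 1108 1664 f76894c.exe 19
PID 1664 wrote to memory of 1168 1664 f76894c.exe 20
PID 1664 wrote to memory of 1204 1664 f76894c.exe 21
PID 1664 wrote to memory of 844 1664 f76894c.exe 23
PID 1664 wrote to memory of 2548 1664 f76894c.exe 29
PID 1664 wrote to memory of 2372 1664 f76894c.exe 30
PID 1664 wrote to memory of 2372 1664 f76894c.exe 30
PID 2372 wrote to memory of 2852 2372 rundll32.exe 32
PID 2372 wrote to memory of 2852 2372 rundll32.exe 32
PID 2372 wrote to memory of 2852 2372 rundll32.exe 32
PID 2372 wrote to memory of 2852 2372 rundll32.exe 32
PID 2372 wrote to memory of 2804 2372 rundll32.exe 33
PID 2372 wrote to memory of 2804 2372 rundll32.exe 33
PID 2372 wrote to memory of 2804 2372 rundll32.exe 33
PID 2372 wrote to memory of 2804 2372 rundll32.exe 33
PID 1664 wrote to memory of 1108 1664 f76894c.exe 19
PID 1664 wrote to memory of 1168 1664 f76894c.exe 20
PID 1664 wrote to memory of 1204 1664 f76894c.exe 21
PID 1664 wrote to memory of 844 1664 f76894c.exe 23
PID 1664 wrote to memory of 2852 1664 f76894c.exe 32
PID 1664 wrote to memory of 2852 1664 f76894c.exe 32
PID 1664 wrote to memory of 2804 1664 f76894c.exe 33
PID 1664 wrote to memory of 2804 1664 f76894c.exe 33
PID 2804 wrote to memory of 1108 2804 f76a4f6.exe 19
PID 2804 wrote to memory of 1168 2804 f76a4f6.exe 20
PID 2804 wrote to memory of 1204 2804 f76a4f6.exe 21
PID 2804 wrote to memory of 844 2804 f76a4f6.exe 23
"""

# PID -> image name, taken from the report's process tree (constructed here).
NAMES = {
    1108: "taskhost.exe", 1168: "Dwm.exe", 1204: "Explorer.EXE", 844: "DllHost.exe",
    2548: "rundll32.exe", 2372: "rundll32.exe", 1664: "f76894c.exe",
    2852: "f768cb5.exe", 2804: "f76a4f6.exe",
}
# Parent PID -> child PIDs, from the same tree (constructed here).
CHILDREN = {2548: {2372}, 2372: {1664, 2852, 2804}}

WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<src2>\d+) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_writes(lines):
    """Return (src_pid, dst_pid, src_image) per well-formed entry; skip anything else."""
    out = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m and m["src"] == m["src2"]:  # the PID is repeated in the report's format
            out.append((int(m["src"]), int(m["dst"]), m["image"]))
    return out


def classify(writes, children=CHILDREN):
    """Split writes into 'setup' (writer into its own child) and 'inject' (anything else).
    Each bucket maps (src_pid, dst_pid) -> number of writes."""
    setup, inject = Counter(), Counter()
    for src, dst, _ in writes:
        bucket = setup if dst in children.get(src, ()) else inject
        bucket[(src, dst)] += 1
    return setup, inject


def describe(inject, names=NAMES):
    """Readable 'writer -> victim' lines for the cross-process bucket."""
    return [
        f"{names.get(src, '?')} ({src}) -> {names.get(dst, '?')} ({dst}) x{n}"
        for (src, dst), n in sorted(inject.items())
    ]


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_WRITES.splitlines())
    setup, inject = classify(writes)
    print(f"{len(writes)} writes: {sum(setup.values())} parent->child, "
          f"{sum(inject.values())} into unrelated processes")
    for line in describe(inject):
        print(line)
```

The split is deliberately based on the process tree rather than on image names: a write from a dropped executable into Explorer.EXE is interesting because Explorer is not its child, not because of what Explorer is called, and the same rule catches 1664 writing back into its rundll32 ancestors.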
System policy modification  (1 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76894c.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  f76a4f6.exe
Processes
(depth in the tree shown in brackets, as given in the report)

[1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
    PID: 1108

[1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"
    PID: 1168

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1204

  [2] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b8045b7ce5aa354ac5e42de8a4545cc1de77f97cf6f31dbee57923a99bc1800.dll,#1
      PID: 2548
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b8045b7ce5aa354ac5e42de8a4545cc1de77f97cf6f31dbee57923a99bc1800.dll,#1
        PID: 2372
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\f76894c.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f76894c.exe
          PID: 1664
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

      [4] C:\Users\Admin\AppData\Local\Temp\f768cb5.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f768cb5.exe
          PID: 2852
          - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\Temp\f76a4f6.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\f76a4f6.exe
          PID: 2804
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

[1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 844

The sample is invoked through rundll32 with export ordinal #1 as the entry point. The system32 (64-bit) rundll32.exe, PID 2548, re-launches the SysWOW64 (32-bit) rundll32.exe, PID 2372, which is the normal hand-off when a 32-bit DLL is passed to the 64-bit loader; the three dropped executables are then started from the 32-bit instance.
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

  Filesize: 257B
  MD5: 72cde4de474793299f49015c5cca89ef
  SHA1: b8a8b64a5948bedf0b0351ef2ccd249971cb78aa
  SHA256: 0aa0b675f160d074f468e81cb82fd2ec50ce95ff7835b47a1b68e2b73fcc36bd
  SHA512: 215086a553ed8f112acbf3517b24ca11d1fb16178073d21b5ed434b6919403a94739e65061014a44af337a57e83c57ca8ee87556468154d4a272cd1592b09699

  Filesize: 97KB
  MD5: cae5434dbf9ef47714694ebbb163d2cd
  SHA1: 432133c988f215cbc52b340aa1c12a553f697be9
  SHA256: 04057201af09406f5e55f2ca85f25d8baebade20cc48d63d2b459d258b5148aa
  SHA512: 9bd4b567ca85e0b286a026685c568263e86a5791ea62d0a65d5d4b3fe6963530dbb2b11ec14857b1b8a328b23ca3582cca24e2187f93e332b26889bce7f5d2eb