Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2024 11:47

Static task: static1

Behavioral task: behavioral1
- Sample: 9b3b170bbb3f39d42d115b2fad701689f154cddb2e3657648d60001adc3e0e3a.dll
- Resource: win7-20240903-en
General
- Target: 9b3b170bbb3f39d42d115b2fad701689f154cddb2e3657648d60001adc3e0e3a.dll
- Size: 120KB
- MD5: 86aeb089a2395c21afa40275c472ab1f
- SHA1: 20ca0aeb17cebe9d7859420f48597255dd58c11f
- SHA256: 9b3b170bbb3f39d42d115b2fad701689f154cddb2e3657648d60001adc3e0e3a
- SHA512: 4d19dc140b0b4b07644586091a881e8c9d635c0b6f41d3d2966e63391efaf7b1731c8ddd7186216c8e5c9012871ef5644d7e2e510820880cca5cd749d472cdbc
- SSDEEP: 3072:tmF5Mklw0j5u0SOKfCbS0ucOGIPYS+hhN1hDnSqmQnbHRC:tm5l7be9EJLSqJbxC
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76be7f.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769f7a.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76be7f.exe
Executes dropped EXE 3 IoCs
pid | Process
316 | f769f7a.exe
2128 | f76a14e.exe
2720 | f76be7f.exe

Loads dropped DLL 6 IoCs
pid | Process
2908 | rundll32.exe (×6)
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76be7f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76be7f.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769f7a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76be7f.exe
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | f769f7a.exe
File opened (read-only) | \??\E: | f76be7f.exe
File opened (read-only) | \??\L: | f769f7a.exe
File opened (read-only) | \??\J: | f769f7a.exe
File opened (read-only) | \??\T: | f769f7a.exe
File opened (read-only) | \??\G: | f76be7f.exe
File opened (read-only) | \??\I: | f769f7a.exe
File opened (read-only) | \??\H: | f769f7a.exe
File opened (read-only) | \??\N: | f769f7a.exe
File opened (read-only) | \??\P: | f769f7a.exe
File opened (read-only) | \??\Q: | f769f7a.exe
File opened (read-only) | \??\R: | f769f7a.exe
File opened (read-only) | \??\G: | f769f7a.exe
File opened (read-only) | \??\K: | f769f7a.exe
File opened (read-only) | \??\M: | f769f7a.exe
File opened (read-only) | \??\O: | f769f7a.exe
File opened (read-only) | \??\H: | f76be7f.exe
File opened (read-only) | \??\E: | f769f7a.exe
Yara rule matches (upx)
resource | yara_rule
behavioral1/memory/316-14-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-19-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-22-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-23-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-21-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-20-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-17-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-16-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-18-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-64-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-24-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-65-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-66-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-67-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-69-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-70-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-71-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-72-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-76-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-88-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-90-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/316-153-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2720-166-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2720-211-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f769ff7 | f769f7a.exe
File opened for modification | C:\Windows\SYSTEM.INI | f769f7a.exe
File created | C:\Windows\f76f038 | f76be7f.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769f7a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76be7f.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
316 | f769f7a.exe
316 | f769f7a.exe
2720 | f76be7f.exe
Suspicious use of AdjustPrivilegeToken 43 IoCs
description | pid | Process
Token: SeDebugPrivilege | 316 | f769f7a.exe (×21)
Token: SeDebugPrivilege | 2720 | f76be7f.exe (×22)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2896 wrote to memory of 2908 | 2896 | rundll32.exe | 28 (×7)
PID 2908 wrote to memory of 316 | 2908 | rundll32.exe | 29 (×4)
PID 316 wrote to memory of 1116 | 316 | f769f7a.exe | 19
PID 316 wrote to memory of 1160 | 316 | f769f7a.exe | 20
PID 316 wrote to memory of 1196 | 316 | f769f7a.exe | 21
PID 316 wrote to memory of 1048 | 316 | f769f7a.exe | 23
PID 316 wrote to memory of 2896 | 316 | f769f7a.exe | 27
PID 316 wrote to memory of 2908 | 316 | f769f7a.exe | 28 (×2)
PID 2908 wrote to memory of 2128 | 2908 | rundll32.exe | 30 (×4)
PID 2908 wrote to memory of 2720 | 2908 | rundll32.exe | 31 (×4)
PID 316 wrote to memory of 1116 | 316 | f769f7a.exe | 19
PID 316 wrote to memory of 1160 | 316 | f769f7a.exe | 20
PID 316 wrote to memory of 1196 | 316 | f769f7a.exe | 21
PID 316 wrote to memory of 1048 | 316 | f769f7a.exe | 23
PID 316 wrote to memory of 2128 | 316 | f769f7a.exe | 30 (×2)
PID 316 wrote to memory of 2720 | 316 | f769f7a.exe | 31 (×2)
PID 2720 wrote to memory of 1116 | 2720 | f76be7f.exe | 19
PID 2720 wrote to memory of 1160 | 2720 | f76be7f.exe | 20
PID 2720 wrote to memory of 1196 | 2720 | f76be7f.exe | 21
PID 2720 wrote to memory of 1048 | 2720 | f76be7f.exe | 23
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76be7f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769f7a.exe
Processes
(each entry: image path | command line | PID; indentation follows the depth shown in the report)

- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1116
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1160
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1196
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b3b170bbb3f39d42d115b2fad701689f154cddb2e3657648d60001adc3e0e3a.dll,#1 | PID:2896
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b3b170bbb3f39d42d115b2fad701689f154cddb2e3657648d60001adc3e0e3a.dll,#1 | PID:2908
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f769f7a.exe | C:\Users\Admin\AppData\Local\Temp\f769f7a.exe | PID:316
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76a14e.exe | C:\Users\Admin\AppData\Local\Temp\f76a14e.exe | PID:2128
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f76be7f.exe | C:\Users\Admin\AppData\Local\Temp\f76be7f.exe | PID:2720
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1048
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 1019796fef13d28785514853deaf0925
  SHA1: a0144760ca790274d4d304532eadaf057721d11f
  SHA256: 175f1125eb1b7ade43a3b80e9e4072fd88a5c819db1162126cd5c62df811914c
  SHA512: d6b71273b2c2710418c2894e0f76c16415e659185a7623cae19b24e1505086bb70b7ba287b507e6905edfa0cbc0e65043be0765a5219706d2253e1b925adf7a2
- Filesize: 97KB
  MD5: 3737e71afb6f2bb2581baf33d0d1480b
  SHA1: 9f1e0831c229df901ef95e3f41fdc476eaca0152
  SHA256: cc9820428c01f5e3bed586e85727be81269a3a746f5fff7dd65882cc7f31ff81
  SHA512: b6098c3fa29f3965de2c25472a633779c035a9d65466c33d41c97bd000ad067d8252ce009e990d96505fed0729cbffb283da78def32b57e991ca5bdf533d6ba7