Analysis
max time kernel: 83s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 20:48
Static task: static1
Behavioral task: behavioral1
Sample: a9a1a9af1b236e2e254baca78f8bfb3883060b5ac50c35fa63cfa3a6c840ad1bN.dll
Resource: win7-20240903-en
General
Target: a9a1a9af1b236e2e254baca78f8bfb3883060b5ac50c35fa63cfa3a6c840ad1bN.dll
Size: 120KB
MD5: 9e5233f37a12ef01a5e6d5ce052ec3f0
SHA1: b0d053b7f1f9277799c0c37c766e097a004df713
SHA256: a9a1a9af1b236e2e254baca78f8bfb3883060b5ac50c35fa63cfa3a6c840ad1b
SHA512: 1325f5be443a5e40bd094e2aba7ec0741db072f31834cf045a893c8379d5db5ddf74df3c69d8cd35dab1a55f617f2e06b54e1fc0518a34640579585bfc8e7750
SSDEEP: 3072:CJ4TniKE35L+2AZJk+dUz8LTDBBWXSA9C2lW:CJun1i2Z0zqBBOSAfW
Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76db03.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76db03.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f863.exe
Executes dropped EXE (3 IoCs)
pid | Process
2128 | f76db03.exe
2568 | f76dc7a.exe
2584 | f76f863.exe
Loads dropped DLL (6 IoCs)
pid | Process
2024 | rundll32.exe (this same row is recorded 6 times)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76db03.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f863.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f863.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f863.exe
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76db03.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f863.exe -
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | f76db03.exe
File opened (read-only) | \??\J: | f76db03.exe
File opened (read-only) | \??\K: | f76db03.exe
File opened (read-only) | \??\M: | f76db03.exe
File opened (read-only) | \??\H: | f76db03.exe
File opened (read-only) | \??\O: | f76db03.exe
File opened (read-only) | \??\P: | f76db03.exe
File opened (read-only) | \??\Q: | f76db03.exe
File opened (read-only) | \??\N: | f76db03.exe
File opened (read-only) | \??\E: | f76f863.exe
File opened (read-only) | \??\L: | f76db03.exe
File opened (read-only) | \??\G: | f76db03.exe
File opened (read-only) | \??\G: | f76f863.exe
File opened (read-only) | \??\E: | f76db03.exe
resource | yara_rule
behavioral1/memory/2128-12-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-14-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-16-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-19-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-15-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-22-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-21-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-20-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-18-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-17-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-62-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-63-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-64-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-66-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-67-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-83-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-84-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-85-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-107-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-108-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2128-154-0x0000000000590000-0x000000000164A000-memory.dmp | upx
behavioral1/memory/2584-175-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2584-211-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76db71 | f76db03.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76db03.exe
File created | C:\Windows\f772b16 | f76f863.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76db03.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f863.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2128 | f76db03.exe
2128 | f76db03.exe
2584 | f76f863.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2128 | f76db03.exe (row repeated for each of the process's token adjustments)
Token: SeDebugPrivilege | 2584 | f76f863.exe (row repeated for each of the process's token adjustments)
All 46 rows record the same privilege, SeDebugPrivilege, adjusted by PID 2128 and PID 2584.
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 1648 wrote to memory of 2024 | 1648 | rundll32.exe | 31 (x7)
PID 2024 wrote to memory of 2128 | 2024 | rundll32.exe | 32 (x4)
PID 2128 wrote to memory of 1120 | 2128 | f76db03.exe | 19
PID 2128 wrote to memory of 1168 | 2128 | f76db03.exe | 20
PID 2128 wrote to memory of 1212 | 2128 | f76db03.exe | 21
PID 2128 wrote to memory of 1540 | 2128 | f76db03.exe | 23
PID 2128 wrote to memory of 1648 | 2128 | f76db03.exe | 30
PID 2128 wrote to memory of 2024 | 2128 | f76db03.exe | 31 (x2)
PID 2024 wrote to memory of 2568 | 2024 | rundll32.exe | 33 (x4)
PID 2024 wrote to memory of 2584 | 2024 | rundll32.exe | 34 (x4)
PID 2128 wrote to memory of 1120 | 2128 | f76db03.exe | 19
PID 2128 wrote to memory of 1168 | 2128 | f76db03.exe | 20
PID 2128 wrote to memory of 1212 | 2128 | f76db03.exe | 21
PID 2128 wrote to memory of 1540 | 2128 | f76db03.exe | 23
PID 2128 wrote to memory of 2568 | 2128 | f76db03.exe | 33 (x2)
PID 2128 wrote to memory of 2584 | 2128 | f76db03.exe | 34 (x2)
PID 2584 wrote to memory of 1120 | 2584 | f76f863.exe | 19
PID 2584 wrote to memory of 1168 | 2584 | f76f863.exe | 20
PID 2584 wrote to memory of 1212 | 2584 | f76f863.exe | 21
PID 2584 wrote to memory of 1540 | 2584 | f76f863.exe | 23
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76db03.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f863.exe
Processes
(entries are indented by their depth in the sandbox process tree)

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1120

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1168

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1212

  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9a1a9af1b236e2e254baca78f8bfb3883060b5ac50c35fa63cfa3a6c840ad1bN.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1648

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9a1a9af1b236e2e254baca78f8bfb3883060b5ac50c35fa63cfa3a6c840ad1bN.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2024

      C:\Users\Admin\AppData\Local\Temp\f76db03.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76db03.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2128

      C:\Users\Admin\AppData\Local\Temp\f76dc7a.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76dc7a.exe
        - Executes dropped EXE
        PID: 2568

      C:\Users\Admin\AppData\Local\Temp\f76f863.exe
        command line: C:\Users\Admin\AppData\Local\Temp\f76f863.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2584

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1540
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 256B
MD5: 175f6eebecfcafb93059d8fbd6c1dbdb
SHA1: 47ba070a064a044b599097f0aa985c7dc3b2a652
SHA256: 6ff89f6c9ea4b053f83d272e3554395360d03bd2483978f0e1ddaea9bd6c0ef3
SHA512: 61c3342f3ecd6b70d36d895c7552ea312f34991a78136835f75648c9253f547fb813a07e18bef5033fd2810e5b2fc9033f546715bba38ed6fb84db2ea590d73c

Filesize: 97KB
MD5: 8a4e5a37bff33a43045fdea57414f4b0
SHA1: 75e20d785cd0ad6ebd894b78ca9271a057cdb0b8
SHA256: c55039cf3b039a0ac771c658f1566c79e93cc3c74d4d6e9595da7a470ce6259d
SHA512: d243e196b0baffa7363add01139e90b45b30dd1e854c0349eaa25718c1dc28877f651e48f007335970583c60cfb1b23a50c6ddae9cbdc3b17687546fc7efe9ab