Analysis
max time kernel: 78s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2024 01:24
Static task: static1
Behavioral task: behavioral1
Sample: 3030d3dbae471dbdfee6e02fa9ec559b2e615fde156addd18ac335e5e7ada673N.dll
Resource: win7-20241010-en
General
Target: 3030d3dbae471dbdfee6e02fa9ec559b2e615fde156addd18ac335e5e7ada673N.dll
Size: 120KB
MD5: 001eff5d1d0581c76be5521fb1403fb0
SHA1: 69d0dfa0be880a50463d2ad74e8cf9a899a94793
SHA256: 3030d3dbae471dbdfee6e02fa9ec559b2e615fde156addd18ac335e5e7ada673
SHA512: 29811f9c65e6721607bd7b92914f5c7241e5b63819da964ad99515ad2aea60b2b813423bdf84740d4f4defd8cf7198e8c28ee72e96cc09a94ac1e50438fbe92a
SSDEEP: 3072:lh6NDIOl7m2m5nD095Gq7lB2Z8FFTBHUlH:l0I6m5nDk5JhB2qbTB0R
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f772f89.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772f89.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772f89.exe
Executes dropped EXE 3 IoCs
pid | Process
2792 | f772c4e.exe
2476 | f772f89.exe
2256 | f7746ef.exe
Loads dropped DLL 6 IoCs
pid | Process
2848 | rundll32.exe (6 identical entries)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772f89.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f772c4e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f772f89.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f772f89.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772f89.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O: | f772c4e.exe
File opened (read-only) | \??\P: | f772c4e.exe
File opened (read-only) | \??\S: | f772c4e.exe
File opened (read-only) | \??\G: | f772c4e.exe
File opened (read-only) | \??\Q: | f772c4e.exe
File opened (read-only) | \??\R: | f772c4e.exe
File opened (read-only) | \??\E: | f772c4e.exe
File opened (read-only) | \??\H: | f772c4e.exe
File opened (read-only) | \??\J: | f772c4e.exe
File opened (read-only) | \??\L: | f772c4e.exe
File opened (read-only) | \??\M: | f772c4e.exe
File opened (read-only) | \??\N: | f772c4e.exe
File opened (read-only) | \??\I: | f772c4e.exe
File opened (read-only) | \??\K: | f772c4e.exe
resource | yara_rule
behavioral1/memory/2792-*-0x00000000005E0000-0x000000000169A000-memory.dmp (23 dumps of the same region) | upx
behavioral1/memory/2476-*-0x0000000000A00000-0x0000000001ABA000-memory.dmp (2 dumps of the same region) | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f772d19 | f772c4e.exe
File opened for modification | C:\Windows\SYSTEM.INI | f772c4e.exe
File created | C:\Windows\f777db8 | f772f89.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f772c4e.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2792 | f772c4e.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2792 | f772c4e.exe (23 identical entries)
Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target
PID 2872 wrote to memory of 2848 | 2872 | rundll32.exe | 30 (7 entries)
PID 2848 wrote to memory of 2792 | 2848 | rundll32.exe | 31 (4 entries)
PID 2792 wrote to memory of 1220 | 2792 | f772c4e.exe | 19
PID 2792 wrote to memory of 1308 | 2792 | f772c4e.exe | 20
PID 2792 wrote to memory of 1352 | 2792 | f772c4e.exe | 21
PID 2792 wrote to memory of 796 | 2792 | f772c4e.exe | 25
PID 2792 wrote to memory of 2872 | 2792 | f772c4e.exe | 29
PID 2792 wrote to memory of 2848 | 2792 | f772c4e.exe | 30 (2 entries)
PID 2848 wrote to memory of 2476 | 2848 | rundll32.exe | 32 (4 entries)
PID 2848 wrote to memory of 2256 | 2848 | rundll32.exe | 33 (4 entries)
PID 2792 wrote to memory of 1220 | 2792 | f772c4e.exe | 19
PID 2792 wrote to memory of 1308 | 2792 | f772c4e.exe | 20
PID 2792 wrote to memory of 1352 | 2792 | f772c4e.exe | 21
PID 2792 wrote to memory of 796 | 2792 | f772c4e.exe | 25
PID 2792 wrote to memory of 2476 | 2792 | f772c4e.exe | 32 (2 entries)
PID 2792 wrote to memory of 2256 | 2792 | f772c4e.exe | 33 (2 entries)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772c4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f772f89.exe
Processes
- C:\Windows\system32\taskhost.exe (cmdline: "taskhost.exe") PID:1220
- C:\Windows\system32\Dwm.exe (cmdline: "C:\Windows\system32\Dwm.exe") PID:1308
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE) PID:1352
- C:\Windows\system32\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3030d3dbae471dbdfee6e02fa9ec559b2e615fde156addd18ac335e5e7ada673N.dll,#1) PID:2872
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3030d3dbae471dbdfee6e02fa9ec559b2e615fde156addd18ac335e5e7ada673N.dll,#1) PID:2848
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f772c4e.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f772c4e.exe) PID:2792
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f772f89.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f772f89.exe) PID:2476
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f7746ef.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f7746ef.exe) PID:2256
      - Executes dropped EXE
- C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:796
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 1b8343c1b916e5155f29bbb55202f579
  SHA1: 913f9e56e275a643f478d7477dfe32f15cb86569
  SHA256: fc3b399baae220b148a4962a5d45c5f27532c7dfd719c89b12aa31276e5a8cbc
  SHA512: d4977783d98ba75c2690a4e5df96791c360ca0dd1654a3ff59fd6b70f5f74784ce07159401bb2ea8a2140ac3efd897374d130a30368ff7146b67ef106509d959
- Filesize: 97KB
  MD5: 01b55ebd2ce45479eba349f0f2b4203d
  SHA1: f514126325ef4f15bd635f5bfb30ef3caa084d28
  SHA256: b042b98e39d96b9de3999e5ca0470c034a563f0970b2f9d80913bbf0dff3c2e7
  SHA512: 251e6853e38159a401c5ad350e0d24d1d014c26552b4b388834643e7bc9b0b42622738c27545b9c844d156fd4ed8e7aaa262a536f67ea0f6c09209f3ad94ceec