Analysis
max time kernel: 27s
max time network: 22s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2024 06:29
Static task: static1
Behavioral task: behavioral1
Sample: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll
Resource: win7-20241010-en
General
Target: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll
Size: 120KB
MD5: 6d58ebb855a53c7d49ae3f9e82de0980
SHA1: 6eba10167620bd6d7d5c4a602e898f7c0ac0ec34
SHA256: f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8
SHA512: 03657beb2ffb8b3db6459c8f8a30539460288cc48d1885e0ad9ab146b93890fec6beea0718d7f1cdd983fa8ae884b09fbb3e657d141b3559d3a3cf8789d132e6
SSDEEP: 3072:SeGoxa5LYHBZ5rZJDFiPyjx4toccPRFLBUxlBc6Q:EwiczBZGPyjxCoVNilT
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77debb.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77e39b.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77e39b.exe
Executes dropped EXE (3 IoCs)
pid | Process
2240 | f77debb.exe
2812 | f77e39b.exe
592 | f77f96c.exe
Loads dropped DLL (6 IoCs)
pid | Process
2936 | rundll32.exe
2936 | rundll32.exe
2936 | rundll32.exe
2936 | rundll32.exe
2936 | rundll32.exe
2936 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77debb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77e39b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77e39b.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77e39b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77debb.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | f77debb.exe
File opened (read-only) | \??\J: | f77debb.exe
File opened (read-only) | \??\O: | f77debb.exe
File opened (read-only) | \??\P: | f77debb.exe
File opened (read-only) | \??\N: | f77debb.exe
File opened (read-only) | \??\Q: | f77debb.exe
File opened (read-only) | \??\E: | f77debb.exe
File opened (read-only) | \??\H: | f77debb.exe
File opened (read-only) | \??\I: | f77debb.exe
File opened (read-only) | \??\K: | f77debb.exe
File opened (read-only) | \??\L: | f77debb.exe
File opened (read-only) | \??\M: | f77debb.exe
File opened (read-only) | \??\R: | f77debb.exe
resource | yara_rule
behavioral1/memory/2240-14-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-17-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-16-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-19-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-23-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-20-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-22-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-21-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-24-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-18-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-63-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-64-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-65-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-67-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-66-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-69-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-82-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-83-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-84-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-87-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-88-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2240-151-0x0000000000660000-0x000000000171A000-memory.dmp | upx
behavioral1/memory/2812-174-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
behavioral1/memory/2812-188-0x0000000000930000-0x00000000019EA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f77debb.exe
File created | C:\Windows\f783ade | f77e39b.exe
File created | C:\Windows\f77dfb5 | f77debb.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77debb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77e39b.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2240 | f77debb.exe
2240 | f77debb.exe
2812 | f77e39b.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2240 | f77debb.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Token: SeDebugPrivilege | 2812 | f77e39b.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2592 wrote to memory of 2936 | 2592 | rundll32.exe | 30
PID 2936 wrote to memory of 2240 | 2936 | rundll32.exe | 31
PID 2936 wrote to memory of 2240 | 2936 | rundll32.exe | 31
PID 2936 wrote to memory of 2240 | 2936 | rundll32.exe | 31
PID 2936 wrote to memory of 2240 | 2936 | rundll32.exe | 31
PID 2240 wrote to memory of 1252 | 2240 | f77debb.exe | 19
PID 2240 wrote to memory of 1348 | 2240 | f77debb.exe | 20
PID 2240 wrote to memory of 1412 | 2240 | f77debb.exe | 21
PID 2240 wrote to memory of 1264 | 2240 | f77debb.exe | 23
PID 2240 wrote to memory of 2592 | 2240 | f77debb.exe | 29
PID 2240 wrote to memory of 2936 | 2240 | f77debb.exe | 30
PID 2240 wrote to memory of 2936 | 2240 | f77debb.exe | 30
PID 2936 wrote to memory of 2812 | 2936 | rundll32.exe | 32
PID 2936 wrote to memory of 2812 | 2936 | rundll32.exe | 32
PID 2936 wrote to memory of 2812 | 2936 | rundll32.exe | 32
PID 2936 wrote to memory of 2812 | 2936 | rundll32.exe | 32
PID 2936 wrote to memory of 592 | 2936 | rundll32.exe | 33
PID 2936 wrote to memory of 592 | 2936 | rundll32.exe | 33
PID 2936 wrote to memory of 592 | 2936 | rundll32.exe | 33
PID 2936 wrote to memory of 592 | 2936 | rundll32.exe | 33
PID 2240 wrote to memory of 1252 | 2240 | f77debb.exe | 19
PID 2240 wrote to memory of 1348 | 2240 | f77debb.exe | 20
PID 2240 wrote to memory of 1412 | 2240 | f77debb.exe | 21
PID 2240 wrote to memory of 1264 | 2240 | f77debb.exe | 23
PID 2240 wrote to memory of 2812 | 2240 | f77debb.exe | 32
PID 2240 wrote to memory of 2812 | 2240 | f77debb.exe | 32
PID 2240 wrote to memory of 592 | 2240 | f77debb.exe | 33
PID 2240 wrote to memory of 592 | 2240 | f77debb.exe | 33
PID 2812 wrote to memory of 1252 | 2812 | f77e39b.exe | 19
PID 2812 wrote to memory of 1348 | 2812 | f77e39b.exe | 20
PID 2812 wrote to memory of 1412 | 2812 | f77e39b.exe | 21
PID 2812 wrote to memory of 1264 | 2812 | f77e39b.exe | 23
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77debb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77e39b.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth: 1, PID: 1252
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth: 1, PID: 1348
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 1412
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll,#1
  Depth: 2, PID: 2592
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9c50599458b626164810b55d7e9486c3bee67e201f73d71d364d0c36f5475c8N.dll,#1
    Depth: 3, PID: 2936
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\f77debb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f77debb.exe
      Depth: 4, PID: 2240
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f77e39b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f77e39b.exe
      Depth: 4, PID: 2812
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f77f96c.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f77f96c.exe
      Depth: 4, PID: 592
      Signatures:
      - Executes dropped EXE
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1, PID: 1264
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 256B
  MD5: 78ca3f99fda5a9996ae49633f472a607
  SHA1: 454f0a94146e4a8cd137bcda13e71bbb011a2fc1
  SHA256: a5f9a0eaf84dc85a3c5f6b01fd8785383a43790ce24947de5ae44c045ff48939
  SHA512: 0e56c2c62d7d0df12c950e8ef0ce8eb7040bf13bb90b43dd48b6c1469643756194a0dfb5fb85ffdf1b01c6eb3c5fbd38b9c67ad0d9db5dbe09283e9c6e8a4a5e
- Filesize: 97KB
  MD5: b6a4b388c9a8f52c28529ed945b4e3e1
  SHA1: 3527c992772ba444151a0db925bd4a7cfe557123
  SHA256: b70b13a58f73a5c3a4dc8ea762ec9067c25de448926aa8699ab16d52086b7e01
  SHA512: a378a36c0e2f8957f04fdf925173833e61d68155ff660dc4ec1399c25384935fb637ce38417916952647a67a0ef405fa7b39c4f8fc50b95a8f50b4fc6d0cfdd4