Analysis

max time kernel: 31s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 22-12-2024 04:12
Static task: static1
Behavioral task: behavioral1
Sample: 2e2b9fb582617033ebd83df1855077328dfd21d68b47d8b3ec4931a5bf9c71a0.dll
Resource: win7-20240729-en

General

Target: 2e2b9fb582617033ebd83df1855077328dfd21d68b47d8b3ec4931a5bf9c71a0.dll
Size: 120KB
MD5: cd958efa21adbf8562161ab4b551a116
SHA1: 94a2eb6970d718c985eb1d2a202ea8db4f380c0d
SHA256: 2e2b9fb582617033ebd83df1855077328dfd21d68b47d8b3ec4931a5bf9c71a0
SHA512: 7c59f861b00815bb90aabc4204bde0c6d92c4e2ead0b7412fb1218f5c3df8e27a42470230fabb10937bd549ddde7f233b66a2deb42055bfe0f91974f9531a923
SSDEEP: 3072:9VIgjMrGSI6KVTRyTSML/dGyQfC4g/Abm:gbGSjKVTRySMLJQf1gwm
Malware Config

Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f77dd45.exe
Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77dd45.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77b52c.exe
Executes dropped EXE 3 IoCs
pid | Process
2512 | f77b52c.exe
2860 | f77b6b2.exe
1896 | f77dd45.exe

Loads dropped DLL 6 IoCs
pid | Process
2776 | rundll32.exe (6 identical entries)

Windows security modification 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f77dd45.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f77dd45.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f77dd45.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77dd45.exe
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | f77b52c.exe
File opened (read-only) | \??\P: | f77b52c.exe
File opened (read-only) | \??\R: | f77b52c.exe
File opened (read-only) | \??\S: | f77b52c.exe
File opened (read-only) | \??\H: | f77dd45.exe
File opened (read-only) | \??\I: | f77dd45.exe
File opened (read-only) | \??\E: | f77b52c.exe
File opened (read-only) | \??\K: | f77b52c.exe
File opened (read-only) | \??\L: | f77b52c.exe
File opened (read-only) | \??\G: | f77b52c.exe
File opened (read-only) | \??\O: | f77b52c.exe
File opened (read-only) | \??\T: | f77b52c.exe
File opened (read-only) | \??\G: | f77dd45.exe
File opened (read-only) | \??\J: | f77b52c.exe
File opened (read-only) | \??\I: | f77b52c.exe
File opened (read-only) | \??\M: | f77b52c.exe
File opened (read-only) | \??\Q: | f77b52c.exe
File opened (read-only) | \??\E: | f77dd45.exe
File opened (read-only) | \??\J: | f77dd45.exe
File opened (read-only) | \??\H: | f77b52c.exe

UPX packed file 25 IoCs
resource | yara_rule
behavioral1/memory/2512-11-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-15-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-18-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-20-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-16-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-14-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-13-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-19-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-17-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-21-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-58-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-60-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-59-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-61-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-63-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-64-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-65-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-66-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-67-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-69-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-71-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-104-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/2512-146-0x00000000005B0000-0x000000000166A000-memory.dmp | upx
behavioral1/memory/1896-163-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/1896-208-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f77b57a | f77b52c.exe
File opened for modification | C:\Windows\SYSTEM.INI | f77b52c.exe
File created | C:\Windows\f7804b2 | f77dd45.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77b52c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f77dd45.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2512 | f77b52c.exe
2512 | f77b52c.exe
1896 | f77dd45.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2512 | f77b52c.exe (multiple identical entries)
Token: SeDebugPrivilege | 1896 | f77dd45.exe (multiple identical entries)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 1520 wrote to memory of 2776 | 1520 | rundll32.exe | 30
PID 2776 wrote to memory of 2512 | 2776 | rundll32.exe | 31
PID 2776 wrote to memory of 2512 | 2776 | rundll32.exe | 31
PID 2776 wrote to memory of 2512 | 2776 | rundll32.exe | 31
PID 2776 wrote to memory of 2512 | 2776 | rundll32.exe | 31
PID 2512 wrote to memory of 1152 | 2512 | f77b52c.exe | 19
PID 2512 wrote to memory of 1232 | 2512 | f77b52c.exe | 20
PID 2512 wrote to memory of 1284 | 2512 | f77b52c.exe | 21
PID 2512 wrote to memory of 1704 | 2512 | f77b52c.exe | 25
PID 2512 wrote to memory of 1520 | 2512 | f77b52c.exe | 29
PID 2512 wrote to memory of 2776 | 2512 | f77b52c.exe | 30
PID 2512 wrote to memory of 2776 | 2512 | f77b52c.exe | 30
PID 2776 wrote to memory of 2860 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2860 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2860 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 2860 | 2776 | rundll32.exe | 32
PID 2776 wrote to memory of 1896 | 2776 | rundll32.exe | 33
PID 2776 wrote to memory of 1896 | 2776 | rundll32.exe | 33
PID 2776 wrote to memory of 1896 | 2776 | rundll32.exe | 33
PID 2776 wrote to memory of 1896 | 2776 | rundll32.exe | 33
PID 2512 wrote to memory of 1152 | 2512 | f77b52c.exe | 19
PID 2512 wrote to memory of 1232 | 2512 | f77b52c.exe | 20
PID 2512 wrote to memory of 1284 | 2512 | f77b52c.exe | 21
PID 2512 wrote to memory of 1704 | 2512 | f77b52c.exe | 25
PID 2512 wrote to memory of 2860 | 2512 | f77b52c.exe | 32
PID 2512 wrote to memory of 2860 | 2512 | f77b52c.exe | 32
PID 2512 wrote to memory of 1896 | 2512 | f77b52c.exe | 33
PID 2512 wrote to memory of 1896 | 2512 | f77b52c.exe | 33
PID 1896 wrote to memory of 1152 | 1896 | f77dd45.exe | 19
PID 1896 wrote to memory of 1232 | 1896 | f77dd45.exe | 20
PID 1896 wrote to memory of 1284 | 1896 | f77dd45.exe | 21
PID 1896 wrote to memory of 1704 | 1896 | f77dd45.exe | 25

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77b52c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f77dd45.exe
Processes

Indentation shows the process tree depth; each entry lists the image path, the command line, any signatures triggered by that process, and its PID.

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID:1152

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID:1232

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:1284

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e2b9fb582617033ebd83df1855077328dfd21d68b47d8b3ec4931a5bf9c71a0.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:1520

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e2b9fb582617033ebd83df1855077328dfd21d68b47d8b3ec4931a5bf9c71a0.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2776

      C:\Users\Admin\AppData\Local\Temp\f77b52c.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f77b52c.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2512

      C:\Users\Admin\AppData\Local\Temp\f77b6b2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f77b6b2.exe
        - Executes dropped EXE
        PID:2860

      C:\Users\Admin\AppData\Local\Temp\f77dd45.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f77dd45.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:1896

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1704
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: c1e620b9f9e2f2db8345d9e973d77f2d
SHA1: 7d7f3dd6fe1ed4d1e86b623b80f5eb86a69c8218
SHA256: 9f628c08dc8f70e958f97d492ea785c35d0bbd00efa95e538ecc4719b19c4a65
SHA512: bae30c07f4806552d89d8f12f787190260777985862648ba0cb1b3d8640d9ad68e95dbce578c674c419b9fff60fa59937d6cac80721c56cdc2264b03ba1a3740

Filesize: 97KB
MD5: e922875a2cb0e46f1c3aac48609172e1
SHA1: a7cc6668fea5513093971433b6f035989cbe0a76
SHA256: 7bebec8a5b011ce2d0a11365e3fb36dfb484b1ff0d507d9add9ba39a0f5d977e
SHA512: 0a7cddd0106a2efa0f7276e96f3160532f2b04bba4d133557d42f0d26e93fa9b076bb7a6b5477ef535c6ca1f28b535a06c370591ec1ed44d59dacbc10d6616c3