Analysis
  max time kernel: 118s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 22-12-2024 05:48
  Static task: static1
  Behavioral task: behavioral1
    Sample: a0aad044624bd7fcf04b980d56e3a760ed5c40def10270eb383bc07899b93230N.dll
    Resource: win7-20240903-en
General
  Target: a0aad044624bd7fcf04b980d56e3a760ed5c40def10270eb383bc07899b93230N.dll
  Size: 120KB
  MD5: ba84d20d3ae1aaee8c0056175c687c60
  SHA1: 97cce977ec0fb7ea6d371a0b2626587d53a3d76f
  SHA256: a0aad044624bd7fcf04b980d56e3a760ed5c40def10270eb383bc07899b93230
  SHA512: f137c329749cf60ee93258c944fd54055b847123e6787f829566e5ae14e46adc9fa581d9fc5f7c3929f5f7ddb11578ed7a73ab5afa95884c479289352185bc8c
  SSDEEP: 1536:ZIdrNcPnh0c23d7KLzLuvU9nGCfcP5t7rP+LqxhEA6tddQ0aocWsDpO0wdCSG/ub:ZIxN+h0lNRvkmP7DEI8Q0JVi9zE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76558f.exe

Sality family

UAC bypass 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767159.exe

Windows security bypass 12 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76558f.exe
Executes dropped EXE 3 IoCs
  pid | Process
  2912 | f76558f.exe
  2784 | f765715.exe
  2524 | f767159.exe

Loads dropped DLL 6 IoCs
  pid | Process
  2416 | rundll32.exe (6 identical rows)

Windows security modification 14 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76558f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f767159.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f767159.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f767159.exe

Checks whether UAC is enabled 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767159.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\R: | f76558f.exe
  File opened (read-only) | \??\H: | f76558f.exe
  File opened (read-only) | \??\K: | f76558f.exe
  File opened (read-only) | \??\Q: | f76558f.exe
  File opened (read-only) | \??\M: | f76558f.exe
  File opened (read-only) | \??\T: | f76558f.exe
  File opened (read-only) | \??\E: | f767159.exe
  File opened (read-only) | \??\P: | f76558f.exe
  File opened (read-only) | \??\S: | f76558f.exe
  File opened (read-only) | \??\E: | f76558f.exe
  File opened (read-only) | \??\G: | f76558f.exe
  File opened (read-only) | \??\J: | f76558f.exe
  File opened (read-only) | \??\O: | f76558f.exe
  File opened (read-only) | \??\G: | f767159.exe
  File opened (read-only) | \??\I: | f76558f.exe
  File opened (read-only) | \??\L: | f76558f.exe
  File opened (read-only) | \??\N: | f76558f.exe

UPX packed file 25 IoCs
  resource | yara_rule
  behavioral1/memory/2912-13-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-18-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-15-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-17-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-23-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-20-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-22-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-21-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-19-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-16-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-60-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-61-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-62-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-64-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-63-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-66-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-67-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-83-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-85-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-87-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-110-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-111-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2912-153-0x0000000000520000-0x00000000015DA000-memory.dmp | upx
  behavioral1/memory/2524-163-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
  behavioral1/memory/2524-210-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File created | C:\Windows\f7655fc | f76558f.exe
  File opened for modification | C:\Windows\SYSTEM.INI | f76558f.exe
  File created | C:\Windows\f76a5ff | f767159.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76558f.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f767159.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid | Process
  2912 | f76558f.exe (2 identical rows)
  2524 | f767159.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2912 | f76558f.exe (21 identical rows)
  Token: SeDebugPrivilege | 2524 | f767159.exe (20 identical rows)

Suspicious use of WriteProcessMemory 38 IoCs
  description | pid | Process | procid_target
  PID 1852 wrote to memory of 2416 | 1852 | rundll32.exe | 28 (7 identical rows)
  PID 2416 wrote to memory of 2912 | 2416 | rundll32.exe | 29 (4 identical rows)
  PID 2912 wrote to memory of 1120 | 2912 | f76558f.exe | 19
  PID 2912 wrote to memory of 1164 | 2912 | f76558f.exe | 20
  PID 2912 wrote to memory of 1200 | 2912 | f76558f.exe | 21
  PID 2912 wrote to memory of 1624 | 2912 | f76558f.exe | 23
  PID 2912 wrote to memory of 1852 | 2912 | f76558f.exe | 27
  PID 2912 wrote to memory of 2416 | 2912 | f76558f.exe | 28 (2 identical rows)
  PID 2416 wrote to memory of 2784 | 2416 | rundll32.exe | 30 (4 identical rows)
  PID 2416 wrote to memory of 2524 | 2416 | rundll32.exe | 31 (4 identical rows)
  PID 2912 wrote to memory of 1120 | 2912 | f76558f.exe | 19
  PID 2912 wrote to memory of 1164 | 2912 | f76558f.exe | 20
  PID 2912 wrote to memory of 1200 | 2912 | f76558f.exe | 21
  PID 2912 wrote to memory of 1624 | 2912 | f76558f.exe | 23
  PID 2912 wrote to memory of 2784 | 2912 | f76558f.exe | 30 (2 identical rows)
  PID 2912 wrote to memory of 2524 | 2912 | f76558f.exe | 31 (2 identical rows)
  PID 2524 wrote to memory of 1120 | 2524 | f767159.exe | 19
  PID 2524 wrote to memory of 1164 | 2524 | f767159.exe | 20
  PID 2524 wrote to memory of 1200 | 2524 | f767159.exe | 21
  PID 2524 wrote to memory of 1624 | 2524 | f767159.exe | 23

System policy modification 1 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76558f.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f767159.exe
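The registry rows in the signatures above (firewall policy under SharedAccess\Parameters\FirewallPolicy, EnableLUA under Policies\System, and the Security Center Override/DisableNotify values) together with the drive-root opens are the telemetry a detection engineer turns into rules. The Python below is an added example, not part of this report or of the sample: it parses rows in the report's "description ioc Process" layout (a constructed subset copied from the tables above, plus one benign control row for svchost.exe that sets EnableFirewall back to "1"), maps each impairing value to the ATT&CK sub-technique named in the report's MITRE summary, and flags a process that opens several drive roots in one run. The rule table, the technique IDs attached to the report's technique names, the threshold of three drive letters, and the svchost.exe control row are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's "description ioc Process" layout.
# Key paths, values and process names are copied from the report; the
# selection and order are ours, and the final svchost.exe row is a benign
# control that must not fire.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76558f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76558f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f767159.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76558f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f767159.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f767159.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76558f.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76558f.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76558f.exe',
    r'File opened (read-only) \??\E: f76558f.exe',
    r'File opened (read-only) \??\G: f76558f.exe',
    r'File opened (read-only) \??\H: f76558f.exe',
    r'File opened (read-only) \??\R: f76558f.exe',
    r'File opened (read-only) \??\E: f767159.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
DRIVE_RE = re.compile(r'^File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)$')

# Impairment rules (assumed mapping): key-path pattern, the value that
# disables the control, and the ATT&CK sub-technique from the report's summary.
RULES = [
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\EnableFirewall$', re.I), "0",
     "T1562.004 Disable or Modify System Firewall"),
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$', re.I), "0",
     "T1562.004 Disable or Modify System Firewall"),
    (re.compile(r'\\FirewallPolicy\\\w+Profile\\DisableNotifications$', re.I), "1",
     "T1562.004 Disable or Modify System Firewall"),
    (re.compile(r'\\Policies\\System\\EnableLUA$', re.I), "0",
     "T1548.002 Bypass User Account Control"),
    (re.compile(r'\\Security Center\\\w+(?:Override|DisableNotify)$', re.I), "1",
     "T1562.001 Disable or Modify Tools"),
]


def parse_row(row):
    """Turn one report row into a dict, or None if the layout is not one we handle."""
    m = SET_RE.match(row)
    if m:
        return {"kind": "set", "type": m.group(1), "key": m.group(2),
                "value": m.group(3), "process": m.group(4)}
    m = DRIVE_RE.match(row)
    if m:
        return {"kind": "drive", "letter": m.group(1), "process": m.group(2)}
    return None


def classify_registry(key, value):
    """Return the technique a registry write maps to, or None if it is not an impairment."""
    for pattern, bad_value, technique in RULES:
        if pattern.search(key) and value == bad_value:
            return technique
    return None


def analyse(rows, drive_threshold=3):
    """Per-process impairment techniques and drive-root sweeps; also returns unparsed rows."""
    per_proc = defaultdict(lambda: {"techniques": set(), "drives": set()})
    unmatched = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            unmatched.append(row)
            continue
        entry = per_proc[ev["process"]]
        if ev["kind"] == "set":
            technique = classify_registry(ev["key"], ev["value"])
            if technique:
                entry["techniques"].add(technique)
        else:
            entry["drives"].add(ev["letter"])
    report = {}
    for proc, entry in per_proc.items():
        report[proc] = {
            "techniques": sorted(entry["techniques"]),
            "drives": sorted(entry["drives"]),
            # Touching several drive roots in one run is a sweep for volumes
            # to infect; the threshold of three letters is an assumption.
            "drive_sweep": len(entry["drives"]) >= drive_threshold,
        }
    return report, unmatched


if __name__ == "__main__":
    summary, leftover = analyse(SAMPLE_ROWS)
    for proc, info in summary.items():
        print(proc, info)
    print("unparsed rows:", len(leftover))
```

Matching on the value as well as the key path is what keeps the control row quiet: a hardening script that writes EnableFirewall = "1" touches the same key as the sample but does not impair anything. The "Key created" row under Security Center is deliberately left unparsed so the caller can see what the rules did not cover.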
Processes
  C:\Windows\system32\taskhost.exe [depth 1]
    command line: "taskhost.exe"
    PID: 1120

  C:\Windows\system32\Dwm.exe [depth 1]
    command line: "C:\Windows\system32\Dwm.exe"
    PID: 1164

  C:\Windows\Explorer.EXE [depth 1]
    command line: C:\Windows\Explorer.EXE
    PID: 1200

    C:\Windows\system32\rundll32.exe [depth 2]
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0aad044624bd7fcf04b980d56e3a760ed5c40def10270eb383bc07899b93230N.dll,#1
      PID: 1852
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe [depth 3]
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0aad044624bd7fcf04b980d56e3a760ed5c40def10270eb383bc07899b93230N.dll,#1
        PID: 2416
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f76558f.exe [depth 4]
          command line: C:\Users\Admin\AppData\Local\Temp\f76558f.exe
          PID: 2912
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Users\Admin\AppData\Local\Temp\f765715.exe [depth 4]
          command line: C:\Users\Admin\AppData\Local\Temp\f765715.exe
          PID: 2784
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\f767159.exe [depth 4]
          command line: C:\Users\Admin\AppData\Local\Temp\f767159.exe
          PID: 2524
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

  C:\Windows\system32\DllHost.exe [depth 1]
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1624
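Read together, the process tree and the WriteProcessMemory rows separate two very different things: a parent writing into a child it has just created (rundll32.exe 1852 into 2416, and 2416 into the three dropped executables) and the dropped executables writing into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and each other, which no parent-child relationship explains. The Python below is an added example, not part of this report: it rebuilds the tree from the PIDs shown, parses a constructed, deduplicated copy of the WriteProcessMemory rows, and splits the edges into expected parent-to-child writes and cross-process injection. The parent links are read from the tree's nesting, and the heuristic that a write whose target is not the writer's direct child counts as injection is an assumption of the example.

```python
import re
from collections import defaultdict

# Process list and parent links, copied from the report's Processes section.
# The report shows no parent for rundll32.exe 1852, so it is a root here.
PROCESSES = {
    1120: "taskhost.exe",
    1164: "Dwm.exe",
    1200: "Explorer.EXE",
    1624: "DllHost.exe",
    1852: "rundll32.exe",
    2416: "rundll32.exe",
    2912: "f76558f.exe",
    2784: "f765715.exe",
    2524: "f767159.exe",
}
PARENT = {2416: 1852, 2912: 2416, 2784: 2416, 2524: 2416}

# Constructed copy of the report's WriteProcessMemory rows with repeats removed;
# the trailing number is the sandbox's own target id, kept for faithful parsing.
WPM_ROWS = [
    "PID 1852 wrote to memory of 2416 1852 rundll32.exe 28",
    "PID 2416 wrote to memory of 2912 2416 rundll32.exe 29",
    "PID 2912 wrote to memory of 1120 2912 f76558f.exe 19",
    "PID 2912 wrote to memory of 1164 2912 f76558f.exe 20",
    "PID 2912 wrote to memory of 1200 2912 f76558f.exe 21",
    "PID 2912 wrote to memory of 1624 2912 f76558f.exe 23",
    "PID 2912 wrote to memory of 1852 2912 f76558f.exe 27",
    "PID 2912 wrote to memory of 2416 2912 f76558f.exe 28",
    "PID 2416 wrote to memory of 2784 2416 rundll32.exe 30",
    "PID 2416 wrote to memory of 2524 2416 rundll32.exe 31",
    "PID 2912 wrote to memory of 2784 2912 f76558f.exe 30",
    "PID 2912 wrote to memory of 2524 2912 f76558f.exe 31",
    "PID 2524 wrote to memory of 1120 2524 f767159.exe 19",
    "PID 2524 wrote to memory of 1164 2524 f767159.exe 20",
    "PID 2524 wrote to memory of 1200 2524 f767159.exe 21",
    "PID 2524 wrote to memory of 1624 2524 f767159.exe 23",
]

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$')


def parse_wpm(row):
    """Parse one WriteProcessMemory row into (writer_pid, target_pid)."""
    m = WPM_RE.match(row)
    # The description's PID and the pid column must agree, or the row is malformed.
    if not m or m.group(1) != m.group(3):
        raise ValueError("unexpected row layout: " + row)
    return int(m.group(1)), int(m.group(2))


def classify_writes(rows, parent):
    """Split edges into parent->child writes and cross-process injection."""
    expected, injected = set(), set()
    for row in rows:
        writer, target = parse_wpm(row)
        # A parent writing into the child it just spawned is ordinary start-up;
        # anything else is one process reaching into another's address space.
        (expected if parent.get(target) == writer else injected).add((writer, target))
    return sorted(expected), sorted(injected)


def injection_summary(rows, processes, parent):
    """Per-writer sorted list of injected targets, named as 'image (pid)'."""
    _, injected = classify_writes(rows, parent)
    out = defaultdict(list)
    for writer, target in injected:
        out[f"{processes[writer]} ({writer})"].append(f"{processes[target]} ({target})")
    return {writer: sorted(targets) for writer, targets in out.items()}


def render_tree(processes, parent):
    """Indented process tree, two spaces per level, children sorted by PID."""
    children = defaultdict(list)
    for pid in processes:
        children[parent.get(pid)].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{processes[pid]} ({pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(children[None]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES, PARENT)))
    for writer, targets in injection_summary(WPM_ROWS, PROCESSES, PARENT).items():
        print(f"{writer} injected into: {', '.join(targets)}")
```

On this report the split leaves four expected edges and twelve injection edges: f76558f.exe (2912) writes into every other process on the page, including its own parent rundll32.exe and its sibling droppers, and f767159.exe (2524) repeats the pattern against the four system processes. That is the behaviour a "writes into a process it did not create" rule should key on, rather than WriteProcessMemory alone, which every CreateProcess also triggers.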
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (4)
      Disable or Modify System Firewall (1)
      Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
  Filesize: 256B
  MD5: c5248ad0934e91cb1c1dbd4b24c3b5f9
  SHA1: 645a7aa46a9156f1a99978174556c632d6e85611
  SHA256: 083962d3f19840bf0b390e435b9b50e4ec5fe05ddba746ed0f0f81ac971ef248
  SHA512: e1c57a154f9ad901c89b6dc65be6b9f980aceccd4c57c8e7397e332e007b10ebf74aad36cdab260edb771c90632db920f8a0aa259ec05b44253b10a071356d67

  Filesize: 97KB
  MD5: 4c0b8029de8f9bad0819c705382c324e
  SHA1: c6b1d57e9ac51f15a667ad297bd01bf7d2a5421b
  SHA256: edd0d498cbef9a2ac1f12bdc1fd20df5f8bb0221f93a6348e6f5597d6cf9ee4d
  SHA512: 7cffcd4e79b6471bfa1b76f408082e901f409a74089c6666b7a0b728425433f3b015068abedc271a23f9eaf15784acec5bc02c0afd1e4315d4854d9a7e610314