Analysis
max time kernel: 28s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 13:47
Static task: static1
Behavioral task: behavioral1
Sample: 678aa3def89313b2cc54db583fbc3e78f8defde20fea7a1f819ed8d54be5d992.dll
Resource: win7-20241010-en
General
Target: 678aa3def89313b2cc54db583fbc3e78f8defde20fea7a1f819ed8d54be5d992.dll
Size: 120KB
MD5: 8110b6d591402fbd4a3db406b67d6a92
SHA1: b283410dad0aa1724261b6d6e68ffab0d264fc92
SHA256: 678aa3def89313b2cc54db583fbc3e78f8defde20fea7a1f819ed8d54be5d992
SHA512: 121665158f89fbda9b421275720f647cf85da34d81c6ec17d2730bf32c231046f51b2137a7ea8bb5608c145e06780b8b59a01bba2d1146aebb39f658056855dc
SSDEEP: 1536:48mBsobH7Py8kFWQPbg09WkAniKUqJUnmcfEv/yh17qV+pIQcl0VmZPSVp:4XsZNFW+gcWqqJ4sCn7qsIZ/ZqX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f786f08.exe

Sality family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f78894c.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f786f08.exe
Executes dropped EXE (3 IoCs)
pid | Process
2288 | f786f08.exe
2980 | f7871a7.exe
2752 | f78894c.exe

Loads dropped DLL (6 IoCs)
pid | Process
2148 | rundll32.exe   (repeated 6 times)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f78894c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f786f08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f78894c.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f78894c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f786f08.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | f786f08.exe
File opened (read-only) | \??\K: | f786f08.exe
File opened (read-only) | \??\E: | f786f08.exe
File opened (read-only) | \??\G: | f786f08.exe
File opened (read-only) | \??\H: | f786f08.exe
File opened (read-only) | \??\I: | f786f08.exe

resource | yara_rule
behavioral1/memory/2288-39-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-14-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-11-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-20-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-18-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-17-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-16-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-21-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-19-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-15-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-60-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-61-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-62-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-78-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-80-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-81-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-83-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-84-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-92-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-108-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-109-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2288-143-0x00000000006C0000-0x000000000177A000-memory.dmp | upx
behavioral1/memory/2752-150-0x0000000000970000-0x0000000001A2A000-memory.dmp | upx
behavioral1/memory/2752-183-0x0000000000970000-0x0000000001A2A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f786f95 | f786f08.exe
File opened for modification | C:\Windows\SYSTEM.INI | f786f08.exe
File created | C:\Windows\f78c9b5 | f78894c.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f78894c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f786f08.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2288 | f786f08.exe
2288 | f786f08.exe
2752 | f78894c.exe

Suspicious use of AdjustPrivilegeToken (42 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2288 | f786f08.exe   (repeated 21 times)
Token: SeDebugPrivilege | 2752 | f78894c.exe   (repeated 21 times)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2060 wrote to memory of 2148 | 2060 | rundll32.exe | 29   (repeated 7 times)
PID 2148 wrote to memory of 2288 | 2148 | rundll32.exe | 30   (repeated 4 times)
PID 2288 wrote to memory of 1088 | 2288 | f786f08.exe | 17
PID 2288 wrote to memory of 1160 | 2288 | f786f08.exe | 19
PID 2288 wrote to memory of 1192 | 2288 | f786f08.exe | 20
PID 2288 wrote to memory of 1440 | 2288 | f786f08.exe | 22
PID 2288 wrote to memory of 2060 | 2288 | f786f08.exe | 28
PID 2288 wrote to memory of 2148 | 2288 | f786f08.exe | 29   (repeated 2 times)
PID 2148 wrote to memory of 2980 | 2148 | rundll32.exe | 31   (repeated 4 times)
PID 2148 wrote to memory of 2752 | 2148 | rundll32.exe | 32   (repeated 4 times)
PID 2288 wrote to memory of 1088 | 2288 | f786f08.exe | 17
PID 2288 wrote to memory of 1160 | 2288 | f786f08.exe | 19
PID 2288 wrote to memory of 1192 | 2288 | f786f08.exe | 20
PID 2288 wrote to memory of 1440 | 2288 | f786f08.exe | 22
PID 2288 wrote to memory of 2980 | 2288 | f786f08.exe | 31   (repeated 2 times)
PID 2288 wrote to memory of 2752 | 2288 | f786f08.exe | 32   (repeated 2 times)
PID 2752 wrote to memory of 1088 | 2752 | f78894c.exe | 17
PID 2752 wrote to memory of 1160 | 2752 | f78894c.exe | 19
PID 2752 wrote to memory of 1192 | 2752 | f78894c.exe | 20
PID 2752 wrote to memory of 1440 | 2752 | f78894c.exe | 22
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f786f08.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f78894c.exe
Processes
[level 1] C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
    PID: 1088

[level 1] C:\Windows\system32\Dwm.exe
    Command line: "C:\Windows\system32\Dwm.exe"
    PID: 1160

[level 1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1192

    [level 2] C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\678aa3def89313b2cc54db583fbc3e78f8defde20fea7a1f819ed8d54be5d992.dll,#1
        PID: 2060
        - Suspicious use of WriteProcessMemory

        [level 3] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\678aa3def89313b2cc54db583fbc3e78f8defde20fea7a1f819ed8d54be5d992.dll,#1
            PID: 2148
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [level 4] C:\Users\Admin\AppData\Local\Temp\f786f08.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\f786f08.exe
                PID: 2288
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

            [level 4] C:\Users\Admin\AppData\Local\Temp\f7871a7.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\f7871a7.exe
                PID: 2980
                - Executes dropped EXE

            [level 4] C:\Users\Admin\AppData\Local\Temp\f78894c.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\f78894c.exe
                PID: 2752
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

[level 1] C:\Windows\system32\DllHost.exe
    Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 1440
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
Filesize: 257B
MD5: ac5b9492a1a97e7abebc67e3a3f27d43
SHA1: 4b20af386a9e76eeab363167ba7e11c8fba1c9af
SHA256: ef8eab1ec96bbbe571cf1cf6bb8bc1af865eca27518676ad360ceb9574ff861d
SHA512: 891a48da16611683d640c86b04d04e28296314f0d3fecf6505e6800aa49d8bcd02aae7086cdfcbe5a4bcbc162388725316f0bc04382ded7ad3c37bd0fb672336

Filesize: 97KB
MD5: f1b9ad7b3d076e04c2d9873e38d49fad
SHA1: 8f50ed098ef2acb52d4464ca5992fae00c5e006b
SHA256: b7c7a289ae5f5d6d2de70019caf81290178023d97d23b75eee8994b47ef42f58
SHA512: 1f0de85cdc7f7c5774d0103d4517df293bb1e83becae7b45cb122412b2c168fc37d535dc8e01ef372e481d990f6c679d48a36a29a0f4d320b1fc62546a3220d6