Analysis
max time kernel: 27s
max time network: 16s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 13:33
Static task: static1
Behavioral task: behavioral1
Sample: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll
Resource: win7-20241010-en
General
Target: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll
Size: 120KB
MD5: 22d86575345e994d970f0c5bf6c73360
SHA1: f48468e772e1db2285fb2d4e618111795852102e
SHA256: f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcac
SHA512: bc6266fe685edad539e1174da7a37722c70234172cc62dd70119805f441a47d5d03265aff0b3e74092f5adba3e1dc3edf9b2c99a5f4c00050fa0bb1f694e6b2f
SSDEEP: 1536:SFnXP98ynlLUCc4iNMjwlQxTSdHrYftixOgQst79TNYCrf8MeZ4P10+f:8qlf4WMwliTSdLYfcgzO9Jvf8ei+
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76d079.exe
Sality family
UAC bypass 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d079.exe
Windows security bypass 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d079.exe
Executes dropped EXE 3 IoCs
pid Process
2056 f76b4bf.exe
3004 f76b683.exe
1888 f76d079.exe
Loads dropped DLL 6 IoCs
pid Process
1664 rundll32.exe (×6)
Windows security modification 14 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76d079.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76b4bf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76d079.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76d079.exe
Checks whether UAC is enabled 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d079.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\M: f76b4bf.exe
File opened (read-only) \??\O: f76b4bf.exe
File opened (read-only) \??\T: f76b4bf.exe
File opened (read-only) \??\G: f76d079.exe
File opened (read-only) \??\H: f76b4bf.exe
File opened (read-only) \??\J: f76b4bf.exe
File opened (read-only) \??\K: f76b4bf.exe
File opened (read-only) \??\E: f76d079.exe
File opened (read-only) \??\I: f76b4bf.exe
File opened (read-only) \??\R: f76b4bf.exe
File opened (read-only) \??\S: f76b4bf.exe
File opened (read-only) \??\N: f76b4bf.exe
File opened (read-only) \??\G: f76b4bf.exe
File opened (read-only) \??\L: f76b4bf.exe
File opened (read-only) \??\P: f76b4bf.exe
File opened (read-only) \??\Q: f76b4bf.exe
File opened (read-only) \??\E: f76b4bf.exe
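The registry and drive-probe rows above are what an analyst would triage first: the two dropped executables turn the firewall off, set EnableLUA to 0, set every Security Center override/notify flag to 1, and then walk drive letters E: to T: looking for more volumes to infect. The Wow6432Node in the Security Center paths also records that the writer was a 32-bit process (the SysWOW64 rundll32.exe chain) whose HKLM\SOFTWARE writes were redirected by WOW64; whether the 64-bit Security Center service reads that view is worth checking separately, so it is only flagged here. The following script is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses rows in the report's row wording (the sample rows are copied from the tables above and embedded inline), compares each value against a hardened baseline (the baseline values are my assumption, not something the report states), and summarises which drives each process probed.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: IoC rows copied from the report's signature tables,
# one record per line, in the sandbox's own row wording.
SAMPLE_RECORDS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f76b4bf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76b4bf.exe
File opened (read-only) \??\M: f76b4bf.exe
File opened (read-only) \??\G: f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d079.exe
File opened (read-only) \??\E: f76d079.exe
"""


@dataclass(frozen=True)
class Record:
    kind: str             # "set_value" | "key_created" | "file_opened"
    path: str             # registry value path or NT device path, as the sandbox prints it
    value: Optional[str]  # only set for set_value rows
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    name: str             # baseline key, or the raw path when no baseline entry matched
    observed: str
    expected: Optional[str]
    verdict: str          # "impaired" | "restored" | "unbaselined"
    redirected: bool      # True when the write landed under Wow6432Node (32-bit writer on x64)


SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_CREATED = re.compile(r'^Key created (.+) (\S+)$')
FILE_OPENED = re.compile(r'^File opened \(([^)]*)\) (.+) (\S+)$')

# Assumed hardened baseline (my assumption, not stated by the report): the value each
# setting holds on a host whose firewall, UAC and Security Center are left intact.
HARDENED = {
    r"FirewallPolicy\StandardProfile\EnableFirewall": "1",
    r"FirewallPolicy\StandardProfile\DisableNotifications": "0",
    r"Policies\System\EnableLUA": "1",
    r"Security Center\AntiVirusOverride": "0",
    r"Security Center\FirewallOverride": "0",
    r"Security Center\AntiVirusDisableNotify": "0",
    r"Security Center\FirewallDisableNotify": "0",
    r"Security Center\UpdatesDisableNotify": "0",
    r"Security Center\UacDisableNotify": "0",
}


def parse_records(text: str) -> list[Record]:
    """Parse one sandbox IoC row per line; unknown row shapes are an error, not silently dropped."""
    out: list[Record] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := SET_VALUE.match(line):
            _, path, value, proc = m.groups()
            out.append(Record("set_value", path, value, proc))
        elif m := KEY_CREATED.match(line):
            path, proc = m.groups()
            out.append(Record("key_created", path, None, proc))
        elif m := FILE_OPENED.match(line):
            _, path, proc = m.groups()
            out.append(Record("file_opened", path, None, proc))
        else:
            raise ValueError(f"unrecognised record: {line!r}")
    return out


def assess(records: list[Record]) -> list[Finding]:
    """Compare every registry write against the baseline; rows without a baseline entry are kept as 'unbaselined'."""
    findings: list[Finding] = []
    for r in records:
        if r.kind != "set_value":
            continue
        redirected = "\\Wow6432Node\\" in r.path
        for tail, expected in HARDENED.items():
            if r.path.endswith("\\" + tail):
                verdict = "impaired" if r.value != expected else "restored"
                findings.append(Finding(r.process, tail, r.value, expected, verdict, redirected))
                break
        else:
            findings.append(Finding(r.process, r.path, r.value, None, "unbaselined", redirected))
    return findings


def drives_probed(records: list[Record]) -> dict[str, list[str]]:
    """Drive letters each process opened via the \\??\\X: device path (the infection-spread probe)."""
    by_proc: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.kind == "file_opened" and re.fullmatch(r"\\\?\?\\[A-Z]:", r.path):
            by_proc[r.process].add(r.path[-2:])
    return {p: sorted(d) for p, d in sorted(by_proc.items())}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for f in assess(recs):
        flag = " [WOW64-redirected]" if f.redirected else ""
        print(f"{f.verdict:12} {f.process:12} {f.name} = {f.observed!r} (expected {f.expected!r}){flag}")
    print("drives probed:", drives_probed(recs))
```

DoNotAllowExceptions = "0" is deliberately left out of the baseline: 0 is also the Windows default, so on its own that row says nothing about impairment, and the script reports it as unbaselined rather than guessing.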
UPX packed file (yara rule upx) 24 IoCs
resource yara_rule
behavioral1/memory/2056-{16,17,18,19,20,21,22,23,24,25,65,66,67,68,69,71,72,87,89,92,113,157}-0x00000000006C0000-0x000000000177A000-memory.dmp upx (22 dumps of the same region in PID 2056)
behavioral1/memory/1888-{169,214}-0x00000000009B0000-0x0000000001A6A000-memory.dmp upx (2 dumps of the same region in PID 1888)
Drops file in Windows directory 3 IoCs
description ioc Process
File created C:\Windows\f76b53b f76b4bf.exe
File opened for modification C:\Windows\SYSTEM.INI f76b4bf.exe
File created C:\Windows\f77054e f76d079.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76b4bf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f76d079.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
2056 f76b4bf.exe (×2)
1888 f76d079.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process
Token: SeDebugPrivilege 2056 f76b4bf.exe (×24)
Token: SeDebugPrivilege 1888 f76d079.exe (×22)
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target
(×N marks consecutive identical records collapsed onto one line.)
PID 2636 wrote to memory of 1664 2636 rundll32.exe 30 (×7)
PID 1664 wrote to memory of 2056 1664 rundll32.exe 31 (×4)
PID 2056 wrote to memory of 1052 2056 f76b4bf.exe 18
PID 2056 wrote to memory of 1120 2056 f76b4bf.exe 19
PID 2056 wrote to memory of 1184 2056 f76b4bf.exe 21
PID 2056 wrote to memory of 1492 2056 f76b4bf.exe 25
PID 2056 wrote to memory of 2636 2056 f76b4bf.exe 29
PID 2056 wrote to memory of 1664 2056 f76b4bf.exe 30 (×2)
PID 1664 wrote to memory of 3004 1664 rundll32.exe 32 (×4)
PID 1664 wrote to memory of 1888 1664 rundll32.exe 34 (×4)
PID 2056 wrote to memory of 1052 2056 f76b4bf.exe 18
PID 2056 wrote to memory of 1120 2056 f76b4bf.exe 19
PID 2056 wrote to memory of 1184 2056 f76b4bf.exe 21
PID 2056 wrote to memory of 1492 2056 f76b4bf.exe 25
PID 2056 wrote to memory of 3004 2056 f76b4bf.exe 32 (×2)
PID 2056 wrote to memory of 1888 2056 f76b4bf.exe 34 (×2)
PID 1888 wrote to memory of 1052 1888 f76d079.exe 18
PID 1888 wrote to memory of 1120 1888 f76d079.exe 19
PID 1888 wrote to memory of 1184 1888 f76d079.exe 21
PID 1888 wrote to memory of 1492 1888 f76d079.exe 25
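The WriteProcessMemory rows mix two different things: a parent writing into a process it has just created (rundll32.exe into its children, which is what process start-up looks like in this log) and the two dropped executables writing into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and the rundll32.exe chain, which are not their children. Separating the two is how you read the injection fan-out out of a sandbox log. The script below is an added example, not part of the sandbox report: the sample rows are copied from the table above with consecutive duplicates collapsed, and the parent/child map and the process names are read off the process tree further down the report rather than detected by the code.

```python
import re
from collections import defaultdict

# Constructed sample input: the report's "wrote to memory" rows, one row per
# distinct writer/target pair, in report order.
SAMPLE_WRITES = """
PID 2636 wrote to memory of 1664 2636 rundll32.exe 30
PID 1664 wrote to memory of 2056 1664 rundll32.exe 31
PID 2056 wrote to memory of 1052 2056 f76b4bf.exe 18
PID 2056 wrote to memory of 1120 2056 f76b4bf.exe 19
PID 2056 wrote to memory of 1184 2056 f76b4bf.exe 21
PID 2056 wrote to memory of 1492 2056 f76b4bf.exe 25
PID 2056 wrote to memory of 2636 2056 f76b4bf.exe 29
PID 2056 wrote to memory of 1664 2056 f76b4bf.exe 30
PID 1664 wrote to memory of 3004 1664 rundll32.exe 32
PID 1664 wrote to memory of 1888 1664 rundll32.exe 34
PID 2056 wrote to memory of 3004 2056 f76b4bf.exe 32
PID 2056 wrote to memory of 1888 2056 f76b4bf.exe 34
PID 1888 wrote to memory of 1052 1888 f76d079.exe 18
PID 1888 wrote to memory of 1120 1888 f76d079.exe 19
PID 1888 wrote to memory of 1184 1888 f76d079.exe 21
PID 1888 wrote to memory of 1492 1888 f76d079.exe 25
"""

# Child -> parent relations read off the report's process tree. The four system
# processes at the top of the tree (1052, 1120, 1184, 1492) have no parent listed.
PARENT = {1664: 2636, 2056: 1664, 3004: 1664, 1888: 1664}

# Image names per PID, also taken from the process tree.
NAMES = {
    1052: "taskhost.exe", 1120: "Dwm.exe", 1184: "Explorer.EXE", 1492: "DllHost.exe",
    2636: "rundll32.exe", 1664: "rundll32.exe",
    2056: "f76b4bf.exe", 3004: "f76b683.exe", 1888: "f76d079.exe",
}

# Row shape: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WRITE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_writes(text):
    """Parse one row per line into (src_pid, dst_pid, src_image, target_index) tuples."""
    writes = []
    for line in text.strip().splitlines():
        m = WRITE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, image, target_idx = m.groups()
        writes.append((int(src), int(dst), image, int(target_idx)))
    return writes


def classify_writes(writes, parent):
    """Split writes into those from a parent into its own child (expected during
    process creation) and those into any other process (the injection signal).
    Returns (child_writes, foreign_writes)."""
    child, foreign = [], []
    for src, dst, image, _ in writes:
        (child if parent.get(dst) == src else foreign).append((src, dst, image))
    return child, foreign


def injection_targets(writes, parent, names):
    """Map each injecting process to the sorted list of unrelated processes it wrote into."""
    _, foreign = classify_writes(writes, parent)
    out = defaultdict(set)
    for src, dst, image in foreign:
        out[f"{image} ({src})"].add(f"{names.get(dst, 'unknown')} ({dst})")
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    w = parse_writes(SAMPLE_WRITES)
    child, foreign = classify_writes(w, PARENT)
    print(f"{len(child)} parent-to-child writes, {len(foreign)} writes into unrelated processes")
    for writer, targets in injection_targets(w, PARENT, NAMES).items():
        print(writer, "->", ", ".join(targets))
```

On a real host the parent map would come from process-creation telemetry (Sysmon event 1, or the sandbox's own tree) rather than being typed in; the classification logic is the same.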
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76b4bf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76d079.exe
Processes
C:\Windows\system32\taskhost.exe ("taskhost.exe") PID:1052
C:\Windows\system32\Dwm.exe ("C:\Windows\system32\Dwm.exe") PID:1120
C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:1184
  C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll,#1) PID:2636
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9fffc21a697febde4312cf0f2eddcd995c9239677a6f9c931473a44ef79bcacN.dll,#1) PID:1664
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f76b4bf.exe (C:\Users\Admin\AppData\Local\Temp\f76b4bf.exe) PID:2056
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\f76b683.exe (C:\Users\Admin\AppData\Local\Temp\f76b683.exe) PID:3004
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\f76d079.exe (C:\Users\Admin\AppData\Local\Temp\f76d079.exe) PID:1888
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:1492
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: e44711c4e6ce7231020b5f9b1c89e0c8
SHA1: a57605199667f41d7adfc1ced132d6f8ca82c00b
SHA256: 8555afedb5b03888fd89f7b2dde5d94fb731db197ef908e94b9a2c5590a27d1d
SHA512: 0d5aab4673a2fa56baab7f73473b5eb2785f117518276379f38a4929886d54b35d4a564905ee0326885111d5c404702fd17736ce24f7073afb841c9c442ece2b

Filesize: 256B
MD5: 0d476a9e91a09f50700c1cf4318b5b91
SHA1: eb84ff4d5bf86e1c34d3e15037914dfd37a308f7
SHA256: 49159785311f632c22944b2667d218a663b070f8e401e214e5af4751238d4ec9
SHA512: a7a08f76a9cc610a7968bfb92f228a080b3d8ef607e59a368e2dce3d1a2ea84be8548185c68ab04e47ca03c2ce580a9affe2605434ef5e8ce2bc3d79700fbeef