Analysis
max time kernel
28s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
22-12-2024 15:51
Static task
static1
Behavioral task
behavioral1
Sample
5baa5ddfee97dad17eef379d7e23d10e42793222e3823198d98ca36fcc227c12.dll
Resource
win7-20240903-en
General
Target
5baa5ddfee97dad17eef379d7e23d10e42793222e3823198d98ca36fcc227c12.dll
Size
120KB
MD5
760f96fdc6187781f530278bf4551121
SHA1
c6c662f0567e7690ea6192fe850591369be17095
SHA256
5baa5ddfee97dad17eef379d7e23d10e42793222e3823198d98ca36fcc227c12
SHA512
5bf319452943677ad3d8b8d2cb0d2f2bd92d8d3476f2677ecaf22af56928c8365462a56060fae511268ac2824cf626ec927139ddcfaf91263394efb1064770c4
SSDEEP
3072:zjvWWeYkxd7aJpC4TSZKRcf37GCqH/slKw/dr1:zvLEGpNeYRcf3KkKSV1
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76b941.exe
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76baf6.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76baf6.exe
Executes dropped EXE 3 IoCs
pid | Process
2192 | f76b941.exe
1048 | f76baf6.exe
2672 | f76d77b.exe
Loads dropped DLL 6 IoCs
pid | Process
2292 | rundll32.exe
2292 | rundll32.exe
2292 | rundll32.exe
2292 | rundll32.exe
2292 | rundll32.exe
2292 | rundll32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76b941.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76b941.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76baf6.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b941.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76baf6.exe
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | f76b941.exe
File opened (read-only) | \??\T: | f76b941.exe
File opened (read-only) | \??\E: | f76b941.exe
File opened (read-only) | \??\H: | f76b941.exe
File opened (read-only) | \??\M: | f76b941.exe
File opened (read-only) | \??\I: | f76b941.exe
File opened (read-only) | \??\O: | f76b941.exe
File opened (read-only) | \??\S: | f76b941.exe
File opened (read-only) | \??\P: | f76b941.exe
File opened (read-only) | \??\J: | f76b941.exe
File opened (read-only) | \??\L: | f76b941.exe
File opened (read-only) | \??\N: | f76b941.exe
File opened (read-only) | \??\G: | f76b941.exe
File opened (read-only) | \??\K: | f76b941.exe
File opened (read-only) | \??\R: | f76b941.exe
resource | yara_rule
behavioral1/memory/2192-16-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-14-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-21-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-20-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-19-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-17-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-15-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-23-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-22-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-18-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-64-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-65-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-66-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-67-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-69-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-70-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-71-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-72-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-73-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-90-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-91-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/2192-155-0x0000000000700000-0x00000000017BA000-memory.dmp | upx
behavioral1/memory/1048-167-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
behavioral1/memory/1048-193-0x0000000000920000-0x00000000019DA000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76b9ae | f76b941.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76b941.exe
File created | C:\Windows\f7709c1 | f76baf6.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76b941.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76baf6.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2192 | f76b941.exe
2192 | f76b941.exe
1048 | f76baf6.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2192 | f76b941.exe (entry repeated)
Token: SeDebugPrivilege | 1048 | f76baf6.exe (entry repeated)
(46 IoCs in total; every entry is one of the two rows above)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2512 wrote to memory of 2292 | 2512 | rundll32.exe | 30
PID 2292 wrote to memory of 2192 | 2292 | rundll32.exe | 31
PID 2292 wrote to memory of 2192 | 2292 | rundll32.exe | 31
PID 2292 wrote to memory of 2192 | 2292 | rundll32.exe | 31
PID 2292 wrote to memory of 2192 | 2292 | rundll32.exe | 31
PID 2192 wrote to memory of 1112 | 2192 | f76b941.exe | 19
PID 2192 wrote to memory of 1164 | 2192 | f76b941.exe | 20
PID 2192 wrote to memory of 1232 | 2192 | f76b941.exe | 21
PID 2192 wrote to memory of 632 | 2192 | f76b941.exe | 25
PID 2192 wrote to memory of 2512 | 2192 | f76b941.exe | 29
PID 2192 wrote to memory of 2292 | 2192 | f76b941.exe | 30
PID 2192 wrote to memory of 2292 | 2192 | f76b941.exe | 30
PID 2292 wrote to memory of 1048 | 2292 | rundll32.exe | 32
PID 2292 wrote to memory of 1048 | 2292 | rundll32.exe | 32
PID 2292 wrote to memory of 1048 | 2292 | rundll32.exe | 32
PID 2292 wrote to memory of 1048 | 2292 | rundll32.exe | 32
PID 2292 wrote to memory of 2672 | 2292 | rundll32.exe | 34
PID 2292 wrote to memory of 2672 | 2292 | rundll32.exe | 34
PID 2292 wrote to memory of 2672 | 2292 | rundll32.exe | 34
PID 2292 wrote to memory of 2672 | 2292 | rundll32.exe | 34
PID 2192 wrote to memory of 1112 | 2192 | f76b941.exe | 19
PID 2192 wrote to memory of 1164 | 2192 | f76b941.exe | 20
PID 2192 wrote to memory of 1232 | 2192 | f76b941.exe | 21
PID 2192 wrote to memory of 632 | 2192 | f76b941.exe | 25
PID 2192 wrote to memory of 1048 | 2192 | f76b941.exe | 32
PID 2192 wrote to memory of 1048 | 2192 | f76b941.exe | 32
PID 2192 wrote to memory of 2672 | 2192 | f76b941.exe | 34
PID 2192 wrote to memory of 2672 | 2192 | f76b941.exe | 34
PID 1048 wrote to memory of 1112 | 1048 | f76baf6.exe | 19
PID 1048 wrote to memory of 1164 | 1048 | f76baf6.exe | 20
PID 1048 wrote to memory of 1232 | 1048 | f76baf6.exe | 21
PID 1048 wrote to memory of 632 | 1048 | f76baf6.exe | 25
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76baf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76b941.exe
Processes (nested by parent; indentation follows the tree depth of the original report)
C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID:1112
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID:1164
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID:1232
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5baa5ddfee97dad17eef379d7e23d10e42793222e3823198d98ca36fcc227c12.dll,#1
    - Suspicious use of WriteProcessMemory
    PID:2512
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5baa5ddfee97dad17eef379d7e23d10e42793222e3823198d98ca36fcc227c12.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2292
      C:\Users\Admin\AppData\Local\Temp\f76b941.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76b941.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:2192
      C:\Users\Admin\AppData\Local\Temp\f76baf6.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76baf6.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID:1048
      C:\Users\Admin\AppData\Local\Temp\f76d77b.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\f76d77b.exe
        - Executes dropped EXE
        PID:2672
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:632
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize
97KB
MD5
a7b722975f7320311eeb52f3cbe4b2b5
SHA1
1cd2cf6c8b9bb0a496aeee4f2ce063e2bdb35d5f
SHA256
cbd909acb7bd3fce9ee50b3d81abb22789d7fe2074f5530663d9a1348952c88c
SHA512
ff0aeda868fb426774558cf622b1566dec0aff75833606521424f91029e4b4de95e401170038a7105cdd6e270108a2bc3a2de31760ff06f02aaef49a72a8bce1
Filesize
257B
MD5
c04c5e3cfa564a733472b28bbe998e5e
SHA1
a5709a38d9c313641fd363c3076c148af457b0ac
SHA256
d5a8f1d3599f97b4925e2a2e2f22dc3006dbee09e691da18c62260b024cef307
SHA512
ee4e18a3d0ab3f60a4d0d33b98bc870ffc16a7882f546a35196144cd9b2c1fcf09cbe62c2cb2e2e29a73e0c58b0cd56688044d3b5a74c745b868787ca1c3a921