Analysis
- max time kernel: 29s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 16:02

Static task: static1
Behavioral task: behavioral1
- Sample: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll
- Resource: win7-20240903-en
General
- Target: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll
- Size: 120KB
- MD5: f6cea54b75384f0168d211e027268f07
- SHA1: 2796a3934e2d01dc3a6b41bb1dba9dbddbdb923e
- SHA256: f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621
- SHA512: 15218b346f0a9c3e94a2e982e0d0ef1cbb20655ab61403b6fe1b4d89f2b98b2551f7df4af811302477f5ffc7918a17b9ae7c4859448cb1334d62103a04392e3f
- SSDEEP: 1536:LwtOSfz3LXx23MUUXVXgSm7ATzanT1oK6dD2VNLHeo7MqXCajYZILjedgfbUPl1N:W3AM9LmE+v6dDYNLHPMIj8dgfWK5Y

Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76d1ef.exe

Sality family

UAC bypass (2 IoCs; signature name taken from the process-tree signature list below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f21c.exe

Windows security bypass (12 IoCs; signature name taken from the process-tree signature list below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f21c.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2524 | f76d1ef.exe
  2008 | f76d346.exe
  2592 | f76f21c.exe

Loads dropped DLL (6 IoCs)
  pid | Process
  2492 | rundll32.exe (6 rows, all for this pid)

Windows security modification (14 IoCs; signature name taken from the process-tree signature list below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76d1ef.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f21c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76d1ef.exe

Checks whether UAC is enabled (2 IoCs; signature name taken from the process-tree signature list below)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f21c.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d1ef.exe

Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\N: | f76d1ef.exe
  File opened (read-only) | \??\Q: | f76d1ef.exe
  File opened (read-only) | \??\J: | f76d1ef.exe
  File opened (read-only) | \??\K: | f76d1ef.exe
  File opened (read-only) | \??\M: | f76d1ef.exe
  File opened (read-only) | \??\E: | f76d1ef.exe
  File opened (read-only) | \??\H: | f76d1ef.exe
  File opened (read-only) | \??\G: | f76f21c.exe
  File opened (read-only) | \??\G: | f76d1ef.exe
  File opened (read-only) | \??\L: | f76d1ef.exe
  File opened (read-only) | \??\P: | f76d1ef.exe
  File opened (read-only) | \??\E: | f76f21c.exe
  File opened (read-only) | \??\H: | f76f21c.exe
  File opened (read-only) | \??\I: | f76d1ef.exe
  File opened (read-only) | \??\O: | f76d1ef.exe

UPX yara rule matches (25 IoCs; heading derived from the yara_rule column, the original heading was lost)
  resource | yara_rule
  behavioral1/memory/2524-16-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-11-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-15-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-18-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-17-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-13-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-20-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-21-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-19-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-14-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-60-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-61-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-63-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-64-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-65-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-81-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-82-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-100-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-102-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-104-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-106-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-107-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2524-149-0x0000000000630000-0x00000000016EA000-memory.dmp | upx
  behavioral1/memory/2592-168-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
  behavioral1/memory/2592-208-0x0000000000910000-0x00000000019CA000-memory.dmp | upx

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\f76d23d | f76d1ef.exe
  File opened for modification | C:\Windows\SYSTEM.INI | f76d1ef.exe
  File created | C:\Windows\f77227e | f76f21c.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76d1ef.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f21c.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2524 | f76d1ef.exe
  2524 | f76d1ef.exe
  2592 | f76f21c.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2524 | f76d1ef.exe (24 rows)
  Token: SeDebugPrivilege | 2592 | f76f21c.exe (22 rows)

Suspicious use of WriteProcessMemory (38 IoCs)
  description | pid | Process | procid_target
  PID 1236 wrote to memory of 2492 | 1236 | rundll32.exe | 31 (7 rows)
  PID 2492 wrote to memory of 2524 | 2492 | rundll32.exe | 32 (4 rows)
  PID 2524 wrote to memory of 1108 | 2524 | f76d1ef.exe | 19
  PID 2524 wrote to memory of 1172 | 2524 | f76d1ef.exe | 20
  PID 2524 wrote to memory of 1212 | 2524 | f76d1ef.exe | 21
  PID 2524 wrote to memory of 792 | 2524 | f76d1ef.exe | 25
  PID 2524 wrote to memory of 1236 | 2524 | f76d1ef.exe | 30
  PID 2524 wrote to memory of 2492 | 2524 | f76d1ef.exe | 31 (2 rows)
  PID 2492 wrote to memory of 2008 | 2492 | rundll32.exe | 33 (4 rows)
  PID 2492 wrote to memory of 2592 | 2492 | rundll32.exe | 34 (4 rows)
  PID 2524 wrote to memory of 1108 | 2524 | f76d1ef.exe | 19
  PID 2524 wrote to memory of 1172 | 2524 | f76d1ef.exe | 20
  PID 2524 wrote to memory of 1212 | 2524 | f76d1ef.exe | 21
  PID 2524 wrote to memory of 792 | 2524 | f76d1ef.exe | 25
  PID 2524 wrote to memory of 2008 | 2524 | f76d1ef.exe | 33 (2 rows)
  PID 2524 wrote to memory of 2592 | 2524 | f76d1ef.exe | 34 (2 rows)
  PID 2592 wrote to memory of 1108 | 2592 | f76f21c.exe | 19
  PID 2592 wrote to memory of 1172 | 2592 | f76f21c.exe | 20
  PID 2592 wrote to memory of 1212 | 2592 | f76f21c.exe | 21
  PID 2592 wrote to memory of 792 | 2592 | f76f21c.exe | 25

System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76d1ef.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f21c.exe
Processes
(indentation follows the tree level given in the report; PID is the sandbox-observed process id)

- C:\Windows\system32\taskhost.exe (level 1, PID 1108)
  command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (level 1, PID 1172)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (level 1, PID 1212)
  command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (level 2, PID 1236)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll,#1
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (level 3, PID 2492)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f37837c6de04f26cec7036b3627991854927fd1731e6ffe2c353040173917621.dll,#1
      signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f76d1ef.exe (level 4, PID 2524)
        command line: C:\Users\Admin\AppData\Local\Temp\f76d1ef.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f76d346.exe (level 4, PID 2008)
        command line: C:\Users\Admin\AppData\Local\Temp\f76d346.exe
        signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f76f21c.exe (level 4, PID 2592)
        command line: C:\Users\Admin\AppData\Local\Temp\f76f21c.exe
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (level 1, PID 792)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matched signatures for that tactic or technique)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: fb4e48b9d496385bbd771d6f1904dc18
  SHA1: 99eee6583e1c8ce473e6661fe8e13cfaf710fbf4
  SHA256: 7cdd27c69b5b168ea5532de6a6c5534f256792002c4752f583f6504f5f0bbce4
  SHA512: b1796ecde3c28b31093ecfa2d18361918a636f60dc1afb38d88fea7d019c9d5cee2b72fbb678751d02ea3225f8ea5137c8979fed4264033340f003a5f51b5669

- Filesize: 257B
  MD5: b51f38c0a44911940b5f79ea485a1d4f
  SHA1: 42c407c456d58ff20002f6892e750f54df9cfb1f
  SHA256: 3121d7d892c36106cc1d7f26a3c6efe65b9e26b6d3e30ba588c320d397c45853
  SHA512: 08d1e4dadc7008da02d4b727674ec66bc071b77fa27c4848a15dd0d846dc530cbf4b5904238b1bc28435aa1bfacf5c5fbfda1704e89b91870306d3992a3e348f