Analysis

max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 23:06
Static task: static1
Behavioral task: behavioral1
Sample: 4c0d192d4bc6fcb6942f678b312e884c2fe6c1675d30c958bedc304aab1dfe9eN.dll
Resource: win7-20240903-en
General

Target: 4c0d192d4bc6fcb6942f678b312e884c2fe6c1675d30c958bedc304aab1dfe9eN.dll
Size: 120KB
MD5: c9a938207e18429730fc615aed796290
SHA1: 4981d4e1868e801bb046537c4f9b46fe32ec421c
SHA256: 4c0d192d4bc6fcb6942f678b312e884c2fe6c1675d30c958bedc304aab1dfe9e
SHA512: 2ec7c34dcdd7aa2a5321ff1bc15092ff10e55057b5a14cc7a59fccf8cdb603cb09738d4ccf270fc7052c292a57ebfa45baee0f3b27aa98f3093e9633a4f66c68
SSDEEP: 1536:A+NXsattc/Gb+99f//CHSr9LCakENI/Z3MthEVB7hhD2iq1TntNHei4pA0ON:A+NpfcJflr92MiNeEVDhD2VBneB3O
Malware Config

Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76ad4f.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cf02.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ad4f.exe
Executes dropped EXE (3 IoCs)
pid | Process
3064 | f76ad4f.exe
2668 | f76aef5.exe
2364 | f76cf02.exe

Loads dropped DLL (6 IoCs)
pid | Process
2092 | rundll32.exe
2092 | rundll32.exe
2092 | rundll32.exe
2092 | rundll32.exe
2092 | rundll32.exe
2092 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76cf02.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76ad4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76ad4f.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cf02.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | f76ad4f.exe
File opened (read-only) | \??\T: | f76ad4f.exe
File opened (read-only) | \??\E: | f76cf02.exe
File opened (read-only) | \??\K: | f76ad4f.exe
File opened (read-only) | \??\Q: | f76ad4f.exe
File opened (read-only) | \??\I: | f76ad4f.exe
File opened (read-only) | \??\H: | f76cf02.exe
File opened (read-only) | \??\J: | f76ad4f.exe
File opened (read-only) | \??\M: | f76ad4f.exe
File opened (read-only) | \??\N: | f76ad4f.exe
File opened (read-only) | \??\P: | f76ad4f.exe
File opened (read-only) | \??\E: | f76ad4f.exe
File opened (read-only) | \??\G: | f76ad4f.exe
File opened (read-only) | \??\O: | f76ad4f.exe
File opened (read-only) | \??\S: | f76ad4f.exe
File opened (read-only) | \??\G: | f76cf02.exe
File opened (read-only) | \??\H: | f76ad4f.exe
File opened (read-only) | \??\L: | f76ad4f.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76adcc | f76ad4f.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76ad4f.exe
File created | C:\Windows\f76fdfe | f76cf02.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76ad4f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76cf02.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3064 | f76ad4f.exe
3064 | f76ad4f.exe
2364 | f76cf02.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Suspicious use of WriteProcessMemory (38 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76cf02.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76ad4f.exe
Processes

Each entry is: image path | command line | PID. Indentation shows the parent/child relationship; the bullets under an entry are the signatures triggered by that process.

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1124

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1192

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1216

C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0d192d4bc6fcb6942f678b312e884c2fe6c1675d30c958bedc304aab1dfe9eN.dll,#1 | PID:2084
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0d192d4bc6fcb6942f678b312e884c2fe6c1675d30c958bedc304aab1dfe9eN.dll,#1 | PID:2092
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f76ad4f.exe | C:\Users\Admin\AppData\Local\Temp\f76ad4f.exe | PID:3064
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

        C:\Users\Admin\AppData\Local\Temp\f76aef5.exe | C:\Users\Admin\AppData\Local\Temp\f76aef5.exe | PID:2668
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\f76cf02.exe | C:\Users\Admin\AppData\Local\Temp\f76cf02.exe | PID:2364
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1664
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 257B
MD5: 5d205a7aae863782691b94b9bcc1095b
SHA1: 1ab90179f12c10f0823cc587dfe70ca04d1247c4
SHA256: 550c1ec652600399ac53dc00dbab5f59668e6521f71a8e2a3455169590b338d1
SHA512: 1c4a271b764a99d1b30d48fefde08aca345503ba88d223e3297759c38eef976661b4be393dc2e553cae0149d4c6f94305d929cc887fc8de39b7eb3d796056d8e

Filesize: 97KB
MD5: 963ce6f1592bfaeca65f18a444e80321
SHA1: e9bbec53e24845b943633b71828058486efcc383
SHA256: 40ac38264e2e9381e7e26dc032a641aaeea0fd521665fedc3e18d3909182ee10
SHA512: d59cb75a74303660711270b6c69b4f2c63712b2d8626149e133ff2a704a227883b6782f22da9189358cc0c34c92f8f6d156f5a1ffc5ef56e43e4188c1f8dcc63