Analysis
max time kernel: 118s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 25-12-2024 23:21
Static task: static1
Behavioral task: behavioral1
Sample: e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Resource: win7-20240903-en
General
Target: e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Size: 1012KB
MD5: 3c8349453436e1bb2383d81edf04c550
SHA1: 3da06cb3376b1721e4d875c10f5a6953662abcf0
SHA256: e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02
SHA512: 59f49b92a3cd5fb3abe683c6c19747d2c7986469caafc266f81b409e8a12975df59c3db2787acebd35d626fdc0d3c8a82d16527679abfceea7ca780a44d411f1
SSDEEP: 12288:k1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0INK4h1oWxJpcEi0/3IWV//7cSd8HR4bm:k1/aGLDCM4D8ayGM0R3o8/oAuylKi+t
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Sality family
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
pid | Process
2804 | dbdysx.exe
Loads dropped DLL 2 IoCs
pid | Process
2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\dbdysx.exe" | dbdysx.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
resource | yara_rule
behavioral1/memory/2696-2-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-5-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-10-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-8-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-7-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-6-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-11-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-9-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-4-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-55-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-29-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
behavioral1/memory/2696-30-0x0000000002170000-0x00000000031FE000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbdysx.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe (22 identical entries)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2696 wrote to memory of 1052 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 18
PID 2696 wrote to memory of 1140 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 20
PID 2696 wrote to memory of 1164 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 21
PID 2696 wrote to memory of 2004 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 23
PID 2696 wrote to memory of 2804 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 30
PID 2696 wrote to memory of 2804 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 30
PID 2696 wrote to memory of 2804 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 30
PID 2696 wrote to memory of 2804 | 2696 | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe | 30
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
Processes
C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1052
C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1140
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1164
    C:\Users\Admin\AppData\Local\Temp\e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e90d50b767df3ffc3113e0ea15d0128c9b81e7d2ff0e33d834b7d0539dd7ca02N.exe"
      PID: 2696
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\ProgramData\dbdysx.exe
          Command line: "C:\ProgramData\dbdysx.exe"
          PID: 2804
          Signatures:
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 2004
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Downloads
Filesize: 1012KB
MD5: 9773bf313ffe4f4027fb6fa3aa896384
SHA1: 208d0575420bd6b3bba56674fff19ac18f0a2e4e
SHA256: 6fd181ab0ad898041547c38472dbc9e617f7b907ee1003c5537b9eeb2ebaa561
SHA512: 92449a982e731f1831f5133d7f9068454fd0b0e5129b67574fe7a9fdfb6755f7e9349d1b302c984d26f7ecdb2d787e9c71c188356597bcae8a9bb787388f8fed

Filesize: 557KB
MD5: 8d0dcbc1481a967175e19dfa204d461e
SHA1: e785b892957645d143f1408e71811130f8d3db96
SHA256: a723e131c3067b612750c583cab54524721189ed95929f96dc71b326a98e4b72
SHA512: 8457e9a648ace64fadfc5bc742ec3c1315c5815176a06c3c37271cf4a7cd9b1030dddd1077f353a393435a5442ecc8983c7dd1e0a090d5e3d7711231589af1ba

Filesize: 454KB
MD5: 47edcd0306bb49e327b7ce6cc862769c
SHA1: b2efb1b2960069d7f989f04df5ca563462e3e114
SHA256: 8ef9154d4b9c7624e81394506b25f592eb848d2828d7645ba626cf48821a7b4c
SHA512: d4d9d12381d1da25072cf8ce13c9fb32d553f4fea1404f8e79bc61338e220cde5e1e9f64a4886bc19db0d268feae70c640b9765c4fdb25622eee27a774b0d2cf