Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2024 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 1d71878a266c4a25bf931119ff965e95839ffdf6e90f06e5123dfc0a615212c2.dll
Resource: win7-20240903-en
General
Target: 1d71878a266c4a25bf931119ff965e95839ffdf6e90f06e5123dfc0a615212c2.dll
Size: 120KB
MD5: dfe99f01b1fbfbfce89949463ead8e19
SHA1: 4c2d382b786ce9d1b245dad367a3297ec90de3f9
SHA256: 1d71878a266c4a25bf931119ff965e95839ffdf6e90f06e5123dfc0a615212c2
SHA512: 07ecdd3b4451dc98e716479d44ff4ee5dc328d3ba5648559498ddbb0fa15f8b450ccf4496281691032dfd13b57899579753e592fce8070f0454afdb223d1dcb0
SSDEEP: 1536:KaAsFvnQzuVVPoDQin068M5jq5ZJy2EL0I6JHe0Et6LrfEy7n27kX2YCXFbWoFTJ:KCKz0684jq5ZJFEAV/tQyrX0xWI
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76fcb6.exe
Sality family
UAC bypass (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fcb6.exe
Windows security bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e0ed.exe
Executes dropped EXE (3 IoCs)
pid | Process
2204 | f76e0ed.exe
2596 | f76e2b1.exe
2868 | f76fcb6.exe
Loads dropped DLL (6 IoCs)
pid | Process
2656 | rundll32.exe
2656 | rundll32.exe
2656 | rundll32.exe
2656 | rundll32.exe
2656 | rundll32.exe
2656 | rundll32.exe
Windows security modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e0ed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76fcb6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76fcb6.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e0ed.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fcb6.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | f76e0ed.exe
File opened (read-only) | \??\T: | f76e0ed.exe
File opened (read-only) | \??\E: | f76e0ed.exe
File opened (read-only) | \??\I: | f76e0ed.exe
File opened (read-only) | \??\J: | f76e0ed.exe
File opened (read-only) | \??\P: | f76e0ed.exe
File opened (read-only) | \??\E: | f76fcb6.exe
File opened (read-only) | \??\H: | f76e0ed.exe
File opened (read-only) | \??\L: | f76e0ed.exe
File opened (read-only) | \??\N: | f76e0ed.exe
File opened (read-only) | \??\R: | f76e0ed.exe
File opened (read-only) | \??\S: | f76e0ed.exe
File opened (read-only) | \??\G: | f76e0ed.exe
File opened (read-only) | \??\O: | f76e0ed.exe
File opened (read-only) | \??\Q: | f76e0ed.exe
File opened (read-only) | \??\G: | f76fcb6.exe
File opened (read-only) | \??\M: | f76e0ed.exe
resource | yara_rule
behavioral1/memory/2204-11-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-15-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-17-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-13-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-14-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-20-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-19-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-18-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-16-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-21-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-58-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-61-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-59-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-62-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-63-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-65-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-66-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-79-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-80-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-84-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-104-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2204-147-0x00000000006E0000-0x000000000179A000-memory.dmp | upx
behavioral1/memory/2868-160-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
behavioral1/memory/2868-203-0x0000000000900000-0x00000000019BA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76e15a | f76e0ed.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76e0ed.exe
File created | C:\Windows\f77318c | f76fcb6.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76fcb6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e0ed.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2204 | f76e0ed.exe
2204 | f76e0ed.exe
2868 | f76fcb6.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2204 | f76e0ed.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Token: SeDebugPrivilege | 2868 | f76fcb6.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 3040 wrote to memory of 2656 | 3040 | rundll32.exe | 31
PID 2656 wrote to memory of 2204 | 2656 | rundll32.exe | 32
PID 2656 wrote to memory of 2204 | 2656 | rundll32.exe | 32
PID 2656 wrote to memory of 2204 | 2656 | rundll32.exe | 32
PID 2656 wrote to memory of 2204 | 2656 | rundll32.exe | 32
PID 2204 wrote to memory of 1088 | 2204 | f76e0ed.exe | 18
PID 2204 wrote to memory of 1172 | 2204 | f76e0ed.exe | 20
PID 2204 wrote to memory of 1200 | 2204 | f76e0ed.exe | 21
PID 2204 wrote to memory of 1864 | 2204 | f76e0ed.exe | 25
PID 2204 wrote to memory of 3040 | 2204 | f76e0ed.exe | 30
PID 2204 wrote to memory of 2656 | 2204 | f76e0ed.exe | 31
PID 2204 wrote to memory of 2656 | 2204 | f76e0ed.exe | 31
PID 2656 wrote to memory of 2596 | 2656 | rundll32.exe | 33
PID 2656 wrote to memory of 2596 | 2656 | rundll32.exe | 33
PID 2656 wrote to memory of 2596 | 2656 | rundll32.exe | 33
PID 2656 wrote to memory of 2596 | 2656 | rundll32.exe | 33
PID 2656 wrote to memory of 2868 | 2656 | rundll32.exe | 34
PID 2656 wrote to memory of 2868 | 2656 | rundll32.exe | 34
PID 2656 wrote to memory of 2868 | 2656 | rundll32.exe | 34
PID 2656 wrote to memory of 2868 | 2656 | rundll32.exe | 34
PID 2204 wrote to memory of 1088 | 2204 | f76e0ed.exe | 18
PID 2204 wrote to memory of 1172 | 2204 | f76e0ed.exe | 20
PID 2204 wrote to memory of 1200 | 2204 | f76e0ed.exe | 21
PID 2204 wrote to memory of 1864 | 2204 | f76e0ed.exe | 25
PID 2204 wrote to memory of 2596 | 2204 | f76e0ed.exe | 33
PID 2204 wrote to memory of 2596 | 2204 | f76e0ed.exe | 33
PID 2204 wrote to memory of 2868 | 2204 | f76e0ed.exe | 34
PID 2204 wrote to memory of 2868 | 2204 | f76e0ed.exe | 34
PID 2868 wrote to memory of 1088 | 2868 | f76fcb6.exe | 18
PID 2868 wrote to memory of 1172 | 2868 | f76fcb6.exe | 20
PID 2868 wrote to memory of 1200 | 2868 | f76fcb6.exe | 21
PID 2868 wrote to memory of 1864 | 2868 | f76fcb6.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76fcb6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e0ed.exe
Processes (indentation shows the parent/child depth reported by the sandbox)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1088

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1200

  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d71878a266c4a25bf931119ff965e95839ffdf6e90f06e5123dfc0a615212c2.dll,#1 | PID:3040
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d71878a266c4a25bf931119ff965e95839ffdf6e90f06e5123dfc0a615212c2.dll,#1 | PID:2656
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f76e0ed.exe | C:\Users\Admin\AppData\Local\Temp\f76e0ed.exe | PID:2204
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\AppData\Local\Temp\f76e2b1.exe | C:\Users\Admin\AppData\Local\Temp\f76e2b1.exe | PID:2596
      - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\f76fcb6.exe | C:\Users\Admin\AppData\Local\Temp\f76fcb6.exe | PID:2868
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1864
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: bd325fa18fe7f6b0ec6c34a135a18583
SHA1: a6f0f28f5ac44fb25739316796cefad45b91e1d7
SHA256: e0e3a24d4aad4bfc86cf608088b25427cb7d0bc75d418144da542538222f98b7
SHA512: a4ba8b21ade4387a458d52370c7288edc08efacd5584b682708abd73ab3720cbf82fcf468ef532347785cb1ff4f0077fb8bb6b06d93e0d4ee879188246b90266

Filesize: 257B
MD5: 45a37f10b77acc3f265621c5bbae4c65
SHA1: 90a4b40f606cc7968efa0a56a146b0349be6e610
SHA256: 10252d1f0370df5efdbf5be5f282576f7edc782e0bad88ed9e3931b5d5760f99
SHA512: beee877f28559929a3ccdce134913e97d13e32a3760ca12790a7a7de3c63f68443bf4afeed16b5ee6252c15e5b4ca2f06289209f5f9153aaf4934f137cbe8437