Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 29-12-2024 05:11
Static task: static1
Behavioral task: behavioral1
Sample: e3919cd13418daf566f8462ec27d3bdffe8d8c60b8c340a190284055c581c897.dll
Resource: win7-20241023-en
General
Target: e3919cd13418daf566f8462ec27d3bdffe8d8c60b8c340a190284055c581c897.dll
Size: 120KB
MD5: 49a5ae325f463148d504671413506903
SHA1: 5053187c7d1f3fecc73d34ef81d0afc1f4178a4c
SHA256: e3919cd13418daf566f8462ec27d3bdffe8d8c60b8c340a190284055c581c897
SHA512: c580fe6bfbf294dee117db911e104724cc5b2dbd2780fc050ab0d6dde45f1b3ca20e5c8e58cd388f16377f3a92768b58507180037b95b1bac79ee85c4dac67ef
SSDEEP: 3072:AufSm3dbpxqAXB4RByRiUC3P7ss5GgSHTWLmKQ:Auvbpxj4RBqujssFp
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76738b.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768f16.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f768f16.exe
Executes dropped EXE (3 IoCs)
pid | Process
2220 | f76738b.exe
2632 | f76755f.exe
3036 | f768f16.exe
Loads dropped DLL (6 IoCs)
pid | Process
308 | rundll32.exe
308 | rundll32.exe
308 | rundll32.exe
308 | rundll32.exe
308 | rundll32.exe
308 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f768f16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f768f16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76738b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f768f16.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768f16.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | f76738b.exe
File opened (read-only) | \??\P: | f76738b.exe
File opened (read-only) | \??\G: | f76738b.exe
File opened (read-only) | \??\K: | f76738b.exe
File opened (read-only) | \??\M: | f76738b.exe
File opened (read-only) | \??\R: | f76738b.exe
File opened (read-only) | \??\H: | f76738b.exe
File opened (read-only) | \??\I: | f76738b.exe
File opened (read-only) | \??\L: | f76738b.exe
File opened (read-only) | \??\Q: | f76738b.exe
File opened (read-only) | \??\S: | f76738b.exe
File opened (read-only) | \??\E: | f76738b.exe
File opened (read-only) | \??\J: | f76738b.exe
File opened (read-only) | \??\O: | f76738b.exe
File opened (read-only) | \??\T: | f76738b.exe
File opened (read-only) | \??\E: | f768f16.exe
File opened (read-only) | \??\G: | f768f16.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f767407 | f76738b.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76738b.exe
File created | C:\Windows\f76c3eb | f768f16.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76738b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f768f16.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2220 | f76738b.exe
2220 | f76738b.exe
3036 | f768f16.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Suspicious use of WriteProcessMemory (38 IoCs)
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76738b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f768f16.exe
Processes
- C:\Windows\system32\taskhost.exe ["taskhost.exe"] PID:1108
- C:\Windows\system32\Dwm.exe ["C:\Windows\system32\Dwm.exe"] PID:1156
- C:\Windows\Explorer.EXE [C:\Windows\Explorer.EXE] PID:1196
- C:\Windows\system32\rundll32.exe [rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3919cd13418daf566f8462ec27d3bdffe8d8c60b8c340a190284055c581c897.dll,#1] PID:1420
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe [rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3919cd13418daf566f8462ec27d3bdffe8d8c60b8c340a190284055c581c897.dll,#1] PID:308
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76738b.exe [C:\Users\Admin\AppData\Local\Temp\f76738b.exe] PID:2220
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76755f.exe [C:\Users\Admin\AppData\Local\Temp\f76755f.exe] PID:2632
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f768f16.exe [C:\Users\Admin\AppData\Local\Temp\f768f16.exe] PID:3036
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\DllHost.exe [C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}] PID:1676
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 537622e6e4865254aca0d8ca8c0c7413
  SHA1: f3e8fd185c5b2f60c93adcf3f777ff754621769e
  SHA256: f1df1edc2450915eed3dd586de2af1dbf96725c114107c1adc563afcfc2a1d77
  SHA512: 7dc536acb67abd57404852de7ded832795545e00a9b21e5698a3b4412a63613701d889a5af6b05b33b2d84b342933bef56a12a02d0a7dbfd9bf75ea06342d6e0
- Filesize: 97KB
  MD5: c603c31c41c7a5356c2d5f1aa97183ed
  SHA1: 82852f3982d934e8d9bd8a88dc526e57ce199d79
  SHA256: 94fa3a677ca6e961b7a5728db542a05d1bc643bee96167257edcef9a2387c22b
  SHA512: 3145bcc4c8ff4c0c668e802e9c963a6a8e172becc26bee789de878dc9ceae8fa07590785f172060325e14f2763627d2196b2a501d7a1362a4685f5cc0937c0de