Analysis
Max time kernel: 27s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 30-12-2024 13:58
Static task: static1
Behavioral task: behavioral1
Sample: 6eb2ca20a146835e3572169f310be3f08e6ccf25e5e61d79302e5746262b8884.dll
Resource: win7-20240903-en
General
Target: 6eb2ca20a146835e3572169f310be3f08e6ccf25e5e61d79302e5746262b8884.dll
Size: 120KB
MD5: cd6e40ca47c38bd5dbdcbdc3d48ba9e1
SHA1: cbe2b319a7c035655933c0c53dd8ee87812bb74a
SHA256: 6eb2ca20a146835e3572169f310be3f08e6ccf25e5e61d79302e5746262b8884
SHA512: c85503d3839e3af78619ebd97f69074aea6154ad6dc5e9002bee1167c417ef944790860c10116f150684a4130578df87739c29662b905e1c6f8106f98c3471f7
SSDEEP: 1536:6v0GWwxXsfqK7LYNLdXl9ef9TiNr1ZJ+EAHW1gXQz3x9U7emjHKDl:s0GWw9dKXYNJXlEF2Nr1X+E2A9yeKHS
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e57f.exe

Sality family

UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c9d4.exe

Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e57f.exe
Executes dropped EXE 3 IoCs
pid | Process
2896 | f76c9d4.exe
2892 | f76cb2b.exe
2032 | f76e57f.exe

Loads dropped DLL 6 IoCs
pid | Process
536 | rundll32.exe (6 loads)

Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c9d4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e57f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e57f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e57f.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e57f.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T: | f76c9d4.exe (15 IoCs)
File opened (read-only) | \??\E:, \??\G: | f76e57f.exe (2 IoCs)

Memory dumps matching YARA rule upx 24 IoCs
resource | yara_rule
behavioral1/memory/2896-{13,14,15,16,17,18,19,20,21,22,58,59,60,61,62,64,65,78,84,85,88,153}-0x0000000000590000-0x000000000164A000-memory.dmp | upx (22 dumps of the same region in PID 2896)
behavioral1/memory/2032-{167,207}-0x0000000000900000-0x00000000019BA000-memory.dmp | upx (2 dumps of the same region in PID 2032)
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\f76ca22 | f76c9d4.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c9d4.exe
File created | C:\Windows\f771a64 | f76e57f.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e57f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c9d4.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
2896 | f76c9d4.exe (2 IoCs)
2032 | f76e57f.exe (1 IoC)

Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2896 | f76c9d4.exe (repeated)
Token: SeDebugPrivilege | 2032 | f76e57f.exe (repeated)
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | count
PID 2160 wrote to memory of 536 | 2160 | rundll32.exe | 30 | 7
PID 536 wrote to memory of 2896 | 536 | rundll32.exe | 32 | 4
PID 2896 wrote to memory of 1112 | 2896 | f76c9d4.exe | 19 | 2
PID 2896 wrote to memory of 1164 | 2896 | f76c9d4.exe | 20 | 2
PID 2896 wrote to memory of 1192 | 2896 | f76c9d4.exe | 21 | 2
PID 2896 wrote to memory of 2036 | 2896 | f76c9d4.exe | 23 | 2
PID 2896 wrote to memory of 2160 | 2896 | f76c9d4.exe | 29 | 1
PID 2896 wrote to memory of 536 | 2896 | f76c9d4.exe | 30 | 2
PID 536 wrote to memory of 2892 | 536 | rundll32.exe | 33 | 4
PID 536 wrote to memory of 2032 | 536 | rundll32.exe | 34 | 4
PID 2896 wrote to memory of 2892 | 2896 | f76c9d4.exe | 33 | 2
PID 2896 wrote to memory of 2032 | 2896 | f76c9d4.exe | 34 | 2
PID 2032 wrote to memory of 1112 | 2032 | f76e57f.exe | 19 | 1
PID 2032 wrote to memory of 1164 | 2032 | f76e57f.exe | 20 | 1
PID 2032 wrote to memory of 1192 | 2032 | f76e57f.exe | 21 | 1
PID 2032 wrote to memory of 2036 | 2032 | f76e57f.exe | 23 | 1
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c9d4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e57f.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1112
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1164
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1192
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6eb2ca20a146835e3572169f310be3f08e6ccf25e5e61d79302e5746262b8884.dll,#1
  PID: 2160
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6eb2ca20a146835e3572169f310be3f08e6ccf25e5e61d79302e5746262b8884.dll,#1
    PID: 536
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f76c9d4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76c9d4.exe
      PID: 2896
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76cb2b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76cb2b.exe
      PID: 2892
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f76e57f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76e57f.exe
      PID: 2032
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 2036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 25b6708da10a936f41033fe4135fb75f
  SHA1: 79da8c9c5e073e9ff05719bb29dcf72170a816ee
  SHA256: b026ce4528be259f43f286f21e0f78cbd6f66966f509e3cc9e13528a7176b954
  SHA512: 0cefd9a7fc9c5630c13cd6790fc95575ce5a447e5e7bfb55f000a45d86678f6b8c2e78cfaa7a9cebd1dbc2dcacb1a9ad12cf23a061678bd677d3460b38e56403
- Filesize: 97KB
  MD5: 4b0b9ce919103425acc2123f6b431d27
  SHA1: 9e981ea26b0d05de64ff6da14475e27101a2f5f7
  SHA256: 8fb21dec3a9fa1724b11a0f2aa18bd9d71c2afb9255dcbe4fe5aa1a0ebd1f14f
  SHA512: ee61fd0aed5639e58bcd1629d9556be0ffb6e414e5976334dac67c6807f21390aaab4ac74cc190cf991d4605629e7d17bff8d12feccc72072832c67aa298ff0b