Analysis
max time kernel: 83s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2024 17:13

Static task: static1
Behavioral task: behavioral1
Sample: 762c77dac3df240f2dd548ad29b50c952515b6cee0076fd8159a8af37749df38N.dll
Resource: win7-20240903-en

General
Target: 762c77dac3df240f2dd548ad29b50c952515b6cee0076fd8159a8af37749df38N.dll
Size: 120KB
MD5: f996cd58ba8593422c2d6b554e583350
SHA1: d6b13174d1ce552ce3aaae54de7e1c3ba9547c15
SHA256: 762c77dac3df240f2dd548ad29b50c952515b6cee0076fd8159a8af37749df38
SHA512: bda08a5f258636aea2049ef6b61e4b60f053d7540e313b057a49d2cfb79a768074d45b15c054ef1d9a829581b7bbff60da9dcc646a45557f1438aecca4658782
SSDEEP: 1536:Ug/JzJ21qktSQN/XJvmqvIALdDAvZfBFOpwY/a3p9YoQ8VNieAhE8Ja3R:z/FJ2ntSQN/Xhmqvz+ffwa5PIeAhEF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service  3 TTPs  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76db13.exe
Sality family

UAC bypass  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f99b.exe

Windows security bypass  12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76db13.exe
Executes dropped EXE  3 IoCs
pid | Process
2896 | f76db13.exe
2752 | f76dc7a.exe
2584 | f76f99b.exe

Loads dropped DLL  6 IoCs
pid | Process
1548 | rundll32.exe  (6 entries, all from PID 1548)
Windows security modification  14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76db13.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76f99b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76f99b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76db13.exe

Checks whether UAC is enabled  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f99b.exe
Enumerates connected drives  3 TTPs  15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | f76db13.exe
File opened (read-only) | \??\Q: | f76db13.exe
File opened (read-only) | \??\G: | f76f99b.exe
File opened (read-only) | \??\N: | f76db13.exe
File opened (read-only) | \??\E: | f76db13.exe
File opened (read-only) | \??\G: | f76db13.exe
File opened (read-only) | \??\L: | f76db13.exe
File opened (read-only) | \??\M: | f76db13.exe
File opened (read-only) | \??\P: | f76db13.exe
File opened (read-only) | \??\E: | f76f99b.exe
File opened (read-only) | \??\H: | f76f99b.exe
File opened (read-only) | \??\I: | f76db13.exe
File opened (read-only) | \??\J: | f76db13.exe
File opened (read-only) | \??\K: | f76db13.exe
File opened (read-only) | \??\O: | f76db13.exe
UPX packed file (yara rule: upx)  26 IoCs
resource | yara_rule
behavioral1/memory/2896-N-0x00000000006D0000-0x000000000178A000-memory.dmp | upx  (24 dumps of the f76db13.exe image region; N = 14-23, 62-65, 67, 81, 83-85, 104, 106, 108, 109, 149)
behavioral1/memory/2584-N-0x0000000000980000-0x0000000001A3A000-memory.dmp | upx  (2 dumps of the f76f99b.exe image region; N = 165, 208)
Drops file in Windows directory  3 IoCs
description | ioc | Process
File created | C:\Windows\f76db61 | f76db13.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76db13.exe
File created | C:\Windows\f772b35 | f76f99b.exe
System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76db13.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76f99b.exe
Suspicious behavior: EnumeratesProcesses  3 IoCs
pid | Process
2896 | f76db13.exe
2896 | f76db13.exe
2584 | f76f99b.exe

Suspicious use of AdjustPrivilegeToken  46 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2896 | f76db13.exe  (24 entries)
Token: SeDebugPrivilege | 2584 | f76f99b.exe  (22 entries)
Suspicious use of WriteProcessMemory  38 IoCs
description | pid | Process | procid_target
PID 548 wrote to memory of 1548 | 548 | rundll32.exe | 31  (x7)
PID 1548 wrote to memory of 2896 | 1548 | rundll32.exe | 32  (x4)
PID 2896 wrote to memory of 1120 | 2896 | f76db13.exe | 19
PID 2896 wrote to memory of 1168 | 2896 | f76db13.exe | 20
PID 2896 wrote to memory of 1212 | 2896 | f76db13.exe | 21
PID 2896 wrote to memory of 1540 | 2896 | f76db13.exe | 23
PID 2896 wrote to memory of 548 | 2896 | f76db13.exe | 30
PID 2896 wrote to memory of 1548 | 2896 | f76db13.exe | 31  (x2)
PID 1548 wrote to memory of 2752 | 1548 | rundll32.exe | 33  (x4)
PID 1548 wrote to memory of 2584 | 1548 | rundll32.exe | 34  (x4)
PID 2896 wrote to memory of 1120 | 2896 | f76db13.exe | 19
PID 2896 wrote to memory of 1168 | 2896 | f76db13.exe | 20
PID 2896 wrote to memory of 1212 | 2896 | f76db13.exe | 21
PID 2896 wrote to memory of 1540 | 2896 | f76db13.exe | 23
PID 2896 wrote to memory of 2752 | 2896 | f76db13.exe | 33  (x2)
PID 2896 wrote to memory of 2584 | 2896 | f76db13.exe | 34  (x2)
PID 2584 wrote to memory of 1120 | 2584 | f76f99b.exe | 19
PID 2584 wrote to memory of 1168 | 2584 | f76f99b.exe | 20
PID 2584 wrote to memory of 1212 | 2584 | f76f99b.exe | 21
PID 2584 wrote to memory of 1540 | 2584 | f76f99b.exe | 23
System policy modification  1 TTPs  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76db13.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76f99b.exe
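The registry signatures above (firewall policy, EnableLUA, Security Center overrides and notification switches) are one defense-evasion cluster, and on a live host you would hunt for them together rather than one value at a time. The script below is an added example, not part of this report or of the sandbox's own detection logic. It parses "Set value" lines in the layout this report uses, normalises the key paths (the sandbox records ControlSet001, and the dropped executables are 32-bit so their Security Center writes were redirected to Wow6432Node; a native 64-bit query uses CurrentControlSet and the non-redirected view), matches them against a small rule set mapped to ATT&CK technique IDs (T1562.004, T1548.002, T1562.001, T1112), and flags any process that hits several techniques at once. The sample events are a constructed subset of this page's IoCs plus one benign write; the rule labels and the clustering threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample, not a sandbox export: "Set value" IoCs copied from the
# Signatures section of this report plus one benign user-preference write as noise.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76db13.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76db13.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76db13.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76db13.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76f99b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f76f99b.exe',
    # constructed benign noise: a user toggling "show hidden files" in Explorer
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

# description, key path (may contain spaces), quoted value, writing process
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

# (label, ATT&CK technique, regex over the normalised key path, values that trigger)
RULES = [
    ("firewall disabled",           "T1562.004", re.compile(r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", re.I), {"0"}),
    ("firewall exceptions allowed", "T1562.004", re.compile(r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", re.I), {"0"}),
    ("firewall notifications off",  "T1562.004", re.compile(r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", re.I), {"1"}),
    ("UAC disabled",                "T1548.002", re.compile(r"\\Policies\\System\\EnableLUA$", re.I), {"0"}),
    ("Security Center silenced",    "T1562.001", re.compile(r"\\Security Center\\\w+(Override|DisableNotify)$", re.I), {"1"}),
]


def normalize_key(key):
    """Fold the sandbox's native-path spelling into the form a host query uses:
    \\REGISTRY\\MACHINE -> HKLM, ControlSetNNN -> CurrentControlSet, and drop
    Wow6432Node so 32-bit and 64-bit writers hit the same rule."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.I)
    key = re.sub(r"\\Wow6432Node(?=\\)", "", key, flags=re.I)
    return key


def parse_event(line):
    """Return {type, key, value, process} for a 'Set value' line, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, key, value, proc = m.groups()
    return {"type": vtype, "key": normalize_key(key), "value": value, "process": proc}


def triage(lines):
    """Return {process: {"hits": [(label, technique, key)], "techniques": [...]}}.
    Every matching write also counts as T1112 (Modify Registry)."""
    report = defaultdict(lambda: {"hits": [], "techniques": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label, technique, key_re, bad_values in RULES:
            if key_re.search(ev["key"]) and ev["value"] in bad_values:
                entry = report[ev["process"]]
                entry["hits"].append((label, technique, ev["key"]))
                entry["techniques"].update({technique, "T1112"})
    return {p: {"hits": e["hits"], "techniques": sorted(e["techniques"])} for p, e in report.items()}


def defense_evasion_cluster(entry, min_techniques=3):
    """Sality-style tampering touches firewall, UAC and Security Center together;
    require several distinct techniques from one process before calling it a cluster."""
    return len(entry["techniques"]) >= min_techniques


if __name__ == "__main__":
    for proc, entry in triage(SAMPLE_EVENTS).items():
        flag = "CLUSTER" if defense_evasion_cluster(entry) else "single"
        print(f"{proc:14} {flag:8} {', '.join(entry['techniques'])}")
        for label, technique, key in entry["hits"]:
            print(f"    {technique} {label}: {key}")
```

The threshold in defense_evasion_cluster is deliberately per process: a single EnableLUA=0 write has benign administrative explanations, while one process disabling the firewall, UAC and Security Center notifications within seconds does not. Feed it Sysmon event ID 13 or EDR registry telemetry rendered into the same line layout and it works unchanged.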
Processes
C:\Windows\system32\taskhost.exe  ("taskhost.exe")  PID:1120

C:\Windows\system32\Dwm.exe  ("C:\Windows\system32\Dwm.exe")  PID:1168

C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)  PID:1212

C:\Windows\system32\rundll32.exe  (rundll32.exe C:\Users\Admin\AppData\Local\Temp\762c77dac3df240f2dd548ad29b50c952515b6cee0076fd8159a8af37749df38N.dll,#1)  PID:548
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (rundll32.exe C:\Users\Admin\AppData\Local\Temp\762c77dac3df240f2dd548ad29b50c952515b6cee0076fd8159a8af37749df38N.dll,#1)  PID:1548
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\f76db13.exe  (C:\Users\Admin\AppData\Local\Temp\f76db13.exe)  PID:2896
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
        C:\Users\Admin\AppData\Local\Temp\f76dc7a.exe  (C:\Users\Admin\AppData\Local\Temp\f76dc7a.exe)  PID:2752
            - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\f76f99b.exe  (C:\Users\Admin\AppData\Local\Temp\f76f99b.exe)  PID:2584
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification

C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:1540
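The process tree and the WriteProcessMemory table together show two kinds of memory writes: the parent-to-child writes that accompany process start-up (rundll32 548 into rundll32 1548, rundll32 1548 into the three dropped executables) and writes from f76db13.exe and f76f99b.exe into processes they did not create, including every pre-existing top-level process (taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe) and their own ancestors. Both writers also adjusted SeDebugPrivilege first, which is what lets a process open other users' processes for writing. The script below is an added example, not part of this report or of any sandbox tooling: it encodes the parent relationships from the tree and the writer/target pairs from the table (constructed from this page, repeats collapsed), separates the expected parent-to-child writes from the rest, and lists which already-running processes received code from the dropped executables, which is the set an incident responder would memory-dump and terminate. Treating the four top-level tree entries as pre-existing is an assumption drawn from the tree layout.

```python
from collections import defaultdict

# Constructed from the Processes tree and the "Suspicious use of WriteProcessMemory"
# table in this report: pid -> (image, parent pid). Parent None means the tree shows
# no parent (the four top-level Windows processes and the launching rundll32).
PROCESSES = {
    1120: ("taskhost.exe", None),
    1168: ("Dwm.exe", None),
    1212: ("Explorer.EXE", None),
    1540: ("DllHost.exe", None),
    548:  ("rundll32.exe", None),
    1548: ("rundll32.exe", 548),
    2896: ("f76db13.exe", 1548),
    2752: ("f76dc7a.exe", 1548),
    2584: ("f76f99b.exe", 1548),
}
# Assumption: the top-level tree entries were already running before the sample started.
PRE_EXISTING = {1120, 1168, 1212, 1540}
# (writer pid, target pid) pairs from the table, in report order, repeats collapsed.
WRITES = [
    (548, 1548), (1548, 2896),
    (2896, 1120), (2896, 1168), (2896, 1212), (2896, 1540), (2896, 548), (2896, 1548),
    (1548, 2752), (1548, 2584),
    (2896, 2752), (2896, 2584),
    (2584, 1120), (2584, 1168), (2584, 1212), (2584, 1540),
]


def is_ancestor(procs, candidate, pid):
    """True if `candidate` sits anywhere on the parent chain of `pid`."""
    parent = procs[pid][1]
    while parent is not None:
        if parent == candidate:
            return True
        parent = procs[parent][1]
    return False


def classify_writes(procs, writes):
    """Split writes into parent->child (the normal process start-up pattern) and
    everything else, which is a cross-process write worth treating as injection."""
    expected, injection = [], []
    for writer, target in writes:
        (expected if procs[target][1] == writer else injection).append((writer, target))
    return expected, injection


def relation(procs, writer, target):
    """How the target relates to the writer: up the tree, pre-existing, or neither."""
    if is_ancestor(procs, target, writer):
        return "ancestor"
    if target in PRE_EXISTING:
        return "pre-existing"
    return "unrelated"


def injection_summary(procs, writes):
    """{'image (pid)': sorted ['target image (pid) [relation]', ...]} for non-child writes."""
    _, injection = classify_writes(procs, writes)
    out = defaultdict(list)
    for writer, target in injection:
        out[f"{procs[writer][0]} ({writer})"].append(
            f"{procs[target][0]} ({target}) [{relation(procs, writer, target)}]")
    return {k: sorted(v) for k, v in out.items()}


def injected_system_processes(procs, writes):
    """PIDs of pre-existing processes that received a non-child write: the ones to
    memory-dump and scan for the injected payload, and to terminate during cleanup."""
    _, injection = classify_writes(procs, writes)
    return sorted({t for _, t in injection if t in PRE_EXISTING})


if __name__ == "__main__":
    for writer, targets in injection_summary(PROCESSES, WRITES).items():
        print(writer)
        for t in targets:
            print("   ->", t)
    print("pre-existing processes to dump:", injected_system_processes(PROCESSES, WRITES))
```

Only the parent-to-child edges are excluded, so a write into a sibling, an ancestor or a long-running system process is always reported; that is the right default for a host timeline, where the same classification can be applied to Sysmon event ID 8/10 or EDR cross-process events once the parent map is built from process-creation records.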
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 38a7367776b3770f2e42e9087fe531af
SHA1: 55e971b8769062d98731c074094b78fe4494dd34
SHA256: f6307a5cb91762f54042cf91280fa402fa965412dcc7d43f5b245622c6d8a2af
SHA512: ab6ac39836e226cebf062468015f9845e6fbe66f631afb87fa8505e4602e0082f1312a898a100003d3d70d7f6126979999543cecf2a3b51132d8f649dc372eda

Filesize: 256B
MD5: f02682e006de3cf6432aab556e015207
SHA1: a1d6d3eeadae1ec8520bed797dd4a347d673eb84
SHA256: 1f486849f2bae2135a1b1ad0d42138187176172f852e7d5cf94693d6f85af271
SHA512: bd946c0d2e1270bc7b15a7829d2fa7d6409a6379a97a8c2ed03272f55029371632b186088ab816d5423e155248ae37c225ee4fba9645a537ff22ace6f75e42e0