Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-01-2025 04:00
Static task: static1
Behavioral task: behavioral1
Sample: dbb05aa00b27bf2f5931a4cf898a4532f91c9b55a94906c5a92abae93b4174f9.dll
Resource: win7-20240903-en
General
Target: dbb05aa00b27bf2f5931a4cf898a4532f91c9b55a94906c5a92abae93b4174f9.dll
Size: 120KB
MD5: aefc83f151afb680020c81a876d142c4
SHA1: 2a01783c73827870b67130567bc6748b6034b46a
SHA256: dbb05aa00b27bf2f5931a4cf898a4532f91c9b55a94906c5a92abae93b4174f9
SHA512: 4c1865437d286efcb76d4082d3be7a49b57a92fb5e63cfd1d9ce9f4b48c7dfd0f7e3aa0372fde3f20757b6d624a41f2f324aeaf56144c30b06c17476d10977b8
SSDEEP: 1536:yASoUSgQA7BiTMecrp5lG5PC1xYpEwa7pcHP1hLR+eLnvt+CHWycf3P/rRkxeENy:x0F7AYpeCdf7pcH9+8n4CHRc/3eKB
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f769c3f.exe
Sality family

UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bac7.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769c3f.exe
Executes dropped EXE (3 IoCs)
pid | Process
2100 | f769c3f.exe
2840 | f769e04.exe
2684 | f76bac7.exe
Loads dropped DLL (6 IoCs)
pid | Process
1736 | rundll32.exe (6 identical entries)
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f769c3f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f769c3f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76bac7.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769c3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bac7.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | f769c3f.exe
File opened (read-only) | \??\G: | f769c3f.exe
File opened (read-only) | \??\L: | f769c3f.exe
File opened (read-only) | \??\O: | f769c3f.exe
File opened (read-only) | \??\P: | f769c3f.exe
File opened (read-only) | \??\Q: | f769c3f.exe
File opened (read-only) | \??\G: | f76bac7.exe
File opened (read-only) | \??\S: | f769c3f.exe
File opened (read-only) | \??\E: | f769c3f.exe
File opened (read-only) | \??\H: | f769c3f.exe
File opened (read-only) | \??\I: | f769c3f.exe
File opened (read-only) | \??\R: | f769c3f.exe
File opened (read-only) | \??\E: | f76bac7.exe
File opened (read-only) | \??\H: | f76bac7.exe
File opened (read-only) | \??\J: | f769c3f.exe
File opened (read-only) | \??\K: | f769c3f.exe
File opened (read-only) | \??\M: | f769c3f.exe
File opened (read-only) | \??\N: | f769c3f.exe
resource | yara_rule
behavioral1/memory/2100-15-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-18-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-20-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-17-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-14-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-23-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-21-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-19-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-16-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-22-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-59-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-60-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-61-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-62-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-63-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-65-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-66-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-67-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-68-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-83-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-85-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-105-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-107-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2100-148-0x0000000000690000-0x000000000174A000-memory.dmp | upx
behavioral1/memory/2684-160-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
behavioral1/memory/2684-203-0x0000000000910000-0x00000000019CA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | f769c3f.exe
File created | C:\Windows\f76ecb0 | f76bac7.exe
File created | C:\Windows\f769cad | f769c3f.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f769c3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76bac7.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2100 | f769c3f.exe
2100 | f769c3f.exe
2684 | f76bac7.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2100 | f769c3f.exe (23 identical entries)
Token: SeDebugPrivilege | 2684 | f76bac7.exe (23 identical entries)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2040 wrote to memory of 1736 | 2040 | rundll32.exe | 30 (7 identical entries)
PID 1736 wrote to memory of 2100 | 1736 | rundll32.exe | 31 (4 identical entries)
PID 2100 wrote to memory of 1100 | 2100 | f769c3f.exe | 19
PID 2100 wrote to memory of 1152 | 2100 | f769c3f.exe | 20
PID 2100 wrote to memory of 1196 | 2100 | f769c3f.exe | 21
PID 2100 wrote to memory of 1624 | 2100 | f769c3f.exe | 25
PID 2100 wrote to memory of 2040 | 2100 | f769c3f.exe | 29
PID 2100 wrote to memory of 1736 | 2100 | f769c3f.exe | 30 (2 identical entries)
PID 1736 wrote to memory of 2840 | 1736 | rundll32.exe | 32 (4 identical entries)
PID 1736 wrote to memory of 2684 | 1736 | rundll32.exe | 33 (4 identical entries)
PID 2100 wrote to memory of 1100 | 2100 | f769c3f.exe | 19
PID 2100 wrote to memory of 1152 | 2100 | f769c3f.exe | 20
PID 2100 wrote to memory of 1196 | 2100 | f769c3f.exe | 21
PID 2100 wrote to memory of 1624 | 2100 | f769c3f.exe | 25
PID 2100 wrote to memory of 2840 | 2100 | f769c3f.exe | 32 (2 identical entries)
PID 2100 wrote to memory of 2684 | 2100 | f769c3f.exe | 33 (2 identical entries)
PID 2684 wrote to memory of 1100 | 2684 | f76bac7.exe | 19
PID 2684 wrote to memory of 1152 | 2684 | f76bac7.exe | 20
PID 2684 wrote to memory of 1196 | 2684 | f76bac7.exe | 21
PID 2684 wrote to memory of 1624 | 2684 | f76bac7.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76bac7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f769c3f.exe
Processes
- C:\Windows\system32\taskhost.exe (cmdline: "taskhost.exe") [PID 1100]
- C:\Windows\system32\Dwm.exe (cmdline: "C:\Windows\system32\Dwm.exe") [PID 1152]
- C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE) [PID 1196]
  - C:\Windows\system32\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbb05aa00b27bf2f5931a4cf898a4532f91c9b55a94906c5a92abae93b4174f9.dll,#1) [PID 2040]
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbb05aa00b27bf2f5931a4cf898a4532f91c9b55a94906c5a92abae93b4174f9.dll,#1) [PID 1736]
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\f769c3f.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f769c3f.exe) [PID 2100]
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\f769e04.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f769e04.exe) [PID 2840]
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\f76bac7.exe (cmdline: C:\Users\Admin\AppData\Local\Temp\f76bac7.exe) [PID 2684]
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\DllHost.exe (cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) [PID 1624]
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)