Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2025 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 409a501dc82db8683f0c5ad57926eeb5c87e66032dd9f683672d5ddc87e507a2.dll
Resource: win7-20240903-en
General
Target: 409a501dc82db8683f0c5ad57926eeb5c87e66032dd9f683672d5ddc87e507a2.dll
Size: 120KB
MD5: 608007011d60ece1ddfff1e747a146bf
SHA1: be26fac45f2967249f527dfa479777532f9c8b60
SHA256: 409a501dc82db8683f0c5ad57926eeb5c87e66032dd9f683672d5ddc87e507a2
SHA512: 687b33742e1d2bbd05072069d618542d27a7441274385ac694ee8822c9969a82d4e3d06028f8046a279b9b07894e2475519153cab088a44753a8a08915efed80
SSDEEP: 1536:gYW1BZqAJ5UBZUCrLw72oAcCjqyTtqgYZrAROH8UatBrKeLuHtyqCO4CS+1I/iX:zWfJC2zCjqQiroOH8USrCCO4CShKX
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c66b.exe
Sality family

UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c66b.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e225.exe
Executes dropped EXE (3 IoCs)
pid | Process
3004 | f76c66b.exe
2624 | f76c800.exe
2684 | f76e225.exe

Loads dropped DLL (6 IoCs)
pid | Process
2988 | rundll32.exe
2988 | rundll32.exe
2988 | rundll32.exe
2988 | rundll32.exe
2988 | rundll32.exe
2988 | rundll32.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c66b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c66b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76e225.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76e225.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e225.exe
Enumerates connected drives (3 TTPs, 17 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | f76e225.exe
File opened (read-only) | \??\G: | f76c66b.exe
File opened (read-only) | \??\I: | f76c66b.exe
File opened (read-only) | \??\J: | f76c66b.exe
File opened (read-only) | \??\N: | f76c66b.exe
File opened (read-only) | \??\P: | f76c66b.exe
File opened (read-only) | \??\S: | f76c66b.exe
File opened (read-only) | \??\H: | f76c66b.exe
File opened (read-only) | \??\M: | f76c66b.exe
File opened (read-only) | \??\O: | f76c66b.exe
File opened (read-only) | \??\R: | f76c66b.exe
File opened (read-only) | \??\T: | f76c66b.exe
File opened (read-only) | \??\E: | f76e225.exe
File opened (read-only) | \??\K: | f76c66b.exe
File opened (read-only) | \??\E: | f76c66b.exe
File opened (read-only) | \??\L: | f76c66b.exe
File opened (read-only) | \??\Q: | f76c66b.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f77170a | f76e225.exe
File created | C:\Windows\f76c6b9 | f76c66b.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76c66b.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c66b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76e225.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3004 | f76c66b.exe
3004 | f76c66b.exe
2684 | f76e225.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 3004 | f76c66b.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Token: SeDebugPrivilege | 2684 | f76e225.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 1964 wrote to memory of 2988 | 1964 | rundll32.exe | 30
PID 2988 wrote to memory of 3004 | 2988 | rundll32.exe | 31
PID 2988 wrote to memory of 3004 | 2988 | rundll32.exe | 31
PID 2988 wrote to memory of 3004 | 2988 | rundll32.exe | 31
PID 2988 wrote to memory of 3004 | 2988 | rundll32.exe | 31
PID 3004 wrote to memory of 1112 | 3004 | f76c66b.exe | 19
PID 3004 wrote to memory of 1176 | 3004 | f76c66b.exe | 20
PID 3004 wrote to memory of 1208 | 3004 | f76c66b.exe | 21
PID 3004 wrote to memory of 1108 | 3004 | f76c66b.exe | 23
PID 3004 wrote to memory of 1964 | 3004 | f76c66b.exe | 29
PID 3004 wrote to memory of 2988 | 3004 | f76c66b.exe | 30
PID 3004 wrote to memory of 2988 | 3004 | f76c66b.exe | 30
PID 2988 wrote to memory of 2624 | 2988 | rundll32.exe | 32
PID 2988 wrote to memory of 2624 | 2988 | rundll32.exe | 32
PID 2988 wrote to memory of 2624 | 2988 | rundll32.exe | 32
PID 2988 wrote to memory of 2624 | 2988 | rundll32.exe | 32
PID 2988 wrote to memory of 2684 | 2988 | rundll32.exe | 34
PID 2988 wrote to memory of 2684 | 2988 | rundll32.exe | 34
PID 2988 wrote to memory of 2684 | 2988 | rundll32.exe | 34
PID 2988 wrote to memory of 2684 | 2988 | rundll32.exe | 34
PID 3004 wrote to memory of 1112 | 3004 | f76c66b.exe | 19
PID 3004 wrote to memory of 1176 | 3004 | f76c66b.exe | 20
PID 3004 wrote to memory of 1208 | 3004 | f76c66b.exe | 21
PID 3004 wrote to memory of 1108 | 3004 | f76c66b.exe | 23
PID 3004 wrote to memory of 2624 | 3004 | f76c66b.exe | 32
PID 3004 wrote to memory of 2624 | 3004 | f76c66b.exe | 32
PID 3004 wrote to memory of 2684 | 3004 | f76c66b.exe | 34
PID 3004 wrote to memory of 2684 | 3004 | f76c66b.exe | 34
PID 2684 wrote to memory of 1112 | 2684 | f76e225.exe | 19
PID 2684 wrote to memory of 1176 | 2684 | f76e225.exe | 20
PID 2684 wrote to memory of 1208 | 2684 | f76e225.exe | 21
PID 2684 wrote to memory of 1108 | 2684 | f76e225.exe | 23
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c66b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76e225.exe
Processes
(indentation shows process-tree depth; each entry gives image path, command line and PID, followed by the signatures that fired for it)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1112

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1176

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1208

  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\409a501dc82db8683f0c5ad57926eeb5c87e66032dd9f683672d5ddc87e507a2.dll,#1 | PID:1964
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\409a501dc82db8683f0c5ad57926eeb5c87e66032dd9f683672d5ddc87e507a2.dll,#1 | PID:2988
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f76c66b.exe | C:\Users\Admin\AppData\Local\Temp\f76c66b.exe | PID:3004
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\AppData\Local\Temp\f76c800.exe | C:\Users\Admin\AppData\Local\Temp\f76c800.exe | PID:2624
      - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\f76e225.exe | C:\Users\Admin\AppData\Local\Temp\f76e225.exe | PID:2684
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1108
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

Filesize: 257B
MD5: 4b7382ccdc04d27fa1d2aaed0943f3ab
SHA1: 1bed0b2abcfa07db47e0932e8de0ed00a1bc6d05
SHA256: 20b5c6a3f6fa41cf97535683d5837ff5a4f35053a99646b02514e4a1a792bdd2
SHA512: 338723ef2089399d703f8d55466f10547a5997e28eebdc24325c732938c1822a88ab53432bb9f68cb12f11c1f0855454b3e4a2d6de59d2d0459d8e9c72a44a7c

Filesize: 97KB
MD5: 0128e7eb42d0c07202f5bdaba9c93ddc
SHA1: 768743e79058859dadd6e6c0e5191a9885646a57
SHA256: cdb2875b4f7da9ce1361bd01d0f63dd4217970e3db5086de1e7e0a5277e35aae
SHA512: ac1a37d25dd5bce52c377b41c4ea4ef1f29c7d2c067e916e2231d2da64dc6fd803ee23b8c35551e73be19a2db2a1990df72a121a8560cf47e6c9c3586f2986f2