Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 05-02-2025 15:07
Static task: static1
Behavioral task: behavioral1
Sample: 2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll
Resource: win7-20241023-en
General
Target: 2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll
Size: 120KB
MD5: 1551b8b305f4869b1211172f5515cc40
SHA1: b4983ba6ffcc839e2415b419754f1dab5c55ce95
SHA256: 2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99b
SHA512: 338a3a3c7de1b13a14b631fc8a0d7956f88fa6dd92aa06f8a8043b7be5b9b51e4980b05fd2d5590b48eff21ea609d915172edee62b013b9bae1fed902e41d879
SSDEEP: 3072:VEgVV7VOvSMIlJxeJsBcQpCzxUamtiCF:VhDsIP0JA8FUaOi
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f76c4d5.exe

Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a92b.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c4d5.exe
Executes dropped EXE (3 IoCs)
pid | Process
1628 | f76a92b.exe
2640 | f76aaef.exe
2512 | f76c4d5.exe
Loads dropped DLL (6 IoCs)
pid | Process
2108 | rundll32.exe (6 load events)
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76a92b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f76c4d5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f76c4d5.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a92b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4d5.exe
Enumerates connected drives (3 TTPs, 16 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | f76c4d5.exe
File opened (read-only) | \??\P: | f76a92b.exe
File opened (read-only) | \??\N: | f76a92b.exe
File opened (read-only) | \??\H: | f76a92b.exe
File opened (read-only) | \??\I: | f76a92b.exe
File opened (read-only) | \??\K: | f76a92b.exe
File opened (read-only) | \??\M: | f76a92b.exe
File opened (read-only) | \??\R: | f76a92b.exe
File opened (read-only) | \??\G: | f76c4d5.exe
File opened (read-only) | \??\G: | f76a92b.exe
File opened (read-only) | \??\J: | f76a92b.exe
File opened (read-only) | \??\L: | f76a92b.exe
File opened (read-only) | \??\O: | f76a92b.exe
File opened (read-only) | \??\Q: | f76a92b.exe
File opened (read-only) | \??\S: | f76a92b.exe
File opened (read-only) | \??\E: | f76a92b.exe
Memory dumps matching YARA rule upx (23 IoCs)
resource | yara_rule
behavioral1/memory/1628-{13,14,15,16,17,18,19,20,21,22,62,63,64,65,66,68,69,85,87,89,157}-0x00000000005F0000-0x00000000016AA000-memory.dmp (21 dumps of the same region) | upx
behavioral1/memory/2512-{169,210}-0x0000000000900000-0x00000000019BA000-memory.dmp (2 dumps of the same region) | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\f76a9a7 | f76a92b.exe
File opened for modification | C:\Windows\SYSTEM.INI | f76a92b.exe
File created | C:\Windows\f76f91e | f76c4d5.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76a92b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f76c4d5.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1628 | f76a92b.exe
1628 | f76a92b.exe
2512 | f76c4d5.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1628 | f76a92b.exe (repeated)
Token: SeDebugPrivilege | 2512 | f76c4d5.exe (repeated)
(46 SeDebugPrivilege acquisitions in total, all by these two processes)
Suspicious use of WriteProcessMemory (38 IoCs)
description | pid | Process | procid_target
PID 2116 wrote to memory of 2108 | 2116 | rundll32.exe | 30 (7 events)
PID 2108 wrote to memory of 1628 | 2108 | rundll32.exe | 31 (4 events)
PID 1628 wrote to memory of 1112 | 1628 | f76a92b.exe | 19
PID 1628 wrote to memory of 1176 | 1628 | f76a92b.exe | 20
PID 1628 wrote to memory of 1204 | 1628 | f76a92b.exe | 21
PID 1628 wrote to memory of 1652 | 1628 | f76a92b.exe | 25
PID 1628 wrote to memory of 2116 | 1628 | f76a92b.exe | 29
PID 1628 wrote to memory of 2108 | 1628 | f76a92b.exe | 30 (2 events)
PID 2108 wrote to memory of 2640 | 2108 | rundll32.exe | 32 (4 events)
PID 2108 wrote to memory of 2512 | 2108 | rundll32.exe | 33 (4 events)
PID 1628 wrote to memory of 1112 | 1628 | f76a92b.exe | 19
PID 1628 wrote to memory of 1176 | 1628 | f76a92b.exe | 20
PID 1628 wrote to memory of 1204 | 1628 | f76a92b.exe | 21
PID 1628 wrote to memory of 1652 | 1628 | f76a92b.exe | 25
PID 1628 wrote to memory of 2640 | 1628 | f76a92b.exe | 32 (2 events)
PID 1628 wrote to memory of 2512 | 1628 | f76a92b.exe | 33 (2 events)
PID 2512 wrote to memory of 1112 | 2512 | f76c4d5.exe | 19
PID 2512 wrote to memory of 1176 | 2512 | f76c4d5.exe | 20
PID 2512 wrote to memory of 1204 | 2512 | f76c4d5.exe | 21
PID 2512 wrote to memory of 1652 | 2512 | f76c4d5.exe | 25
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76c4d5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f76a92b.exe
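Two things are worth keeping in mind when reading the registry signatures above. First, several signatures fire on the same writes: UAC bypass, Checks whether UAC is enabled and System policy modification are all triggered by the same two EnableLUA = "0" writes (a write, not a check, and one that only takes effect after the next logon or reboot), and Windows security bypass and Windows security modification overlap almost entirely on the Security Center values, so the raw IoC counts overstate the number of distinct actions. Second, the Security Center paths sit under Wow6432Node because the droppers are 32-bit processes on an x64 guest and WOW64 redirects their HKLM\SOFTWARE writes; a hunt that only looks at the native view would miss them. The following Python is an added example of mine, not the sandbox's code: it parses IoC rows in the flattened form this report uses, strips the WOW64 component, and reduces the rows to one defence-impairment label per distinct registry action per process. The sample rows are a subset copied from this report; the label wording and the suffix table are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the registry IoC rows from this report, kept in
# the flattened '<op> <path> [= "<data>"] <process>' form the report uses.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76a92b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76a92b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76c4d5.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76a92b.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76c4d5.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f76a92b.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76a92b.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe',
]

# The path is matched lazily and anchored by the trailing process name, so paths
# containing spaces ("Security Center") still split correctly.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>[^"]*)")? (?P<proc>\S+)$'
)

# (lower-cased path suffix, written data) -> what that write achieves.
# Labels are my own wording, not sandbox signature names.
DEFENCE_IMPAIRMENT = {
    (r"\policies\system\enablelua", "0"): "UAC disabled (EnableLUA=0, effective after reboot)",
    (r"\firewallpolicy\standardprofile\enablefirewall", "0"): "Windows Firewall disabled",
    (r"\firewallpolicy\standardprofile\donotallowexceptions", "0"): "firewall exceptions permitted",
    (r"\firewallpolicy\standardprofile\disablenotifications", "1"): "firewall notifications suppressed",
    (r"\security center\antivirusoverride", "1"): "Security Center AV state overridden",
    (r"\security center\firewalloverride", "1"): "Security Center firewall state overridden",
    (r"\security center\antivirusdisablenotify", "1"): "AV notifications suppressed",
    (r"\security center\firewalldisablenotify", "1"): "firewall status notifications suppressed",
    (r"\security center\updatesdisablenotify", "1"): "Windows Update notifications suppressed",
    (r"\security center\uacdisablenotify", "1"): "UAC notifications suppressed",
}


def parse_row(row):
    """Split one flattened IoC row into operation, path, data and writing process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    entry = m.groupdict()
    # A 32-bit writer on x64 is redirected under Wow6432Node by WOW64; strip that
    # component so the same logical key matches whichever view the sandbox recorded.
    entry["norm"] = entry["path"].lower().replace("\\wow6432node", "")
    return entry


def classify(entry):
    """Return the impairment label for a Set value row, or None if it is not one we track."""
    if entry["data"] is None:  # Key created / Key opened rows carry no data
        return None
    for (suffix, data), label in DEFENCE_IMPAIRMENT.items():
        if entry["norm"].endswith(suffix) and entry["data"] == data:
            return label
    return None


def summarise(rows):
    """Map each writing process to the sorted, de-duplicated impairments it caused."""
    per_proc = defaultdict(set)
    for row in rows:
        entry = parse_row(row)
        label = classify(entry)
        if label:
            per_proc[entry["proc"]].add(label)
    return {proc: sorted(labels) for proc, labels in per_proc.items()}


if __name__ == "__main__":
    for proc, labels in summarise(SAMPLE_IOCS).items():
        print(proc)
        for label in labels:
            print("  -", label)
```

Feeding the full row set from this report through summarise() collapses the 38 registry IoCs into the same short list for each dropper, which is the form a triage note or a hunt query wants; rows the suffix table does not know (the NLS\Language read, the Svc key creation) are parsed but not labelled, so extending coverage is a matter of adding entries rather than changing the parser.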
Processes
(indentation shows parent/child depth; the signatures each process triggered are listed beneath it)

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1112

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1176

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1204

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2116

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2290859e7670996d705ece11f8164ea6ef345f0d691296e2b3f0a81bc9f5c99bN.dll,#1
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2108

        C:\Users\Admin\AppData\Local\Temp\f76a92b.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76a92b.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 1628

        C:\Users\Admin\AppData\Local\Temp\f76aaef.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76aaef.exe
          - Executes dropped EXE
          PID: 2640

        C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe
          command line: C:\Users\Admin\AppData\Local\Temp\f76c4d5.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2512

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1652
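The process tree and the WriteProcessMemory rows together separate two very different kinds of memory write. The 64-bit rundll32.exe (2116) hands off to the SysWOW64 copy (2108), which is what happens when a 32-bit DLL is passed to the 64-bit rundll32, and 2108 then writes into the three droppers it spawns; a parent writing into a child it has just created is the ordinary loader pattern. The writes from f76a92b.exe (1628) and f76c4d5.exe (2512) into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe, long-running processes they did not create, are the cross-process injection a detection should key on. The following Python is an added example of mine, not the sandbox's code: it parses rows in the flattened form shown above, folds them into a writer-to-target edge count, and reports only the writes that are not into the writer's own child. The process table is reconstructed from the tree in this report and the rows are a subset copied from it; a target missing from the table is reported as unknown rather than dropped, because an injected-into process that the tree failed to record is exactly the case you do not want to lose.

```python
import re
from collections import Counter, defaultdict

# Process table constructed from the Processes tree in this report: pid -> (image, parent pid).
# Top-level processes have no recorded parent in the report, hence None.
PROCESSES = {
    1112: ("taskhost.exe", None),
    1176: ("Dwm.exe", None),
    1204: ("Explorer.EXE", None),
    1652: ("DllHost.exe", None),
    2116: ("rundll32.exe", None),
    2108: ("rundll32.exe", 2116),
    1628: ("f76a92b.exe", 2108),
    2640: ("f76aaef.exe", 2108),
    2512: ("f76c4d5.exe", 2108),
}

# Constructed sample: a subset of the WriteProcessMemory rows from this report.
WRITE_ROWS = [
    "PID 2116 wrote to memory of 2108 2116 rundll32.exe 30",
    "PID 2108 wrote to memory of 1628 2108 rundll32.exe 31",
    "PID 1628 wrote to memory of 1112 1628 f76a92b.exe 19",
    "PID 1628 wrote to memory of 1176 1628 f76a92b.exe 20",
    "PID 1628 wrote to memory of 1204 1628 f76a92b.exe 21",
    "PID 1628 wrote to memory of 1652 1628 f76a92b.exe 25",
    "PID 1628 wrote to memory of 2116 1628 f76a92b.exe 29",
    "PID 1628 wrote to memory of 2108 1628 f76a92b.exe 30",
    "PID 2108 wrote to memory of 2512 2108 rundll32.exe 33",
    "PID 1628 wrote to memory of 1112 1628 f76a92b.exe 19",
    "PID 2512 wrote to memory of 1112 2512 f76c4d5.exe 19",
    "PID 2512 wrote to memory of 1204 2512 f76c4d5.exe 21",
]

# The writer pid appears twice in each row; the back-reference insists they agree.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_write(row):
    """Return (writer pid, target pid, writer image) for one flattened row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
    return int(m["src"]), int(m["dst"]), m["image"]


def is_own_child(src, dst, processes=PROCESSES):
    """True when the target was spawned by the writer: the ordinary parent-to-new-child
    write rather than injection into a process the writer did not create."""
    entry = processes.get(dst)
    return entry is not None and entry[1] == src


def injection_report(rows, processes=PROCESSES):
    """Group cross-process writes by writer:
    {writer pid: [(target pid, target image, write count), ...]} sorted by target pid.
    Writes into the writer's own children are dropped; targets absent from the process
    table are kept and labelled '<unknown>' rather than silently skipped."""
    edges = Counter()
    for row in rows:
        src, dst, _ = parse_write(row)
        edges[(src, dst)] += 1
    report = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        if is_own_child(src, dst, processes):
            continue
        image = processes.get(dst, ("<unknown>", None))[0]
        report[src].append((dst, image, n))
    return dict(report)


if __name__ == "__main__":
    for writer, targets in injection_report(WRITE_ROWS).items():
        print(f"{writer} ({PROCESSES[writer][0]}) wrote into:")
        for pid, image, n in targets:
            print(f"    {pid:>5} {image:<14} x{n}")
```

Run against the full 38 rows, the report for 1628 lists every other process in the tree, including its own parent rundll32 pair, while 2116 and 2108 disappear entirely because all of their writes are into children they created; that asymmetry, not the raw count of WriteProcessMemory calls, is what distinguishes the droppers' behaviour from a loader's.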
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: c0081356aa7eb83b569d1dc436539689
SHA1: d2fb32ae802241f45b6718a7de81677ad4b42fb9
SHA256: fbc155647df3e3c2a2a46ba030b9313fb2b13836b7e7dfffde8145c569e875e5
SHA512: 8637cda220d3ef7a7a3689cfb93bd39af19cf28f05eba3e5176802d011c0d64422c14477a8096b3df902147318cb26c5ffe2c9ccdd779baeddb86817e90f8a38

Filesize: 257B
MD5: 59d82f5c4b8b3809efae1cafb31e8dfc
SHA1: 18f5826fe261c565a5fe008db36aac16c82d1807
SHA256: bd0fa5c13a2b6227fdb0d0a325ed5069b7b26fb3ba615034ad31ecf6745309e8
SHA512: faa136184a0507798190ffc4fa6b1e8daba5093015835684e56fc5cac136d9421f27018bf982a2ba010a0bbd741c9b683ceefb10c889c54af5571573cb4b8fc5