Overview

overview

10

Static

static

Fasapos.exe

windows7_x64

10

Fasapos.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fasapos.exe

  • Size

    3.8MB

  • MD5

    06520d039dc1372fec03e88669785ae0

  • SHA1

    0afaf454daa59ab4d5af84f20d46b6ede83df3aa

  • SHA256

    513c36f4a21c7ebf125fe36b98fb2c065898b9f543a6e8dbbf3f9a041c5b86fa

  • SHA512

    6aeb2a52e99e0cab49b0c395bf2b4d8453e43543d7700e644b09713023a6e73a32ec74bae425e835c550b480db783a0f80e793edfeb8c76774e510294854db9f

Score
10/10
salitybackdoorevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Disables RegEdit via registry modification
    evasion
  • Disables Task Manager via registry modification
    evasion
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:712
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:716
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:976
        • c:\windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2376
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
            1⤵
              PID:2388
            • c:\windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:2648
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3008
                  • C:\Users\Admin\AppData\Local\Temp\Fasapos.exe
                    "C:\Users\Admin\AppData\Local\Temp\Fasapos.exe"
                    2⤵
                    • Modifies firewall policy service
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Enumerates connected drives
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:2352
                • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
                  "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
                  1⤵
                    PID:3204
                  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
                    1⤵
                      PID:3216
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3448
                      • C:\Windows\system32\DllHost.exe
                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                        1⤵
                          PID:3692

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Modify Existing Service

                        1
                        T1031

                        Privilege Escalation

                        Bypass User Account Control

                        1
                        T1088

                        Defense Evasion

                        Modify Registry

                        5
                        T1112

                        Bypass User Account Control

                        1
                        T1088

                        Disabling Security Tools

                        3
                        T1089

                        Credential Access

                        Discovery

                        System Information Discovery

                        3
                        T1082

                        Query Registry

                        1
                        T1012

                        Peripheral Device Discovery

                        1
                        T1120

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2352-115-0x00000000022D0000-0x000000000335E000-memory.dmp
                          Filesize

                          16.6MB

                          Download
                        • memory/2352-116-0x0000000004D40000-0x0000000004D42000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2352-117-0x00000000059A0000-0x00000000059A1000-memory.dmp
                          Filesize

                          4KB

                          Download