Analysis

max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-en-20211208
submitted: 11-02-2022 08:27

Static task: static1
Behavioral task: behavioral1
Sample: ScriptCryptor.exe
Resource: win7-en-20211208
General

Target: ScriptCryptor.exe
Size: 528KB
MD5: 55215f0ef9972f69b60f3f21a27a07d0
SHA1: 3fd5fb6f8bcd8fa33604a24ae0c856d451fba539
SHA256: 6d8d2c284235cac81763ee58e196b2f0b1e865cf192de04a64a4c3ecb350c85c
SHA512: 3367a528ec827b0d28c748c8e5304d883586685cf1dccf6abce095db01e3d36f16f486c0fd21984ca7e593c4e4962dee4dc71f0fa4eeb097d8e1972c559e9e6d
Malware Config

Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ScriptCryptor.exe

YARA match: upx (2 IoCs)
  resource | yara_rule
  behavioral1/memory/860-55-0x0000000002140000-0x00000000031CE000-memory.dmp | upx
  behavioral1/memory/860-61-0x0000000002140000-0x00000000031CE000-memory.dmp | upx
Windows security modification (7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ScriptCryptor.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ScriptCryptor.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ScriptCryptor.exe

Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ScriptCryptor.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\G: | ScriptCryptor.exe
  File opened (read-only) | \??\I: | ScriptCryptor.exe
  File opened (read-only) | \??\L: | ScriptCryptor.exe
  File opened (read-only) | \??\N: | ScriptCryptor.exe
  File opened (read-only) | \??\O: | ScriptCryptor.exe
  File opened (read-only) | \??\Q: | ScriptCryptor.exe
  File opened (read-only) | \??\S: | ScriptCryptor.exe
  File opened (read-only) | \??\U: | ScriptCryptor.exe
  File opened (read-only) | \??\V: | ScriptCryptor.exe
  File opened (read-only) | \??\Y: | ScriptCryptor.exe
  File opened (read-only) | \??\E: | ScriptCryptor.exe
  File opened (read-only) | \??\H: | ScriptCryptor.exe
  File opened (read-only) | \??\J: | ScriptCryptor.exe
  File opened (read-only) | \??\T: | ScriptCryptor.exe
  File opened (read-only) | \??\X: | ScriptCryptor.exe
  File opened (read-only) | \??\Z: | ScriptCryptor.exe
  File opened (read-only) | \??\F: | ScriptCryptor.exe
  File opened (read-only) | \??\K: | ScriptCryptor.exe
  File opened (read-only) | \??\M: | ScriptCryptor.exe
  File opened (read-only) | \??\P: | ScriptCryptor.exe
  File opened (read-only) | \??\R: | ScriptCryptor.exe
  File opened (read-only) | \??\W: | ScriptCryptor.exe
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | ScriptCryptor.exe

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SYSTEM.INI | ScriptCryptor.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  860 | ScriptCryptor.exe (7 identical events)
Suspicious use of AdjustPrivilegeToken (26 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 860 | ScriptCryptor.exe (26 identical events)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  860 | ScriptCryptor.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 860 wrote to memory of 1256 | 860 | ScriptCryptor.exe | 12 (7 identical events)
  PID 860 wrote to memory of 1360 | 860 | ScriptCryptor.exe | 13 (7 identical events)
  PID 860 wrote to memory of 1416 | 860 | ScriptCryptor.exe | 18 (7 identical events)
System policy modification (1 TTP, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ScriptCryptor.exe
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1256

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1360

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1416

C:\Users\Admin\AppData\Local\Temp\ScriptCryptor.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ScriptCryptor.exe"
  PID: 860
  - Modifies firewall policy service
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification