Analysis

  • max time kernel
    1797s
  • max time network
    1605s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-06-2022 07:16

General

  • Target

    e0c494dab64f42c19ddb7eaba973423c7ef2996104e6cc6b70dc269292ac8362.exe

  • Size

    2.0MB

  • MD5

    818fc5aa272e4ab7e0209916686f5525

  • SHA1

    d4db5757339e5943b1012a008feb1ec8ad9ddd5b

  • SHA256

    e0c494dab64f42c19ddb7eaba973423c7ef2996104e6cc6b70dc269292ac8362

  • SHA512

    ca81fe247ca70b41a34bb43c37215e0fa3b94bac33e231886ce150fd9b635bb415215e08781a6d272355f27699dd79caf052a36b249073e53755b52a6f223d7a

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
  • suricata: ET MALWARE Win32.Sality-GR Checkin

  • Blocklisted process makes network request 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:404
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:804
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:800
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2264
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3468
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:460
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:3712
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3556
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3392
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3300
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    PID:3100
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\e0c494dab64f42c19ddb7eaba973423c7ef2996104e6cc6b70dc269292ac8362.exe
      "C:\Users\Admin\AppData\Local\Temp\e0c494dab64f42c19ddb7eaba973423c7ef2996104e6cc6b70dc269292ac8362.exe"
      2⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Windows security modification
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1712
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\e0c494dab64f42c19ddb7eaba973423c7ef2996104e6cc6b70dc269292ac8362.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\index.hta.log" /PID "1712" /CID "z8oThfaEq9tDegyN" /VERSION "111915098" /BUCKET "0" /SSB "1" /COUNTRY "US" /OS "10.0" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\"" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-1809750270-3141839489-3074374771-1000" /CLIENT "utorrent"
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
          4⤵
          PID:3440
        • C:\Windows\SysWOW64\PING.EXE
          "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500
          4⤵
          • Runs ping.exe
          PID:328
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=…"
          4⤵
          • Blocklisted process makes network request
          PID:4732
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2420
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2292
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:4256
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:4516
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access
    Replication Through Removable Media (1) T1091
  • Persistence
    Modify Existing Service (1) T1031
  • Privilege Escalation
    Bypass User Account Control (1) T1088
  • Defense Evasion
    Modify Registry (6) T1112
    Bypass User Account Control (1) T1088
    Disabling Security Tools (3) T1089
    Virtualization/Sandbox Evasion (1) T1497
    Install Root Certificate (1) T1130
  • Discovery
    Query Registry (3) T1012
    System Information Discovery (4) T1082
    Virtualization/Sandbox Evasion (1) T1497
    Peripheral Device Discovery (1) T1120
    Remote System Discovery (1) T1018
  • Lateral Movement
    Replication Through Removable Media (1) T1091


Downloads

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\i18n\en.json
    Filesize 5KB
    MD5 4417dbfa9fce94752a5a2dfdc823cb92
    SHA1 12d2fd479d85b3f26c28351bbd0e44f06bc60597
    SHA256 2381252b689d7ef2a8e1dcea6b7366c0436e70ff29e9b63f3ae34bcc5c60aaf5
    SHA512 922c3e44db618cb2a77ad8ae6cceeaaecda3acf47034dcfe620cc5c352bededa6e4c983c74a05a797bcbed4f595d205f21829e3393b8994feb73f8179494a93c

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\images\loading.gif
    Filesize 5KB
    MD5 c910e2a5db424644aead18e1758c5efd
    SHA1 fa58fc1a0c17db6c0eb573a0d548e544604114da
    SHA256 00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce
    SHA512 66d87ba337fc672f3f2fac50e2b32774b3a470b32fe5ba1a0e887bf74465e3db1375eca3cab91367bf88b2c6fbf0301e11d6f64c90dddc0c972fabeaefd37b7e

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\images\main_icon.png
    Filesize 3KB
    MD5 e29ae2c3347790175085244651c40d6a
    SHA1 0b9a15b6791439b319496950b85ab82dc2e3e5ae
    SHA256 639bccb6ed0fce165cc979a2949d211ec8f1570133d644bf042a5400c3454c21
    SHA512 53287d741b18275ee35eb4c4392c452e25846748ccaf3954a57f017a6e844b25ec4a39438c6ed7b24128138b8d7239cfacf69112f9803ab9d2ee981ea97a9808

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\images\main_utorrent.ico
    Filesize 104KB
    MD5 44d122c9473107fc36412de81418c84a
    SHA1 a0072c789a9cd50ba561683c69af8602927cf4a8
    SHA256 7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680
    SHA512 b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\index.hta
    Filesize 522B
    MD5 76903930c0ade2285f1ab1bf54be660d
    SHA1 0fdd5990ca58cf6c49985ffd2075baa09cd728ce
    SHA256 61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e
    SHA512 c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\scripts\common.js
    Filesize 354KB
    MD5 294704ab62d0810ce15a39d08c8b1bf4
    SHA1 9eb74fbb3eb81e6312c94ec4e3e84792e1a0aa68
    SHA256 f6332951011366de16da034680ca2eaf06d28171aa094ed42af649823b045bdd
    SHA512 a622b8109a5b09961dd18761abeb701b3a2956967a8373e1ea3e4648a5a0d7427f37b7d0f0e3635aad452f43d0754d30ddeeac5def88a554ad655f174d60faff

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\scripts\initialize.js
    Filesize 1005B
    MD5 2a65c76b51a2c15eebeefa662d511af9
    SHA1 3c5f93d39fdd573e43c7a451836d425bc1b07a5d
    SHA256 31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06
    SHA512 85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\scripts\install.js
    Filesize 6KB
    MD5 ade3e833add95bf0f5f1619bf816d893
    SHA1 48df3ae9a43c6d8783dab68ec423a9ff8ab25c04
    SHA256 bbbf5859eb80eda10d42aee0557256d161768f1db7648f65a12444fc40fb8f1d
    SHA512 8ed6005f9801ad5e7108ca698f65f7e31ecd842ca3fc9c1086f9cd247896b2ed59c8d5aaf62ad33e96e67837757814510ce058b5ce1cbdec461453799f9abf26

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\shell_scripts\check_if_cscript_is_working.js
    Filesize 18B
    MD5 401b092610275ba2a62376598bfd9c6b
    SHA1 da1173bc19dd51759f06ac21237a1e8af19d96e7
    SHA256 d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862
    SHA512 4a6b34a572864c8648ae1d3e2fe7b3ae2caada78cac726fafe4fe840afdeac1b53ea161ef27abe82ed6843e61bf853901a2d1bdf2ec255de0c395423d1b2e865

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\shell_scripts\shell_ping_after_close.js
    Filesize 312B
    MD5 3ba92505f8af34e948f97360767d4f8a
    SHA1 997a36be9f9f5262195b24c8c99c0688086c80ee
    SHA256 5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1
    SHA512 b33d3519684e3b54e582e401c7144d4d3783ac44ee73e8d9ce2d92b2e0a091758d330d966ab7db19f7d22fe18335d3e8effc0961ff9d9c4ac147d0ec2c91e626

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\HTA\styles\common.css
    Filesize 99KB
    MD5 8a94d780401556cceabf35058bbd4b5a
    SHA1 19ee91b1629f4ccf0fca1f664405a1eee9dacc5a
    SHA256 086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa
    SHA512 b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

  • C:\Users\Admin\AppData\Local\Temp\HYDC048.tmp.1654586212\index.hta.log
    Filesize 57B
    MD5 e56c677ab044cea12c815acb768f70ca
    SHA1 c6e65512382c5ec15ed8b23c5fb8ae28fad9d1af
    SHA256 ef3f78757079f8b8bbd8fcfccf632c635e837d62158a2eb38751520d80c74a4c
    SHA512 cf88867189201224618de905f2b537eba0b3d1380835123953ef3a1d555b1dc31cff084eeb989bd963f8193b659e17d9e95c74e1f797478e8e8f9904183f700b

  • memory/328-143-0x0000000000000000-mapping.dmp
  • memory/1712-132-0x0000000002840000-0x00000000038CE000-memory.dmp
    Filesize 16.6MB
  • memory/1712-150-0x0000000002840000-0x00000000038CE000-memory.dmp
    Filesize 16.6MB
  • memory/1712-131-0x0000000002840000-0x00000000038CE000-memory.dmp
    Filesize 16.6MB
  • memory/1712-130-0x0000000000400000-0x0000000000934000-memory.dmp
    Filesize 5.2MB
  • memory/1712-149-0x0000000000400000-0x0000000000934000-memory.dmp
    Filesize 5.2MB
  • memory/2660-133-0x0000000000000000-mapping.dmp
  • memory/3440-141-0x0000000000000000-mapping.dmp
  • memory/4732-147-0x0000000000000000-mapping.dmp