Overview

overview

10

Static

static

264169e298...b8.exe

windows7_x64

10

264169e298...b8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    36s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 09:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    264169e29889e4d8c479b70a724aac77da0d071c744ac0f24826fbf7d8e383b8.exe

  • Size

    292KB

  • MD5

    7cfd696c634de38e6a974acc82c9b0c0

  • SHA1

    301eea2cd9ec5698fdd058c70080f64796c21b7b

  • SHA256

    264169e29889e4d8c479b70a724aac77da0d071c744ac0f24826fbf7d8e383b8

  • SHA512

    9ea600d7bf0e49eda1bfa895b4c46ad023ca704110508eed12ab6019a37c7e8a5f02cc2ecd917b27635bc1e8a77b659dd3e90ee545a648a3529b250c32857b08

Score
10/10
ramnitsalitybackdoorbankerevasionspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          2⤵
            PID:864
            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
              wmiadap.exe /F /T /R
              3⤵
                PID:1988
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:1084
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:736
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1184
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                    2⤵
                      PID:1036
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:452
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:340
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:828
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:796
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:744
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:660
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:580
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:416
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:376
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:368
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:484
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                            PID:1364
                                            • C:\Users\Admin\AppData\Local\Temp\264169e29889e4d8c479b70a724aac77da0d071c744ac0f24826fbf7d8e383b8.exe
                                              "C:\Users\Admin\AppData\Local\Temp\264169e29889e4d8c479b70a724aac77da0d071c744ac0f24826fbf7d8e383b8.exe"
                                              2⤵
                                              • Modifies firewall policy service
                                              • UAC bypass
                                              • Windows security bypass
                                              • Windows security modification
                                              • Checks whether UAC is enabled
                                              • Drops file in Windows directory
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: MapViewOfSection
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:1972
                                          • C:\Windows\system32\Dwm.exe
                                            "C:\Windows\system32\Dwm.exe"
                                            1⤵
                                              PID:1292

                                            Network

                                            MITRE ATT&CK Matrix ATT&CK v6

                                            Initial Access

                                            Execution

                                            Persistence

                                            Modify Existing Service

                                            1
                                            T1031

                                            Privilege Escalation

                                            Bypass User Account Control

                                            1
                                            T1088

                                            Defense Evasion

                                            Modify Registry

                                            5
                                            T1112

                                            Bypass User Account Control

                                            1
                                            T1088

                                            Disabling Security Tools

                                            3
                                            T1089

                                            Credential Access

                                            Discovery

                                            System Information Discovery

                                            1
                                            T1082

                                            Lateral Movement

                                            Collection

                                            Exfiltration

                                            Command and Control

                                            Impact

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/1972-55-0x00000000006B0000-0x000000000173E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/1972-56-0x0000000000400000-0x000000000044A000-memory.dmp
                                              Filesize

                                              296KB

                                              Download
                                            • memory/1972-57-0x00000000006B0000-0x000000000173E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/1972-58-0x0000000000400000-0x000000000044A000-memory.dmp
                                              Filesize

                                              296KB

                                              Download