Analysis
-
max time kernel
153s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
25-07-2022 03:30
General
-
Target
f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe
-
Size
827KB
-
MD5
bb5bacfe2ae5bf6e02f5aa5f55c28acf
-
SHA1
c49192478c9611df1fde63fdd1f848def716fcba
-
SHA256
f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c
-
SHA512
f59a33f7bac0f8efab55c00e5e5be44c1db9ed859c7e6ffe563d43767d7c71ed902831739dea211d05ef6920ad2b13e7b76e824c88ade01e3cdf441fa524a8fc
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 6 IoCs
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 30 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 33 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe"C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe"C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe" -service -lunch1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe"C:\Users\Admin\AppData\Local\Temp\f7f175a450a116c0be3c493e697c98c9469f2f894f3834fea484f5540621350c.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\AMMYY\hrFilesize
22B
MD5b51ff1164a5b348f4d9e903b66c0d4ce
SHA14806f314c99a10cb3d896c4fab229ef7ffebf25d
SHA2565034f0aba9c8ed2728a0b22594f374fb0fc5cd0a9272085841c69c4999bf4534
SHA5127e05b203d9510ca4f3dc271d0aa06ac36759073a81b92274e780fde0487a99cf5d1a6225be04e750dc3d708eb9c3b4b3237e8a84bbbc7f61460b2a805e5740db
-
C:\ProgramData\AMMYY\hr3Filesize
68B
MD5875292975e6701eb3668c9d7d4e0cf0e
SHA108a301850bdb78b372b16e274d5f71e5d97ff135
SHA256d417318cb9b4105760511b16b21a86f79ca975038089e391b1c037aa58aa78b4
SHA51298af0edcec8859f7ed25671538c5a9db9f69fe9b61d215d400274280ab24f9a5c8e1a4ca378042724698e69bdb258420967fdc65949c7d72d1b80cdf465d9b25
-
C:\ProgramData\AMMYY\settings3.binFilesize
271B
MD5714f2508d4227f74b6adacfef73815d8
SHA1a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA5121171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8
-
C:\Windows\SYSTEM.INIFilesize
257B
MD50f50553cf6fc0db44663405f6d2786ae
SHA1e919c8076508be2a292d8f3f72d59454df9ac900
SHA256ef41b3f0370ce3e2cb14f3bd86ffd1eedcdda129293a451023f3deeefaf7ce97
SHA512dab729b639e377ef11140646da60bf63ca5245cdc49dbaee756f8238e5bf4169972897f0b8203b30da860ecbb0a5b1f0bf78629610665151c00d46855a1fba2a
-
memory/2100-140-0x0000000000400000-0x00000000004D4000-memory.dmpFilesize
848KB
-
memory/2100-133-0x0000000000000000-mapping.dmp
-
memory/2100-147-0x0000000000400000-0x00000000004D4000-memory.dmpFilesize
848KB
-
memory/2100-146-0x0000000004F20000-0x0000000005FAE000-memory.dmpFilesize
16.6MB
-
memory/2100-145-0x0000000004F20000-0x0000000005FAE000-memory.dmpFilesize
16.6MB
-
memory/2100-143-0x0000000004F20000-0x0000000005FAE000-memory.dmpFilesize
16.6MB
-
memory/4396-131-0x0000000002410000-0x000000000349E000-memory.dmpFilesize
16.6MB
-
memory/4396-130-0x0000000000400000-0x00000000004D4000-memory.dmpFilesize
848KB
-
memory/4396-137-0x0000000002410000-0x000000000349E000-memory.dmpFilesize
16.6MB
-
memory/4396-135-0x0000000000400000-0x00000000004D4000-memory.dmpFilesize
848KB
-
memory/4560-132-0x0000000000FE0000-0x000000000206E000-memory.dmpFilesize
16.6MB
-
memory/4560-139-0x0000000000FE0000-0x000000000206E000-memory.dmpFilesize
16.6MB
-
memory/4560-144-0x0000000000FE0000-0x000000000206E000-memory.dmpFilesize
16.6MB
-
memory/4560-136-0x0000000000400000-0x00000000004D4000-memory.dmpFilesize
848KB