Analysis
max time kernel: 153s
max time network: 45s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2022 14:43
Static task: static1
Behavioral task: behavioral1
Sample: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Resource: win7-20220718-en
General
Target: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Size: 567KB
MD5: 742fa4d87468c0627133ec45629c692d
SHA1: d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA256: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA512: 70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4
Malware Config
Extracted family: sality
Signatures

Modifies firewall policy service 2 TTPs 3 IoCs
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (svhost.exe)
UAC bypass
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svhost.exe)

Windows security bypass
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svhost.exe)
Disables RegEdit via registry modification 1 IoCs
Processes: svhost.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" (svhost.exe)

Disables Task Manager via registry modification

Executes dropped EXE 1 IoCs
Processes: svhost.exe
- PID 1052 svhost.exe
UPX packed file
Processes: memory resources matched by yara rule "upx"
- behavioral1/memory/1052-61-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-63-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-65-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-69-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-71-0x0000000002C10000-0x0000000003C9E000-memory.dmp (upx)
- behavioral1/memory/1052-72-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-75-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-76-0x0000000002C10000-0x0000000003C9E000-memory.dmp (upx)
- behavioral1/memory/1052-82-0x0000000000400000-0x0000000000476000-memory.dmp (upx)
- behavioral1/memory/1052-83-0x0000000002C10000-0x0000000003C9E000-memory.dmp (upx)
Drops startup file 1 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe.lnk (5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe)

Loads dropped DLL 1 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
- PID 2000 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
Windows security modification
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (svhost.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (svhost.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (svhost.exe)

Checks whether UAC is enabled
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svhost.exe)
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svhost.exe
- File opened (read-only), in the order observed: \??\F:, \??\G:, \??\J:, \??\K:, \??\O:, \??\U:, \??\X:, \??\E:, \??\Z:, \??\W:, \??\V:, \??\M:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\Y:, \??\I:, \??\L:, \??\P:, \??\H: (svhost.exe)

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: svhost.exe
- File opened for modification: C:\autorun.inf (svhost.exe)

Suspicious use of SetThreadContext 1 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
- PID 2000 set thread context of 1052 (process 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, target process svhost.exe)

Drops file in Program Files directory 2 IoCs
Processes: svhost.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (svhost.exe)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe (svhost.exe)

Drops file in Windows directory 1 IoCs
Processes: svhost.exe
- File opened for modification: C:\Windows\SYSTEM.INI (svhost.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS 1 IoCs
Processes: cmd.exe
- File created: C:\Users\Admin\AppData\Roaming\Windows\svhost.exe:Zone.Identifier (cmd.exe)

Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, svhost.exe
- PID 2000 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe (7 entries)
- PID 1052 svhost.exe (13 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, svhost.exe
- Token: SeDebugPrivilege, PID 2000 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe
- Token: SeDebugPrivilege, PID 1052 svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: svhost.exe
- PID 1052 svhost.exe

Suspicious use of WriteProcessMemory 57 IoCs
Processes: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, cmd.exe, svhost.exe
- PID 2000 wrote to memory of 1272: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, target process cmd.exe (4 entries)
- PID 1272 wrote to memory of 1248: cmd.exe, target process reg.exe (4 entries)
- PID 2000 wrote to memory of 1052: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe, target process svhost.exe (8 entries)
- PID 1052 wrote to memory of 2000: svhost.exe, target process 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe (2 entries)
- PID 1052 wrote to memory of 1104: svhost.exe, target process taskhost.exe (13 entries)
- PID 1052 wrote to memory of 1164: svhost.exe, target process Dwm.exe (13 entries)
- PID 1052 wrote to memory of 1212: svhost.exe, target process Explorer.EXE (13 entries)

System policy modification 1 TTPs 1 IoCs
Processes: svhost.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (svhost.exe)
Processes
- C:\Windows\Explorer.EXE (depth 1), command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe (depth 2), command line: "C:\Users\Admin\AppData\Local\Temp\5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2.exe"
    signatures: Drops startup file; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3), command line: "cmd.exe"
      signatures: NTFS ADS; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (depth 4), command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows\svhost.exe.lnk" /f
    - C:\Users\Admin\AppData\Local\Temp\svhost.exe (depth 3), command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops autorun.inf file; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\Dwm.exe (depth 1), command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (depth 1), command line: "taskhost.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize: 1.6MB
MD5: 32827e69b293b99013bbbe37d029245d
SHA1: bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256: 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512: 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

C:\Users\Admin\AppData\Roaming\Windows\svhost.exe
Filesize: 567KB
MD5: 742fa4d87468c0627133ec45629c692d
SHA1: d9bb92a9b3a050394f8008d76e94eb8cffb82787
SHA256: 5c663d8932faf3af09c3fae890b5cec421a6601848745b01034b0d5b85b8fae2
SHA512: 70218d835228e6180971e833ef477f9e8648bc03d877b466d8d4778f7598278dab46bec44767265c7a66873eea09d7a13d36496d156c53e4fcc1893db17b9bb4