Analysis

  • max time kernel
    151s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 02:20

General

  • Target

    e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe

  • Size

    1.1MB

  • MD5

    6a13bb213fda4f15b7e4cc48a83dd368

  • SHA1

    eea95805b5c0fef042c8fc59efe5aa30598db37d

  • SHA256

    e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755

  • SHA512

    262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a

  • SSDEEP

    24576:zAQ6Zx9cxTmOrucTIEFSpOGAM4DSs9FvzAIpgkTzbZU:zAQ/TD5EO3JgAf

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 9 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 13 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 32 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1120
    • C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
      "C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe"
      1⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1744
      • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Deletes itself
        • Windows security modification
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1488
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\SysWOW64\notepad.exe
          C:\Windows\SysWOW64\notepad.exe
          3⤵
            PID:1704
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1208
        • C:\Windows\system32\Dwm.exe
          "C:\Windows\system32\Dwm.exe"
          1⤵
            PID:1176
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:824

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

                    Filesize

                    412KB

                    MD5

                    e6e858b315cc3cad4f6772c3ce7799c9

                    SHA1

                    2e3ded63d9c8259b0df043892b7a8003d4dc00ee

                    SHA256

                    761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168

                    SHA512

                    00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

                  • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

                    Filesize

                    412KB

                    MD5

                    e6e858b315cc3cad4f6772c3ce7799c9

                    SHA1

                    2e3ded63d9c8259b0df043892b7a8003d4dc00ee

                    SHA256

                    761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168

                    SHA512

                    00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

                  • C:\Windows\SYSTEM.INI

                    Filesize

                    255B

                    MD5

                    16ef19c01dc6c22d9b4d9e5dc2378689

                    SHA1

                    bf089e76a2d6713c8b4997ae3c22639ec41395f1

                    SHA256

                    ae182f2ae9b4a6da3aea14e0a856eeccd586d5da61c524357204c05055e5ad01

                    SHA512

                    8d5f25643b56a3840001479114edf82ffc9fb8409d7692c05f916e2186dc83d718599ea22ca7df8c296f2ece3ae11d4d54b8fa0038a556717fbd572edbe89b09

                  • C:\Windupdt\winupdate.exe

                    Filesize

                    1.1MB

                    MD5

                    2914671203fb9f6cd43c3a1890e62199

                    SHA1

                    206b053743f43a8be9db38af1400ffa8b517af77

                    SHA256

                    ef9340ae3695ac3cb6baacfce55c11a267f65a5d942b0de15e2bf211ff89759f

                    SHA512

                    d3b15fbf34ff5e8a3cf06276f8e75c9fa95e025510328c848f2746bcbc3c604e3ab3fdd4655c475067d6ab8cfeb7d8c9f0947829ce56c5b5ad449ce59e50b0d2

                  • C:\Windupdt\winupdate.exe

                    Filesize

                    1.1MB

                    MD5

                    6a13bb213fda4f15b7e4cc48a83dd368

                    SHA1

                    eea95805b5c0fef042c8fc59efe5aa30598db37d

                    SHA256

                    e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755

                    SHA512

                    262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a

                  • \Users\Admin\AppData\Local\Temp\SVCHOST.EXE

                    Filesize

                    412KB

                    MD5

                    e6e858b315cc3cad4f6772c3ce7799c9

                    SHA1

                    2e3ded63d9c8259b0df043892b7a8003d4dc00ee

                    SHA256

                    761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168

                    SHA512

                    00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

                  • \Users\Admin\AppData\Local\Temp\SVCHOST.EXE

                    Filesize

                    412KB

                    MD5

                    e6e858b315cc3cad4f6772c3ce7799c9

                    SHA1

                    2e3ded63d9c8259b0df043892b7a8003d4dc00ee

                    SHA256

                    761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168

                    SHA512

                    00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

                  • memory/1020-71-0x0000000013140000-0x0000000013263000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/1020-86-0x00000000003B0000-0x00000000003B2000-memory.dmp

                    Filesize

                    8KB

                  • memory/1020-82-0x00000000003B0000-0x00000000003B2000-memory.dmp

                    Filesize

                    8KB

                  • memory/1020-81-0x0000000013140000-0x0000000013263000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/1020-77-0x0000000013140000-0x0000000013263000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/1020-75-0x0000000013140000-0x0000000013263000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/1020-73-0x0000000013140000-0x0000000013263000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/1488-64-0x0000000001E30000-0x0000000002EBE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1488-84-0x0000000001E30000-0x0000000002EBE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1488-68-0x00000000003D0000-0x00000000003D2000-memory.dmp

                    Filesize

                    8KB

                  • memory/1488-67-0x0000000001E30000-0x0000000002EBE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1488-88-0x0000000001E30000-0x0000000002EBE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1488-87-0x0000000000400000-0x0000000000469000-memory.dmp

                    Filesize

                    420KB

                  • memory/1488-66-0x0000000000400000-0x0000000000469000-memory.dmp

                    Filesize

                    420KB

                  • memory/1488-85-0x00000000003D0000-0x00000000003D2000-memory.dmp

                    Filesize

                    8KB

                  • memory/1704-83-0x0000000000240000-0x0000000000242000-memory.dmp

                    Filesize

                    8KB

                  • memory/1744-70-0x0000000000230000-0x0000000000232000-memory.dmp

                    Filesize

                    8KB

                  • memory/1744-89-0x0000000002F70000-0x0000000003FFE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1744-91-0x0000000002F70000-0x0000000003FFE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1744-92-0x0000000002F70000-0x0000000003FFE000-memory.dmp

                    Filesize

                    16.6MB

                  • memory/1988-65-0x0000000003200000-0x0000000003269000-memory.dmp

                    Filesize

                    420KB

                  • memory/1988-54-0x0000000075281000-0x0000000075283000-memory.dmp

                    Filesize

                    8KB

                  • memory/1988-78-0x00000000031E0000-0x00000000031EF000-memory.dmp

                    Filesize

                    60KB

                  • memory/1988-69-0x00000000031E0000-0x0000000003E2A000-memory.dmp

                    Filesize

                    12.3MB