Analysis
max time kernel: 170s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 02:20
Behavioral task: behavioral1
Sample: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Resource: win7-20220812-en
General
Target: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Size: 1.1MB
MD5: 6a13bb213fda4f15b7e4cc48a83dd368
SHA1: eea95805b5c0fef042c8fc59efe5aa30598db37d
SHA256: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755
SHA512: 262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a
SSDEEP: 24576:zAQ6Zx9cxTmOrucTIEFSpOGAM4DSs9FvzAIpgkTzbZU:zAQ/TD5EO3JgAf
Malware Config
Extracted family: sality
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | explorer.exe

Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | explorer.exe

Windows security bypass
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe

Executes dropped EXE (1 IoC)
pid | Process
380 | SVCHOST.EXE

resource | yara_rule
behavioral2/memory/380-138-0x00000000024E0000-0x000000000356E000-memory.dmp | upx
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | notepad.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3872 set thread context of 4320 | 3872 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 81

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 3872 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries) | 4320 | explorer.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4320 | explorer.exe

Suspicious use of WriteProcessMemory (53 IoCs)
description | pid | Process | procid_target
PID 3872 wrote to memory of 712 (23 entries) | 3872 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 79
PID 3872 wrote to memory of 380 (3 entries) | 3872 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 80
PID 3872 wrote to memory of 4320 (5 entries) | 3872 | e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe | 81
PID 4320 wrote to memory of 2908 (22 entries) | 4320 | explorer.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755.exe"
PID: 3872
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: notepad
    PID: 712
    - Adds Run key to start application

    C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    PID: 380
    - Executes dropped EXE

    C:\Windows\SysWOW64\explorer.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 4320
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\notepad.exe (depth 3)
        Command line: C:\Windows\SysWOW64\notepad.exe
        PID: 2908
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 412KB
MD5: e6e858b315cc3cad4f6772c3ce7799c9
SHA1: 2e3ded63d9c8259b0df043892b7a8003d4dc00ee
SHA256: 761c8164a97f4fe2370ca5579f65b6d352408ff21979bb1fb2a1f2aaede5b168
SHA512: 00f75b0e169bafb2441b81bc92437f4382e063d8c7c47269786693dec7511f126baa61de365454c92e0b4a7a50a93914eaa4d0ea5ed744fa315096807918a4ae

Filesize: 1.1MB
MD5: 6a13bb213fda4f15b7e4cc48a83dd368
SHA1: eea95805b5c0fef042c8fc59efe5aa30598db37d
SHA256: e16a28f0876c0eab8e70ee7d7453c358396e577fbf83d12e05cd638289f56755
SHA512: 262d590269985b9f2f0cda5228c308e04ea10d2d5b8d6f7b448879b32c6fc4f3130187512c2986a736917e10c7f4f4b569cd9147c0490e5f5128c80b6bb2565a