Analysis

  • max time kernel
    102s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/10/2022, 01:54

General

  • Target

    2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa.exe

  • Size

    160KB

  • MD5

    a2f95eeb3673ab81a0afb1e4bde259e6

  • SHA1

    bf7974abec8d5a479d553e08790e1c0370168fed

  • SHA256

    2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa

  • SHA512

    eec3e522543d778b336da4275f32975d2dbd27e28ae1f056ddfe78bcce9d22c7a990497c2db92f7dd7e8ff1e533c3f5831e4fd04d81e9382bda5f4873579e5e8

  • SSDEEP

    3072:2nxwgxgfR/DVG7wBpEwfpNoICJwY7PuWZBD:e+xDVG0BpV0Jhi4BD

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/
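The C2 list above is the most directly actionable part of this report. The Python below is an added example, not part of the sandbox output: it splits the listed URLs into IP and domain indicators and runs them over proxy log lines. The log lines and their field layout (epoch, client, method, URL, status) are constructed for illustration. Matching is on the host, so subdomains of a listed domain count as hits while look-alike names that merely contain a listed domain as a substring do not; the last two constructed lines exercise both cases.

```python
"""Match the report's Sality C2 URLs against proxy log lines.

Added example; the log lines below are constructed, not from the report.
"""
import ipaddress
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1667091240.101 10.0.0.21 GET http://kukutrustnet777.info/home.gif 200
1667091241.507 10.0.0.21 GET http://89.119.67.154/testo5/ 404
1667091242.009 10.0.0.33 GET http://www.microsoft.com/ 200
1667091243.220 10.0.0.21 GET http://cdn.klkjwre9fqwieluoi.info/x 200
1667091244.000 10.0.0.44 GET http://notkukutrustnet777.info/ 200
"""


def build_indicators(urls):
    """Split C2 URLs into a set of IP literals and a set of bare domains.

    A leading "www." is stripped so that DNS-level matches on the
    registrable name still fire.
    """
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(url).hostname.lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host[4:] if host.startswith("www.") else host)
    return ips, domains


def host_matches(host, ips, domains):
    """Return the indicator a host matches, or None.

    Domain matches require equality or a dot-separated suffix, so
    "cdn.example.info" matches "example.info" but "notexample.info" does not.
    """
    host = host.lower()
    if host in ips:
        return host
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_proxy_log(text, urls=C2_URLS):
    """Return one hit dict per log line whose URL host matches an indicator."""
    ips, domains = build_indicators(urls)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than guess
        _epoch, client, _method, url, status = fields[:5]
        host = urlsplit(url).hostname
        if host is None:
            continue
        ioc = host_matches(host, ips, domains)
        if ioc:
            hits.append({"client": client, "url": url, "ioc": ioc, "status": status})
    return hits


def infected_clients(hits):
    """Distinct client addresses that reached any indicator, sorted."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print("clients to isolate:", infected_clients(scan_proxy_log(SAMPLE_LOG)))
```

The HTTP status is kept in each hit on purpose: a 404 from the IP C2 is still a beacon attempt by an infected host and still warrants isolation.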

Signatures

  • Modifies firewall policy service (2 TTPs, 3 IoCs)
  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass (3 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 6 IoCs)
  • Executes dropped EXE (1 IoC)
  • UPX packed file (10 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open source packer.

  • Windows security modification (2 TTPs, 7 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 48 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (52 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)
  • System policy modification (1 TTP, 1 IoC)

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    PID:376
  • C:\Users\Admin\AppData\Local\Temp\2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa.exe
    "C:\Users\Admin\AppData\Local\Temp\2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3056
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:5072
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1344
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:620 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1964
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:2724
  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2856
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2612
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2528
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:808
  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
    PID:800
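The tree above is the behavioural core of the report: the sample runs from the user's Temp directory, drops WaterMark.exe into C:\Program Files (x86)\Microsoft (with the same hashes as the submitted sample, so it is a straight self-copy rather than a second-stage download), and that copy starts a 32-bit svchost.exe with a bare command line (no "-k" service group) plus two iexplore.exe instances, which is how the C2 traffic ends up looking like browser activity. The Python below is an added example, not part of the report, that encodes three process-ancestry rules a detection engineer would derive from this tree and runs them over process-creation events. The events are constructed from the report's process list; the parent links are assumed from the nesting arrows, and services.exe (PID 700) is an assumed parent for the legitimate svchost.exe.

```python
"""Process-ancestry heuristics derived from the report's process tree.

Added example; events are constructed from the report, parent links and
services.exe (PID 700) are assumptions.
"""
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa.exe"
WATERMARK = r"C:\Program Files (x86)\Microsoft\WaterMark.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

EVENTS = [
    Proc(700, 0, r"C:\Windows\system32\services.exe", "services.exe"),  # assumed
    Proc(2724, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    # Legitimate service host: parent services.exe, "-k <group>" present.
    Proc(2612, 700, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc"),
    Proc(3056, 2724, ntpath.join(TEMP, SAMPLE), '"%s"' % ntpath.join(TEMP, SAMPLE)),
    Proc(1624, 3056, WATERMARK, '"%s"' % WATERMARK),
    # svchost started by WaterMark.exe: image lands in SysWOW64 through WoW64
    # file redirection and there is no "-k" group, i.e. no service to host.
    Proc(5072, 1624, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(2536, 1624, IE64, '"%s"' % IE64),
    Proc(1344, 2536, IE32, '"%s" SCODEF:2536 CREDAT:17410 /prefetch:2' % IE32),
    Proc(620, 1624, IE64, '"%s"' % IE64),
    Proc(1964, 620, IE32, '"%s" SCODEF:620 CREDAT:17410 /prefetch:2' % IE32),
]


def name(path):
    return ntpath.basename(path).lower()


def directory(path):
    return ntpath.dirname(path).lower()


def evaluate(events):
    """Return (pid, rule) findings for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        n = name(e.image)
        parent_name = name(parent.image) if parent else None
        # Rule 1: svchost.exe is only legitimate when services.exe starts it
        # with a "-k <group>" argument; anything else is a hollowing target.
        if n == "svchost.exe" and (parent_name != "services.exe"
                                   or " -k " not in e.cmdline.lower()):
            findings.append((e.pid, "svchost-not-from-services"))
        # Rule 2: a binary under Program Files whose parent runs from %TEMP%
        # is a freshly dropped persistence payload, not an installed product.
        if (parent and r"\appdata\local\temp" in directory(parent.image)
                and directory(e.image).startswith(r"c:\program files")):
            findings.append((e.pid, "program-files-binary-launched-from-temp"))
        # Rule 3: a browser spawned by something other than the shell or
        # another browser process is being used as a network proxy.
        if n == "iexplore.exe" and parent_name not in ("explorer.exe", "iexplore.exe"):
            findings.append((e.pid, "browser-spawned-by-non-shell"))
    return findings


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

Rule 1 deliberately does not treat the SysWOW64 image path itself as suspicious: a 32-bit parent launching "C:\Windows\system32\svchost.exe" is redirected to SysWOW64 by WoW64, so the path mismatch alone is noise; the missing service group and the non-services.exe parent are the signal.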

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\WaterMark.exe
    Filesize
    160KB
    MD5
    a2f95eeb3673ab81a0afb1e4bde259e6
    SHA1
    bf7974abec8d5a479d553e08790e1c0370168fed
    SHA256
    2e0e6c4e7555213a16299dde7333319feb145dc64c04b8e01efc50a7a79d1faa
    SHA512
    eec3e522543d778b336da4275f32975d2dbd27e28ae1f056ddfe78bcce9d22c7a990497c2db92f7dd7e8ff1e533c3f5831e4fd04d81e9382bda5f4873579e5e8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD
    Filesize
    779B
    MD5
    004e1f9f2b4726e5564e16c49fb4a831
    SHA1
    b57e588e3371a7fee13eaa737aefdf4e126dcf51
    SHA256
    bad8f107566ae2c13676df6b3c67da0642b6c850a6705acac03f460a6adb8dab
    SHA512
    5971b426d98c2f4e66708d490f513d66f85b89aa31479ec8e60e6b54b2afe32b77cf8d853d367f5ee173685129d0ba179739be5cf72a11a641d1cee6a28c75c4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DB145CFEEC544B1582FED1ADA3370DD
    Filesize
    246B
    MD5
    72528a3e753c91fd843b520cd298dae5
    SHA1
    59338ff2c6a217d8dd06ce7e9953e1278473b1d6
    SHA256
    26e9a0b027aa4e324764ebe313680516be65d1731aa59e82cd93d4f5216fb4ad
    SHA512
    95965d290e4cf657313aef07cae35393cb64800247f61fe33265567044ba8d7a6f61d83209707d6d0391b6b2960658ba462ec51bb7c9c4b5562f005c34723d53

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FD8C37F-5854-11ED-B696-5203DB9D3E0F}.dat
    Filesize
    5KB
    MD5
    9a489e4da497f4270d23fd4ba74f68ef
    SHA1
    26706aa891532703c3931c254543636cf5632854
    SHA256
    29a0b213f07f7b905ab1aacdba5466b7ac926d6526e30e6c21d7a0e68fab269b
    SHA512
    16beaf7a5efae0a8f458ca6205ed689caabc8850d4dcfb3f04d371dd08f8bcad55ee0967eab0b3a3c7af3e2b748c351a53a20d2052974cd32958cb83d166d87f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9FD8EA8F-5854-11ED-B696-5203DB9D3E0F}.dat
    Filesize
    3KB
    MD5
    0bffd0177456fa9eaad5656d19bcef9a
    SHA1
    d42a138574aae68a5b480efad0b6c4a604405b2d
    SHA256
    7123d2d31e8fd7d7e8f66066265ba8b9e33b0527c267b229f381aed94c689e08
    SHA512
    0a25a8ec7c5e697a2bea9d6c7efd6fa058c653fbce1f7908b7518c9a896830a1224f9bbbf5ca2ec3c6c868f84d281cf2c3b4446e50be69262c232d3b56c672e4

  • memory/1624-153-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/1624-147-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB

  • memory/1624-149-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB

  • memory/1624-151-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB

  • memory/1624-150-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize
    200KB

  • memory/3056-141-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/3056-146-0x0000000003520000-0x00000000045AE000-memory.dmp
    Filesize
    16.6MB

  • memory/3056-136-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/3056-137-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB

  • memory/3056-133-0x0000000003520000-0x00000000045AE000-memory.dmp
    Filesize
    16.6MB