Analysis
-
max time kernel
145s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 16:42
General
-
Target
964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe
-
Size
306KB
-
MD5
42cb8388450dc2abe5c9e78db3459b90
-
SHA1
9aa1c15cfcaf0f34c0eef855b17ccb110404a5eb
-
SHA256
964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef
-
SHA512
b011045a15a0e165e40e59838d73b56779dbaecc2723588ac4bcb9fade393a9a1e31c3e19b032d49b1e7f5d9a13570df6f2aece348668383846d8b76daaac0d8
-
SSDEEP
6144:IR2J0LS6VdwnYe8uS/b+gd5hYIRxWLMYYaI:IRm0Oq6YF/bHHhYQXYK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of UnmapMainImage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe"C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exeC:\Users\Admin\AppData\Local\Temp\964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60befmgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4804 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306KB
MD542cb8388450dc2abe5c9e78db3459b90
SHA19aa1c15cfcaf0f34c0eef855b17ccb110404a5eb
SHA256964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef
SHA512b011045a15a0e165e40e59838d73b56779dbaecc2723588ac4bcb9fade393a9a1e31c3e19b032d49b1e7f5d9a13570df6f2aece348668383846d8b76daaac0d8
-
Filesize
306KB
MD542cb8388450dc2abe5c9e78db3459b90
SHA19aa1c15cfcaf0f34c0eef855b17ccb110404a5eb
SHA256964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef
SHA512b011045a15a0e165e40e59838d73b56779dbaecc2723588ac4bcb9fade393a9a1e31c3e19b032d49b1e7f5d9a13570df6f2aece348668383846d8b76daaac0d8
-
Filesize
306KB
MD542cb8388450dc2abe5c9e78db3459b90
SHA19aa1c15cfcaf0f34c0eef855b17ccb110404a5eb
SHA256964054f80aa0a3bcf5e8d7da746bcc1fa6157ada823224f23bb0fdac20b60bef
SHA512b011045a15a0e165e40e59838d73b56779dbaecc2723588ac4bcb9fade393a9a1e31c3e19b032d49b1e7f5d9a13570df6f2aece348668383846d8b76daaac0d8
-
Filesize
115KB
MD565f41bb924a2844cc959d6d6d3f3f6b8
SHA1792d6d2b567bb4af7aab919f88f75fd30bff759e
SHA256737d287347a89d01754fb30aa2bad7e2478fdb90d2646db3704c5bb119136e78
SHA512109b1affea70dafb6ec683c72623ba3371682b163e7ee0470b8e908dbcbf17f8acecb747efd4aa26e52869fa14b2fbb004ea65f0f0a65c75c1ac873a161b7cc9
-
Filesize
115KB
MD565f41bb924a2844cc959d6d6d3f3f6b8
SHA1792d6d2b567bb4af7aab919f88f75fd30bff759e
SHA256737d287347a89d01754fb30aa2bad7e2478fdb90d2646db3704c5bb119136e78
SHA512109b1affea70dafb6ec683c72623ba3371682b163e7ee0470b8e908dbcbf17f8acecb747efd4aa26e52869fa14b2fbb004ea65f0f0a65c75c1ac873a161b7cc9
-
Filesize
5KB
MD5891e4ff9c297a1ea7d5b9fad8d278ff4
SHA11ae6384c9dbb50597dce49ea3abe521c01268788
SHA2562d2db77b4b992bd0fe388bd85ea919442f660c7f09000082d9b47e7c3409ebe1
SHA5120e8482b192c9cd79a588146cfa938397d81ba4648482fff8af3260599dfc2975de4df364941f70bf762db4c00005d0a09ba6946ddcb3416f060cd5a641e910f6
-
Filesize
5KB
MD535c75da2e5b61d147a7921d8b5888a60
SHA1530338d5acb9de8ed620d5e346ad3e7fa546a61a
SHA256ddb1a1a80234780fad7ac4c62c39f23e76a1942393d9a73088f378aeea9faa76
SHA512e56e172f8fa0594b4ebae93495698c796aae814e5eff40ed7619e5e9d9ccb3a19d1a1107c4762f2f6979c2b0ef294326e49478a39577e7e56064937014e826b4
-
Filesize
5KB
MD5376d9b7399283b58faf5bfae083acae6
SHA16495925c79b4968118aa0a389de5c4c26170c887
SHA25610a284cd0d9ac1c415bc868a6fa0ab3b227e5bf84e7d753dba0ef4e0e44f55fc
SHA512d72008e7de3a50eda79c9bc9c4249295c792d253f329317b9f46a22a2d11be673f5f4dbc6f4b25f6c13584fd18aeaa413cb31164b28ffa2ec8c6063dad6a53ae
-
Filesize
3KB
MD5e9404c462d2f154f6a748384a00a140f
SHA14d03a54f04987e26f5ee2a95f476111fbbed11cb
SHA256b9c2e343e5610d76b4f728ef9829b046140e1c44d8126e406fbb826c1031e571
SHA5126acc4525ad585df616285fc453caf0ca9bee047e95f31b340b5dde8c8acf5a0ef1b1518f9bf665bf93f32f76de1b80eeff8dc705420e437752eccf04bb5af0fb
-
Filesize
115KB
MD565f41bb924a2844cc959d6d6d3f3f6b8
SHA1792d6d2b567bb4af7aab919f88f75fd30bff759e
SHA256737d287347a89d01754fb30aa2bad7e2478fdb90d2646db3704c5bb119136e78
SHA512109b1affea70dafb6ec683c72623ba3371682b163e7ee0470b8e908dbcbf17f8acecb747efd4aa26e52869fa14b2fbb004ea65f0f0a65c75c1ac873a161b7cc9
-
Filesize
115KB
MD565f41bb924a2844cc959d6d6d3f3f6b8
SHA1792d6d2b567bb4af7aab919f88f75fd30bff759e
SHA256737d287347a89d01754fb30aa2bad7e2478fdb90d2646db3704c5bb119136e78
SHA512109b1affea70dafb6ec683c72623ba3371682b163e7ee0470b8e908dbcbf17f8acecb747efd4aa26e52869fa14b2fbb004ea65f0f0a65c75c1ac873a161b7cc9
-
Filesize
257B
MD5c8955e8eacc3fa85bfb199439625cb47
SHA184b92a5d1cfe5092c7dba5872042b3e4590285aa
SHA2566654e84603ff9bf9abd29af024b58f65200553c26ba05832121ea0e75404df86
SHA5125536ab169e357c15db88ed1f59985931bb5a5fa7e5ec8629314e0dbe5bed84b9c7cc5ff40da85afaca1d60eac435b6d83545266235c6517207ff7d72bbe95080
-
-
Filesize
352KB
-
Filesize
132KB
-
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
132KB
-
Filesize
160KB
-
Filesize
132KB
-
-
Filesize
160KB
-
Filesize
132KB
-
Filesize
160KB
-
Filesize
352KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
132KB
-
Filesize
352KB
-
Filesize
16.6MB
-
-
-
Filesize
132KB
-
Filesize
16.6MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
16.6MB
-
-
Filesize
16.6MB
-
Filesize
352KB
-
Filesize
16.6MB
-
Filesize
132KB