Analysis
-
max time kernel
133s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 18:34
General
-
Target
b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exe
-
Size
392KB
-
MD5
5a1e2e8b2fca5a40ab426bd3f533b3f2
-
SHA1
7f73f23a7b16aa3c8262d76fc30b1e514cfbe7de
-
SHA256
b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805
-
SHA512
514e32472eac1ebdf963136e1d80f249e4c097a4926e362697d005f3100add5afd7f76a4e1b59b321800eabe5ab42f0261b318939d5c3d63f60e4ed18fc9d9e2
-
SSDEEP
6144:Pu++THBU7JnFjlJlQ8TM4r0zsaBuxtj/cjAOvP99qqDLuEnIorHSzhl6GkkakJL:9+TIvSGrOsaBuPcjwqnuqI7LaQL
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exe"C:\Users\Admin\AppData\Local\Temp\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exeFilesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exeFilesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
\Users\Admin\AppData\Local\Temp\3582-490\b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805.exeFilesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
memory/960-54-0x0000000075141000-0x0000000075143000-memory.dmpFilesize
8KB
-
memory/960-63-0x0000000002730000-0x00000000027A9000-memory.dmpFilesize
484KB
-
memory/1520-57-0x0000000000000000-mapping.dmp
-
memory/1520-60-0x0000000001FF0000-0x000000000307E000-memory.dmpFilesize
16.6MB
-
memory/1520-61-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/1520-62-0x0000000001FF0000-0x000000000307E000-memory.dmpFilesize
16.6MB