Analysis
-
max time kernel
92s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 18:35
General
-
Target
samp-npc.exe
-
Size
392KB
-
MD5
5a1e2e8b2fca5a40ab426bd3f533b3f2
-
SHA1
7f73f23a7b16aa3c8262d76fc30b1e514cfbe7de
-
SHA256
b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805
-
SHA512
514e32472eac1ebdf963136e1d80f249e4c097a4926e362697d005f3100add5afd7f76a4e1b59b321800eabe5ab42f0261b318939d5c3d63f60e4ed18fc9d9e2
-
SSDEEP
6144:Pu++THBU7JnFjlJlQ8TM4r0zsaBuxtj/cjAOvP99qqDLuEnIorHSzhl6GkkakJL:9+TIvSGrOsaBuPcjwqnuqI7LaQL
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\samp-npc.exe"C:\Users\Admin\AppData\Local\Temp\samp-npc.exe"2⤵
- Modifies firewall policy service
- Modifies system executable filetype association
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1534490390-1401835681-5805828371978415027494939609530693522138043534-251906749"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
Filesize
255B
MD5fd732fbd20b67c2f72f9514de90f84bb
SHA132cebadd0dcfe73fee74bd167d3db4a485125110
SHA256971d9953651b624b157da6b284236d303826a1ca29d0eebed375e79ce5969c73
SHA51250be953bd8ca8c5f5ad7dff6a047db10f144d957427bddbb7128e4cf6e9dc6a348e709007553db67bb71994197fb1ca850908c889fa5feb17475a7c481e93304
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
Filesize
352KB
MD59e569f1233a9742a0562c3ac17932710
SHA1d5adb4084a72f3d535042aff65ad15933963fa8a
SHA256004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042
SHA512078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81
-
Filesize
8KB
-
Filesize
484KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
12.3MB
-
Filesize
8KB
-
Filesize
12.3MB
-
Filesize
484KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
484KB
-
-
Filesize
16.6MB