Overview

overview

10

Static

static

8

announce.exe

windows7-x64

10

announce.exe

windows10-2004-x64

1

plugins/regex.so

ubuntu-18.04-amd64

1

plugins/sscanf.dll

windows7-x64

3

plugins/sscanf.dll

windows10-2004-x64

3

plugins/sscanf.so

ubuntu-18.04-amd64

1

plugins/streamer.dll

windows7-x64

3

plugins/streamer.dll

windows10-2004-x64

3

plugins/streamer.so

ubuntu-18.04-amd64

1

samp-npc.exe

windows7-x64

10

samp-npc.exe

windows10-2004-x64

10

samp-server.exe

windows7-x64

10

samp-server.exe

windows10-2004-x64

10

scriptfile...ts.vbs

windows7-x64

1

scriptfile...ts.vbs

windows10-2004-x64

1

�...ts.vbs

windows7-x64

1

�...ts.vbs

windows10-2004-x64

1

�...ck.vbs

windows7-x64

1

�...ck.vbs

windows10-2004-x64

1

�...nc.dll

windows7-x64

1

�...nc.dll

windows10-2004-x64

1

�...cc.exe

windows7-x64

1

�...cc.exe

windows10-2004-x64

1

�...no.exe

windows7-x64

8

�...no.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    samp-npc.exe

  • Size

    392KB

  • MD5

    5a1e2e8b2fca5a40ab426bd3f533b3f2

  • SHA1

    7f73f23a7b16aa3c8262d76fc30b1e514cfbe7de

  • SHA256

    b9c417d03289754578824f61d7788c8e1967610d29c9a8a63a53fc22fa366805

  • SHA512

    514e32472eac1ebdf963136e1d80f249e4c097a4926e362697d005f3100add5afd7f76a4e1b59b321800eabe5ab42f0261b318939d5c3d63f60e4ed18fc9d9e2

  • SSDEEP

    6144:Pu++THBU7JnFjlJlQ8TM4r0zsaBuxtj/cjAOvP99qqDLuEnIorHSzhl6GkkakJL:9+TIvSGrOsaBuPcjwqnuqI7LaQL

Score
10/10
neshtasalitybackdoorevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1156
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1228
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1256
          • C:\Users\Admin\AppData\Local\Temp\samp-npc.exe
            "C:\Users\Admin\AppData\Local\Temp\samp-npc.exe"
            2⤵
            • Modifies firewall policy service
            • Modifies system executable filetype association
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1932
            • C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe
              "C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2036
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1534490390-1401835681-5805828371978415027494939609530693522138043534-251906749"
          1⤵
            PID:1768

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Replication Through Removable Media

          1
          T1091

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Change Default File Association

          1
          T1042

          Privilege Escalation

          Bypass User Account Control

          1
          T1088

          Defense Evasion

          Modify Registry

          6
          T1112

          Bypass User Account Control

          1
          T1088

          Disabling Security Tools

          3
          T1089

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Replication Through Removable Media

          1
          T1091

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe
            Filesize

            352KB

            MD5

            9e569f1233a9742a0562c3ac17932710

            SHA1

            d5adb4084a72f3d535042aff65ad15933963fa8a

            SHA256

            004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042

            SHA512

            078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81

            Download Submit
          • C:\Windows\SYSTEM.INI
            Filesize

            255B

            MD5

            fd732fbd20b67c2f72f9514de90f84bb

            SHA1

            32cebadd0dcfe73fee74bd167d3db4a485125110

            SHA256

            971d9953651b624b157da6b284236d303826a1ca29d0eebed375e79ce5969c73

            SHA512

            50be953bd8ca8c5f5ad7dff6a047db10f144d957427bddbb7128e4cf6e9dc6a348e709007553db67bb71994197fb1ca850908c889fa5feb17475a7c481e93304

            Download Submit
          • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

            Download Submit
          • \Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe
            Filesize

            352KB

            MD5

            9e569f1233a9742a0562c3ac17932710

            SHA1

            d5adb4084a72f3d535042aff65ad15933963fa8a

            SHA256

            004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042

            SHA512

            078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81

            Download Submit
          • \Users\Admin\AppData\Local\Temp\3582-490\samp-npc.exe
            Filesize

            352KB

            MD5

            9e569f1233a9742a0562c3ac17932710

            SHA1

            d5adb4084a72f3d535042aff65ad15933963fa8a

            SHA256

            004d3f22807c96b01745ac4e23eb6039b7318a8aaca5c12cab9bd6a087244042

            SHA512

            078cf2241e4e821cd7c30931efc74a965c553314a61a8b078190848fd6d6ef5be33dc3e79e27b73069d6b1560d62d8deeaf2a24d4f0c5e27ba79f4f6210e3f81

            Download Submit
          • memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1932-61-0x0000000002780000-0x00000000027F9000-memory.dmp
            Filesize

            484KB

            Download
          • memory/1932-63-0x0000000000240000-0x0000000000242000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1932-68-0x0000000002B40000-0x0000000003BCE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1932-70-0x0000000002540000-0x000000000318A000-memory.dmp
            Filesize

            12.3MB

            Download
          • memory/1932-71-0x0000000000240000-0x0000000000242000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1932-72-0x0000000002540000-0x000000000318A000-memory.dmp
            Filesize

            12.3MB

            Download
          • memory/2036-62-0x0000000000400000-0x0000000000479000-memory.dmp
            Filesize

            484KB

            Download
          • memory/2036-64-0x0000000001F30000-0x0000000002FBE000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/2036-65-0x00000000003E0000-0x00000000003E2000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2036-66-0x0000000000400000-0x0000000000479000-memory.dmp
            Filesize

            484KB

            Download
          • memory/2036-57-0x0000000000000000-mapping.dmp
            Download
          • memory/2036-60-0x0000000001F30000-0x0000000002FBE000-memory.dmp
            Filesize

            16.6MB

            Download