Analysis
-
max time kernel
194s -
max time network
240s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
29-11-2022 23:15
General
-
Target
c7b571d8b889466d791b474515aab705b2ec7f0b3a1a434dccb8cdaf265216fb.exe
-
Size
606KB
-
MD5
887ac3a14b1b18d94925b05201e9fe66
-
SHA1
ff20f17ede14c87191b7e8923ed7590a9e578001
-
SHA256
c7b571d8b889466d791b474515aab705b2ec7f0b3a1a434dccb8cdaf265216fb
-
SHA512
7f3c40008a7792fa8e90825c9ee0cfecc9d37ad3708cf18f94098bca867b5861ddfd7fdc76abd5a4a6e2ed32e14d7bdbbc0a94b7a12524dd6cdd85ba9578c91e
-
SSDEEP
12288:UR/dtjPWedI4ilnP/TP7xQLtV8TuJ+fUoy6SoMvPJ6Q/FO0cn2b:UR/dRZ4nTVQLtVsuEfUoy6MHJ6SFOW
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 6 IoCs
-
ModiLoader Second Stage 2 IoCs
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\c7b571d8b889466d791b474515aab705b2ec7f0b3a1a434dccb8cdaf265216fb.exe"C:\Users\Admin\AppData\Local\Temp\c7b571d8b889466d791b474515aab705b2ec7f0b3a1a434dccb8cdaf265216fb.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\Project0.exe"C:\Users\Admin\AppData\Local\Temp\Project0.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x338 0x33c1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Project0.exeFilesize
419KB
MD5b0bbf810140e6d6345c2985a1847f42a
SHA1cdd53da4c4843828e0ab1c2a7f3e2d14d35cebdf
SHA25658c26518232a71975ece52588d554f116f9af33042a07a2a0f5fb366fabcb363
SHA512444b1992d326bfb007d6707b3f0fc276895cb2573e04242de4c4d3f2d6d20dde185ad005214f038dc13fbf446d1d20c52ca4b695c5a1a8f04348022000d4e59e
-
C:\Users\Admin\AppData\Local\Temp\Project0.exeFilesize
419KB
MD5b0bbf810140e6d6345c2985a1847f42a
SHA1cdd53da4c4843828e0ab1c2a7f3e2d14d35cebdf
SHA25658c26518232a71975ece52588d554f116f9af33042a07a2a0f5fb366fabcb363
SHA512444b1992d326bfb007d6707b3f0fc276895cb2573e04242de4c4d3f2d6d20dde185ad005214f038dc13fbf446d1d20c52ca4b695c5a1a8f04348022000d4e59e
-
memory/1016-135-0x0000000000000000-mapping.dmp
-
memory/4092-132-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/4092-133-0x00000000023C0000-0x000000000347A000-memory.dmpFilesize
16.7MB
-
memory/4092-134-0x00000000023C0000-0x000000000347A000-memory.dmpFilesize
16.7MB
-
memory/4092-137-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/4092-138-0x00000000023C0000-0x000000000347A000-memory.dmpFilesize
16.7MB