Analysis
-
max time kernel
150s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
30-01-2023 03:42
General
-
Target
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
-
Size
160KB
-
MD5
896d561765d793ad98a6e17155d78440
-
SHA1
ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
-
SHA256
d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
-
SHA512
0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
SSDEEP
3072:iT2xNfzEmPUac0yCRS9EK0TLmkQzWAJ4IeQkXN5gNAm6Nk:mkPpe0mkQzxJ4IeQC+aE
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 9 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe"C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
160KB
MD5896d561765d793ad98a6e17155d78440
SHA1ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA5120caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
C:\Program Files (x86)\Microsoft\WaterMark.exeFilesize
160KB
MD5896d561765d793ad98a6e17155d78440
SHA1ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA5120caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
C:\Windows\SYSTEM.INIFilesize
255B
MD5cf93e4d26ba68966ce9a11e994a5a9d3
SHA1f52e887aa5a6357a48a8c1c0f62e5c8e447cc1e4
SHA2569e8c2c209c85a359d8720dc82254f95d34e0676ab9c0563c638afaf7bfdec807
SHA5128daafc03b1eb33f303e8340621745345f93459b20fb66903c5b9743c3afdf71fe21c7203548d562d1bb4c58a5205cb9e82d22c32c67a61078ddb1e2b3bced44f
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
160KB
MD5896d561765d793ad98a6e17155d78440
SHA1ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA5120caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
\Program Files (x86)\Microsoft\WaterMark.exeFilesize
160KB
MD5896d561765d793ad98a6e17155d78440
SHA1ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3
SHA256d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc
SHA5120caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47
-
memory/288-78-0x0000000000000000-mapping.dmp
-
memory/288-76-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/288-109-0x0000000000190000-0x0000000000192000-memory.dmpFilesize
8KB
-
memory/288-200-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/288-285-0x0000000002C50000-0x0000000003CDE000-memory.dmpFilesize
16.6MB
-
memory/288-81-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/288-203-0x0000000002C50000-0x0000000003CDE000-memory.dmpFilesize
16.6MB
-
memory/288-88-0x0000000020010000-0x0000000020022000-memory.dmpFilesize
72KB
-
memory/1488-66-0x0000000002120000-0x00000000031AE000-memory.dmpFilesize
16.6MB
-
memory/1488-55-0x0000000002120000-0x00000000031AE000-memory.dmpFilesize
16.6MB
-
memory/1488-59-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1488-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1488-61-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1488-58-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1488-199-0x0000000002120000-0x00000000031AE000-memory.dmpFilesize
16.6MB
-
memory/1488-64-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1656-79-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1656-86-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/1656-151-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1656-152-0x0000000002140000-0x00000000031CE000-memory.dmpFilesize
16.6MB
-
memory/1656-84-0x00000000003F0000-0x00000000003F2000-memory.dmpFilesize
8KB
-
memory/1656-83-0x0000000002140000-0x00000000031CE000-memory.dmpFilesize
16.6MB
-
memory/1656-68-0x0000000002140000-0x00000000031CE000-memory.dmpFilesize
16.6MB
-
memory/1656-63-0x0000000000000000-mapping.dmp
-
memory/1840-90-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1840-92-0x0000000000000000-mapping.dmp
-
memory/1840-93-0x0000000020010000-0x000000002001B000-memory.dmpFilesize
44KB
-
memory/1840-110-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB
-
memory/1840-202-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB