Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2023 03:42

General

  • Target

    d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe

  • Size

    160KB

  • MD5

    896d561765d793ad98a6e17155d78440

  • SHA1

    ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3

  • SHA256

    d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc

  • SHA512

    0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47

  • SSDEEP

    3072:iT2xNfzEmPUac0yCRS9EK0TLmkQzWAJ4IeQkXN5gNAm6Nk:mkPpe0mkQzxJ4IeQC+aE

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Ramnit

    Ramnit is a versatile family that includes viruses, worms, and Trojans.

  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe
    "C:\Users\Admin\AppData\Local\Temp\d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4736
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:3480
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4824
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service (T1031): 1
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Modify Registry (T1112): 6
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 3
  • Discovery
    System Information Discovery (T1082): 1

Downloads

    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      Filesize

      160KB

      MD5

      896d561765d793ad98a6e17155d78440

      SHA1

      ee6c4cd6f39e8d7e32130b13ac832f1cff32e3c3

      SHA256

      d1b90eda8f53941e0e5eb0ec4ca270b52027b03bea6f312a7647f9f3c39040cc

      SHA512

      0caefd9a8fe0219f3fe001f3f7c5a135ad4f95de334794dd99ee163f3177f9c7a42939f067d1e9773008af68e63ff240e85cb041040850d8eccadc9e3e4c1f47

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      0518b0c986ebecc2e8b7d18563f3a3f9

      SHA1

      f64c6bf2713c74c0519bc4dfbb1ef2d361d8fa0f

      SHA256

      5beab60b4c60e1dd16a188541199742eb97df28aa6a3e41f7dcabc1c75dee492

      SHA512

      a49b8b37bc4d23c631e891b9cc8921bc724f52a66c59f01823536423336fd387223f544ff6de19db5ed691a18285004bc2a1fc5730f4165e26b89479713f9915

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      36f62dc8408cdfed6204f4d055b58b50

      SHA1

      b930e41f6a50624897bb78a34854bb53dea361e1

      SHA256

      63c2c690d3205dc175f8378560011874b62fb7d6a74695a7c22ce8d6ed673c5a

      SHA512

      2bdb9299dac81874d527a9cdfa7cf119e658706debed9fdcbee7e793302043663b3394607c04f6b101a73c630b8c72dafee2071f6576b5d99183499eb78770ac

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{868BDA23-A058-11ED-B696-5E3721E937B7}.dat
      Filesize

      5KB

      MD5

      cd99c5557a73cd02a95f7f6dad660d77

      SHA1

      7153f0832f2490dc84fb7521224bf0c4261922fb

      SHA256

      7c9fa06ebdd378b29088fa464536c39bed8f8a04e10132f02812597d62c18e03

      SHA512

      86908572b99cd8216f642cd974d1d8b409705a2fe6564cf1c50638a9b21f645ef91877d9aa53d06b5a49dfa78421627bb8e2deab851e8f20161be37d0604067d

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{868C0133-A058-11ED-B696-5E3721E937B7}.dat
      Filesize

      3KB

      MD5

      16c170a74f7ed6880150f00937d27281

      SHA1

      6b40a8b878ffb4f5175097b4fad7bcd654177c56

      SHA256

      86419a90a0943e832cf8e98ba6c1e4fb39ed2068f6987898d4462f7b22d1d48f

      SHA512

      39b3a49b2ce81f98f8758b84b6134ef4c086d8e91e3513d2ef008521687c5964b2dd942333aa7f9d1462215448243396ebf3ecf6c97103680de7d233012b8251

    • memory/1756-152-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/1756-157-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/1756-140-0x0000000000000000-mapping.dmp
    • memory/1756-150-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/1756-151-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/1756-147-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/3480-154-0x0000000000000000-mapping.dmp
    • memory/4736-145-0x0000000002590000-0x000000000361E000-memory.dmp
      Filesize

      16.6MB

    • memory/4736-143-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/4736-135-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

    • memory/4736-133-0x0000000002590000-0x000000000361E000-memory.dmp
      Filesize

      16.6MB

    • memory/4736-139-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/4736-138-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/4736-158-0x0000000002590000-0x000000000361E000-memory.dmp
      Filesize

      16.6MB

    • memory/4736-136-0x0000000000400000-0x0000000000433000-memory.dmp
      Filesize

      204KB

    • memory/4736-137-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB