Analysis
max time kernel: 152s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2023, 13:41
Behavioral tasks
behavioral1: sample PerX.exe, resource win7-20221111-en
behavioral2: sample PerX.exe, resource win10v2004-20221111-en
behavioral3: sample Scarletz.dll, resource win7-20221111-en
behavioral4: sample Scarletz.dll, resource win10v2004-20220812-en
General
Target: PerX.exe
Size: 700KB
MD5: 2a1a572771597d924ed145efaf4c77d6
SHA1: 0302a5986fadc56557018291003a2bc852fd0913
SHA256: 333ea334c1a637d1ef888771bf6542953d28f76c26487356ff2a94a971667c55
SHA512: 17560878ae608fe947220f0d640d72d51e7c607e238e8be7b9f19fc7d20a7dd631633c21f424629bb8f57963161d8226601308cf95ced86c7c178b64dd0302fc
SSDEEP: 12288:Ddm3xc4L24cmoS8c97WyggbpPYfBZpLnPO2Vmi1ZXA2m/jl+mixj2:Ddm3xX9ggbpcLP7A2gomOC
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | PerX.exe
UAC bypass (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Windows security bypass (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | PerX.exe
Executes dropped EXE (1 IoC)
pid | Process
1128 | PerXmgr.exe
YARA rule match: upx (6 IoCs)
resource | yara_rule
behavioral1/memory/1212-60-0x0000000001F00000-0x0000000002F8E000-memory.dmp | upx
behavioral1/memory/1212-68-0x0000000000400000-0x0000000000531000-memory.dmp | upx
behavioral1/memory/1212-69-0x0000000001F00000-0x0000000002F8E000-memory.dmp | upx
behavioral1/memory/1212-76-0x0000000000400000-0x0000000000531000-memory.dmp | upx
behavioral1/memory/1212-77-0x0000000001F00000-0x0000000002F8E000-memory.dmp | upx
behavioral1/memory/1128-80-0x0000000000230000-0x000000000028B000-memory.dmp | upx
Loads dropped DLL (9 IoCs)
pid | Process
1212 | PerX.exe
1212 | PerX.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
2020 | WerFault.exe
Windows security modification (7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | PerX.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | PerX.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | PerX.exe
Checks whether UAC is enabled (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: through \??\Z: (22 drive letters, every letter from E to Z; listed in the original order F, I, J, K, R, N, Y, X, E, G, L, O, P, U, W, Z, H, M, Q, S, T, V) | PerX.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | PerX.exe
Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | PerX.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | PerX.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | PerX.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | PerX.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2020 | 1128 | WerFault.exe | 28
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1212 | PerX.exe (59 entries)
2020 | WerFault.exe (5 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2020 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (22 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1212 | PerX.exe (21 entries)
Token: SeDebugPrivilege | 2020 | WerFault.exe (1 entry)
Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target
PID 1212 wrote to memory of 1128 | 1212 | PerX.exe | 28 (6 entries)
PID 1128 wrote to memory of 2020 | 1128 | PerXmgr.exe | 29 (4 entries)
PID 1212 wrote to memory of 2020 | 1212 | PerX.exe | 29 (2 entries)
PID 1212 wrote to memory of 1120 | 1212 | PerX.exe | 18 (14 entries)
PID 1212 wrote to memory of 1172 | 1212 | PerX.exe | 16 (14 entries)
PID 1212 wrote to memory of 1204 | 1212 | PerX.exe | 15 (14 entries)
System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | PerX.exe
Processes
(image path, command line, PID; indentation shows the parent/child relationship)
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1204
  C:\Users\Admin\AppData\Local\Temp\PerX.exe | "C:\Users\Admin\AppData\Local\Temp\PerX.exe" | PID:1212
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Users\Admin\AppData\Local\Temp\PerXmgr.exe | C:\Users\Admin\AppData\Local\Temp\PerXmgr.exe | PID:1128
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 152 | PID:2020
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1172
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1120
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 113KB
MD5: d26092af969610dab56e02649ecae88d
SHA1: cd450ff4b645acd188fa1f9e9c16a972c0e99f87
SHA256: e4fedb771fd949517cbf3392c9f36be599bf16726a4702cb960a1f4845c39a71
SHA512: 8c87bf4318089dc03d7c60b1d1f04ac46333f792ca37bd3a0ca832dc22ae56dc8b0a473154706ef58812c70cf99d6fee877ab4984ce973eaaa3e5d1525730b05
(the report lists this same artifact 11 times, each with identical size and hashes)