Overview

overview

10

Static

static

1

SecurityHealths.exe

windows7-x64

10

SecurityHealths.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2023 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecurityHealths.exe

  • Size

    664KB

  • MD5

    1b04b8062dd9cceabfa5c6f2ec6302b2

  • SHA1

    9ff95a3dd1bba1dcf63809b00aa320a1104729c0

  • SHA256

    f8663e37a4df974fd50038af0b16f9b994ee9eadbab852369a9b816918d41f97

  • SHA512

    990935879bc56696d002976e9af6451844b5898be72368fdc27ac9f0cdbb060f8d9838ab3e03431e6501a62c7ba81f2ec37f2fbf82f12104199ce58c69aea1ee

  • SSDEEP

    12288:2DKDBnRhiEFs7aonCVPdk88KzIxH3tsxV:2DKDBRhe9CVPdkAzIxdiV

Score
10/10
chinese_generic_botnetsalitybackdoorbotnetevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Chinese Botnet payload 2 IoCs
    botnet
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe
        "C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe"
        2⤵
        • Modifies firewall policy service
        • UAC bypass
        • Windows security bypass
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2024
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1204
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1120

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Replication Through Removable Media

        1
        T1091

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Bypass User Account Control

        1
        T1088

        Defense Evasion

        Modify Registry

        6
        T1112

        Bypass User Account Control

        1
        T1088

        Disabling Security Tools

        3
        T1089

        Credential Access

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        2
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Replication Through Removable Media

        1
        T1091

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\gqtd.exe
          Filesize

          100KB

          MD5

          bcbeed47358429eed973f57fb9ac25f1

          SHA1

          111e572385c1dbab4c82e3c06dcf2ef8df72c471

          SHA256

          e97ee32f6786eae48f670175c2b028d60cb40aa4c8259e5c33c3b64b527c0650

          SHA512

          59de4bdd2ace04c16127750dcc43981cb7677301f831cd89775f5e0e4acc5a7661ae96dd9913a6155a3ea3c48f24e4f49efd471c93ba5ddb5283401e26b23463

          Download Submit
        • memory/1120-58-0x0000000001E20000-0x0000000001E22000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-89-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-68-0x00000000003F0000-0x00000000003F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2024-92-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-63-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-66-0x00000000003F0000-0x00000000003F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2024-64-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-65-0x0000000000400000-0x00000000004AA000-memory.dmp
          Filesize

          680KB

          Download
        • memory/2024-90-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-67-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-69-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-70-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-71-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-54-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-73-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-74-0x0000000010000000-0x0000000010017000-memory.dmp
          Filesize

          92KB

          Download
        • memory/2024-77-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-79-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-80-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-81-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-82-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-72-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-57-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-60-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-94-0x00000000003E0000-0x00000000003E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-95-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-97-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-99-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-103-0x0000000004460000-0x0000000004462000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-104-0x0000000004470000-0x0000000004471000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2024-105-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-106-0x0000000004460000-0x0000000004462000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-108-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-110-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-116-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-117-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-119-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-121-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-126-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-128-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-133-0x0000000004460000-0x0000000004462000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2024-56-0x0000000001EF0000-0x0000000002F7E000-memory.dmp
          Filesize

          16.6MB

          Download
        • memory/2024-177-0x0000000000400000-0x00000000004AA000-memory.dmp
          Filesize

          680KB

          Download