Analysis
-
max time kernel
124s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-03-2023 18:57
Static task
static1
Behavioral task
behavioral1
Sample
SecurityHealths.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SecurityHealths.exe
Resource
win10v2004-20230220-en
General
-
Target
SecurityHealths.exe
-
Size
664KB
-
MD5
1b04b8062dd9cceabfa5c6f2ec6302b2
-
SHA1
9ff95a3dd1bba1dcf63809b00aa320a1104729c0
-
SHA256
f8663e37a4df974fd50038af0b16f9b994ee9eadbab852369a9b816918d41f97
-
SHA512
990935879bc56696d002976e9af6451844b5898be72368fdc27ac9f0cdbb060f8d9838ab3e03431e6501a62c7ba81f2ec37f2fbf82f12104199ce58c69aea1ee
-
SSDEEP
12288:2DKDBnRhiEFs7aonCVPdk88KzIxH3tsxV:2DKDBRhe9CVPdkAzIxdiV
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" SecurityHealths.exe -
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe -
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SecurityHealths.exe -
Chinese Botnet payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2024-74-0x0000000010000000-0x0000000010017000-memory.dmp unk_chinese_botnet behavioral1/memory/2024-177-0x0000000000400000-0x00000000004AA000-memory.dmp unk_chinese_botnet -
Processes:
resource yara_rule behavioral1/memory/2024-54-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-56-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-57-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-60-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-64-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-69-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-70-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-71-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-72-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-77-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-79-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-80-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-81-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-82-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-89-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-90-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-92-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-95-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-97-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-99-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-105-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-108-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-110-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-116-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-117-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-119-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-121-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-126-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-128-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx -
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" SecurityHealths.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SecurityHealths.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SecurityHealths.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Kseuaqw.exe" SecurityHealths.exe -
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
SecurityHealths.exedescription ioc process File opened (read-only) \??\W: SecurityHealths.exe File opened (read-only) \??\X: SecurityHealths.exe File opened (read-only) \??\Y: SecurityHealths.exe File opened (read-only) \??\F: SecurityHealths.exe File opened (read-only) \??\L: SecurityHealths.exe File opened (read-only) \??\M: SecurityHealths.exe File opened (read-only) \??\Q: SecurityHealths.exe File opened (read-only) \??\R: SecurityHealths.exe File opened (read-only) \??\B: SecurityHealths.exe File opened (read-only) \??\H: SecurityHealths.exe File opened (read-only) \??\K: SecurityHealths.exe File opened (read-only) \??\Z: SecurityHealths.exe File opened (read-only) \??\E: SecurityHealths.exe File opened (read-only) \??\G: SecurityHealths.exe File opened (read-only) \??\J: SecurityHealths.exe File opened (read-only) \??\P: SecurityHealths.exe File opened (read-only) \??\T: SecurityHealths.exe File opened (read-only) \??\V: SecurityHealths.exe File opened (read-only) \??\I: SecurityHealths.exe File opened (read-only) \??\N: SecurityHealths.exe File opened (read-only) \??\O: SecurityHealths.exe File opened (read-only) \??\S: SecurityHealths.exe File opened (read-only) \??\U: SecurityHealths.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
SecurityHealths.exedescription ioc process File opened for modification C:\autorun.inf SecurityHealths.exe -
Drops file in Program Files directory 5 IoCs
Processes:
SecurityHealths.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe SecurityHealths.exe -
Drops file in Windows directory 3 IoCs
Processes:
SecurityHealths.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI SecurityHealths.exe File created C:\Windows\Kseuaqw.exe SecurityHealths.exe File opened for modification C:\Windows\Kseuaqw.exe SecurityHealths.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
SecurityHealths.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SecurityHealths.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz SecurityHealths.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
SecurityHealths.exepid process 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
SecurityHealths.exedescription pid process Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SecurityHealths.exepid process 2024 SecurityHealths.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
SecurityHealths.exedescription pid process target process PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe taskhost.exe PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe Dwm.exe PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe Explorer.EXE -
System policy modification 1 TTPs 1 IoCs
Processes:
SecurityHealths.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\gqtd.exeFilesize
100KB
MD5bcbeed47358429eed973f57fb9ac25f1
SHA1111e572385c1dbab4c82e3c06dcf2ef8df72c471
SHA256e97ee32f6786eae48f670175c2b028d60cb40aa4c8259e5c33c3b64b527c0650
SHA51259de4bdd2ace04c16127750dcc43981cb7677301f831cd89775f5e0e4acc5a7661ae96dd9913a6155a3ea3c48f24e4f49efd471c93ba5ddb5283401e26b23463
-
memory/1120-58-0x0000000001E20000-0x0000000001E22000-memory.dmpFilesize
8KB
-
memory/2024-89-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-68-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2024-92-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-63-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2024-66-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2024-64-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-65-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/2024-90-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-67-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2024-69-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-70-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-71-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-54-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-73-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2024-74-0x0000000010000000-0x0000000010017000-memory.dmpFilesize
92KB
-
memory/2024-77-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-79-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-80-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-81-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-82-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-72-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-57-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-60-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-94-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2024-95-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-97-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-99-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-103-0x0000000004460000-0x0000000004462000-memory.dmpFilesize
8KB
-
memory/2024-104-0x0000000004470000-0x0000000004471000-memory.dmpFilesize
4KB
-
memory/2024-105-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-106-0x0000000004460000-0x0000000004462000-memory.dmpFilesize
8KB
-
memory/2024-108-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-110-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-116-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-117-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-119-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-121-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-126-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-128-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-133-0x0000000004460000-0x0000000004462000-memory.dmpFilesize
8KB
-
memory/2024-56-0x0000000001EF0000-0x0000000002F7E000-memory.dmpFilesize
16.6MB
-
memory/2024-177-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB