Analysis
-
max time kernel
124s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-03-2023 18:57
Static task
static1
Behavioral task
behavioral1
Sample
SecurityHealths.exe
Resource
win7-20230220-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
SecurityHealths.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
SecurityHealths.exe
-
Size
664KB
-
MD5
1b04b8062dd9cceabfa5c6f2ec6302b2
-
SHA1
9ff95a3dd1bba1dcf63809b00aa320a1104729c0
-
SHA256
f8663e37a4df974fd50038af0b16f9b994ee9eadbab852369a9b816918d41f97
-
SHA512
990935879bc56696d002976e9af6451844b5898be72368fdc27ac9f0cdbb060f8d9838ab3e03431e6501a62c7ba81f2ec37f2fbf82f12104199ce58c69aea1ee
-
SSDEEP
12288:2DKDBnRhiEFs7aonCVPdk88KzIxH3tsxV:2DKDBRhe9CVPdkAzIxdiV
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
-
Modifies firewall policy service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" SecurityHealths.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SecurityHealths.exe -
Chinese Botnet payload 2 IoCs
resource yara_rule behavioral1/memory/2024-74-0x0000000010000000-0x0000000010017000-memory.dmp unk_chinese_botnet behavioral1/memory/2024-177-0x0000000000400000-0x00000000004AA000-memory.dmp unk_chinese_botnet -
resource yara_rule behavioral1/memory/2024-54-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-56-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-57-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-60-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-64-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-69-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-70-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-71-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-72-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-77-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-79-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-80-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-81-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-82-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-89-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-90-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-92-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-95-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-97-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-99-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-105-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-108-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-110-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-116-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-117-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-119-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-121-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-126-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx behavioral1/memory/2024-128-0x0000000001EF0000-0x0000000002F7E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" SecurityHealths.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" SecurityHealths.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SecurityHealths.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\Kseuaqw.exe" SecurityHealths.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: SecurityHealths.exe File opened (read-only) \??\X: SecurityHealths.exe File opened (read-only) \??\Y: SecurityHealths.exe File opened (read-only) \??\F: SecurityHealths.exe File opened (read-only) \??\L: SecurityHealths.exe File opened (read-only) \??\M: SecurityHealths.exe File opened (read-only) \??\Q: SecurityHealths.exe File opened (read-only) \??\R: SecurityHealths.exe File opened (read-only) \??\B: SecurityHealths.exe File opened (read-only) \??\H: SecurityHealths.exe File opened (read-only) \??\K: SecurityHealths.exe File opened (read-only) \??\Z: SecurityHealths.exe File opened (read-only) \??\E: SecurityHealths.exe File opened (read-only) \??\G: SecurityHealths.exe File opened (read-only) \??\J: SecurityHealths.exe File opened (read-only) \??\P: SecurityHealths.exe File opened (read-only) \??\T: SecurityHealths.exe File opened (read-only) \??\V: SecurityHealths.exe File opened (read-only) \??\I: SecurityHealths.exe File opened (read-only) \??\N: SecurityHealths.exe File opened (read-only) \??\O: SecurityHealths.exe File opened (read-only) \??\S: SecurityHealths.exe File opened (read-only) \??\U: SecurityHealths.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf SecurityHealths.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe SecurityHealths.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe SecurityHealths.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI SecurityHealths.exe File created C:\Windows\Kseuaqw.exe SecurityHealths.exe File opened for modification C:\Windows\Kseuaqw.exe SecurityHealths.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 SecurityHealths.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz SecurityHealths.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe 2024 SecurityHealths.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe Token: SeDebugPrivilege 2024 SecurityHealths.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2024 SecurityHealths.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 PID 2024 wrote to memory of 1120 2024 SecurityHealths.exe 16 PID 2024 wrote to memory of 1204 2024 SecurityHealths.exe 15 PID 2024 wrote to memory of 1248 2024 SecurityHealths.exe 14 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecurityHealths.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealths.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1204
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1120
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5bcbeed47358429eed973f57fb9ac25f1
SHA1111e572385c1dbab4c82e3c06dcf2ef8df72c471
SHA256e97ee32f6786eae48f670175c2b028d60cb40aa4c8259e5c33c3b64b527c0650
SHA51259de4bdd2ace04c16127750dcc43981cb7677301f831cd89775f5e0e4acc5a7661ae96dd9913a6155a3ea3c48f24e4f49efd471c93ba5ddb5283401e26b23463