Analysis
-
max time kernel
122s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-04-2024 18:34
General
-
Target
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe
-
Size
157KB
-
MD5
04739948ba1b0e0e5a36913914a19dae
-
SHA1
2c1622b237e6ea49a5297f3060d9b216a0760b32
-
SHA256
0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213
-
SHA512
811caf83ce7b583b720612f9e5c989726727804ae0af9c730fe0f8c46078ac0cea4e1bd0cfeb88cd8501de970a87771a9af9bcb53d6e4e6af4777d2f968894f5
-
SSDEEP
3072:xeZUO+PHKrXl0CFh5mlhQ+Z/KuSWviHJjqGXer4:xyd+P8CCFPmlq+IbhX04
Malware Config
Extracted
phorphiex
http://185.215.113.66/
0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b
THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto
1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6
qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL
LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX
rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH
ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC
3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3
D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH
t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn
bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd
bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg
bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut
GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 19 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs
-
UPX dump on OEP (original entry point) 29 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 8 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 23 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe"C:\Users\Admin\AppData\Local\Temp\0d0233a0b94140a1fc7aeb086cc44a5b119a86c2731c144aa4490fa4f229f213.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\359420139.exeC:\Users\Admin\AppData\Local\Temp\359420139.exe3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\213727312.exeC:\Users\Admin\AppData\Local\Temp\213727312.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\228717671.exeC:\Users\Admin\AppData\Local\Temp\228717671.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3043923061.exeC:\Users\Admin\AppData\Local\Temp\3043923061.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2062012843.exeC:\Users\Admin\AppData\Local\Temp\2062012843.exe3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\805819405.exeC:\Users\Admin\AppData\Local\Temp\805819405.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\1[1]Filesize
81KB
MD501e5faba64d8e9a9c187831fdc819f4c
SHA1350a1a2bf237e64f43716262f99c632f5e01ba62
SHA2567f4f76bd8fa91a71ce7999f9bbd0f7a63ca82d4e96b4d99cfad98edde1d85450
SHA512f4bc09ab9e4579b82707d6420e3b9df9ec4fd77e11ce5eb8304b45e3b5c9403c01de4e50f3c7f03f00f3ebc921646794638dccfded199bfe5f3fd727f3e57782
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\5[1]Filesize
8KB
MD5145fc3dbf778aa2ba80af3d74eabfad6
SHA113dfeadb4b38c461f8b9d25853c0cae5d9a65f7c
SHA2565ab3bcaff0514c89388ea4958197ab0ff5bcc5999e1b95d830bc72da94bd4200
SHA5129bd7d50d489c4fc57ee1a0d3ad3cd2d29ca20f8ad1e46668a36d7ecced42db03a6980b039a2aeb7a1e1761aef89d994d73a497043ba744678290a8a9772a6306
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\2[1]Filesize
14KB
MD5fce292c79288067dc17919ed588c161c
SHA1bb44fa2c95af5bbd11e49264a40c16d6f343fa21
SHA2564ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828
SHA51273dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e
-
C:\Users\Admin\AppData\Local\Temp\2062012843.exeFilesize
14KB
MD52f4ab1a4a57649200550c0906d57bc28
SHA194bc52ed3921791630b2a001d9565b8f1bd3bd17
SHA256baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa
SHA512ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8
-
C:\Users\Admin\AppData\Local\Temp\359420139.exeFilesize
81KB
MD5f4713c8ac5fc1e4919156157e7bece19
SHA17bd9e35b1d1210183bbb4fe1995895cbc1692c62
SHA2562be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b
SHA512ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f
-
C:\Users\Admin\AppData\Local\Temp\805819405.exeFilesize
8KB
MD5c34a248f132e739652407b0aa8c978cd
SHA1f7f05357fd6ab2d1a11e3427ee46626bb6ad94ee
SHA2564c9c53256ff65c9930c38b193537ad510930c25052231c7eef3715057b79e578
SHA512f7999e8b903fbc2e715d6d7e7bb0bc421cef79dbd61f6d94f18fa63c99a420d2a70d4b23fa0b8ec05d073c954aec718be588ada718bb0f5aacd618ad815f2703
-
C:\Users\Admin\sysvpplvcr.exeFilesize
154KB
MD52d6e5a4910a9c1bbb02a393a856dd660
SHA1b0609a416b3e3251195f08bcdc5e78dc8e02bcc7
SHA2568d93992e9c3f3354b81b1e589cc662f3c7e15acc25f703af8220cbb779cf3fb4
SHA5120dfc3a927ef4407e625b84158e047d6e8ff8d3f2afb90df57ee1732ef69b026a43a50f6c65d28d8a39b23b6eaeda12f7b05f0b520e3f97afc8319466c8c79d55
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD573a114a8a15463801244f5b4e48086e8
SHA14053752e273dec27aba72d50f7c407d18a89fb53
SHA256f6fa0cbc174fd9a3cadd7be41ffe0d7e1df0e7defbe864fef4802a5cb322ee49
SHA512ab47374a4fb0bda016350d82639d5463289c802b1bbe29929b0089240bfb002ec09a1349e1b0c376543bac0266e8aae9f48d12f0492d713817b1395f6400612b
-
C:\Users\Admin\tbtnds.datFilesize
4KB
MD5d73cf76255ed3e90e72d98d28e8eddd3
SHA1d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5
SHA256bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781
SHA51220ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2
-
F:\poayss.pifFilesize
100KB
MD58bac0cadefd9c11a3a3534f4b139c199
SHA1c3df045be9f1e78123eb3eb0ae6b579a9789b979
SHA256bfb5f07f4bc40e953a9aece1ff4487de53635df99f137eabf01820581e15d6ef
SHA51258fd2f11cb4677007e1ebde7bedd254104a8b9b31c56e8b989e6d3274599edc9190c743b7496aa575244c56506e1e7fa60868f5aa5806d7386972f18142ff84e
-
memory/912-197-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/912-191-0x0000000000080000-0x0000000000082000-memory.dmpFilesize
8KB
-
memory/1028-130-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/1028-205-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB
-
memory/1028-126-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB
-
memory/1120-5-0x0000000000620000-0x0000000000622000-memory.dmpFilesize
8KB
-
memory/2180-204-0x00000000021B0000-0x00000000021B2000-memory.dmpFilesize
8KB
-
memory/2180-124-0x00000000021C0000-0x00000000021C1000-memory.dmpFilesize
4KB
-
memory/2180-118-0x00000000021B0000-0x00000000021B2000-memory.dmpFilesize
8KB
-
memory/2316-232-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2316-199-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2316-200-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/2832-246-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/2832-245-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2832-261-0x0000000000130000-0x0000000000132000-memory.dmpFilesize
8KB
-
memory/2928-25-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-33-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-47-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-67-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-69-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-76-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-78-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-82-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-86-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-93-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-43-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-39-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-100-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-116-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/2928-37-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-36-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-35-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-58-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-32-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-31-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-26-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-0-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2928-24-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2928-20-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-22-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/2928-17-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-19-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2928-18-0x00000000002D0000-0x00000000002D2000-memory.dmpFilesize
8KB
-
memory/2928-14-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-11-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-9-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-6-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-4-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-3-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB
-
memory/2928-1-0x0000000001ED0000-0x0000000002F5E000-memory.dmpFilesize
16.6MB