Overview

overview

10

Static

static

3

27ce808184...0N.exe

windows7-x64

10

27ce808184...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27ce8081843077b6e9c559267cb19f80N.exe

  • Size

    165KB

  • MD5

    27ce8081843077b6e9c559267cb19f80

  • SHA1

    7811a1be5df65d6179147050a251fa8d3e2f63d4

  • SHA256

    f142ef7a4027554cb455a6de9b44b312ba34b9b4188ee45259ba1f4238180a67

  • SHA512

    bffe3125653f8c7db4ce2e797cbc068577a13c51dfa0eb1fd838740a91f9235c6c72eb1514c8729961fbec90550c0e19a8375afee41b6b8774f6d936c320ea27

  • SSDEEP

    3072:QZSlI/HUOjSiToj7CEqfqg27mx/t3CnM9ga7ECfVeB1P0Yal7gz8PrVG:Qv/HFjSdfCZ47mx/t3Cn3a4CfUB1Cl7a

Score
10/10
ramnitsalitybackdoorbankerdiscoveryevasionspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Loads dropped DLL 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\27ce8081843077b6e9c559267cb19f80N.exe
    "C:\Users\Admin\AppData\Local\Temp\27ce8081843077b6e9c559267cb19f80N.exe"
    1⤵
    • Modifies firewall policy service
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • System policy modification
    PID:3700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 6248
      2⤵
      • Program crash
      PID:1716
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
    1⤵
      PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~TMEFA0.tmp
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit

    • memory/3700-7-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-13-0x0000000077C12000-0x0000000077C13000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3700-9-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-14-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3700-10-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3700-12-0x0000000077C12000-0x0000000077C14000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3700-15-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-11-0x0000000003560000-0x000000000359E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3700-8-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-3-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-1-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/3700-16-0x00000000023D0000-0x000000000345E000-memory.dmp

      Filesize

      16.6MB

      Download