slothfulmedia | 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273

General

Target

448838b2a60484ee78c2198f2c0c9c85.bin.exe
Size

115KB
MD5

448838b2a60484ee78c2198f2c0c9c85
SHA1

f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
SHA256

64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
SHA512

9e532af06e5f4764529211e8c5c749baa7b01c72f11b603218c3c08d70cf1e732f8d9d81ec257ca247aaa96d1502150a2f402b1b3914780b6344222b007dd53f

Score

10^/10

trojan slothfulmedia

Malware Config

Signatures

SlothfulMedia
SlothfulMedia is a malware used by sophisticated threat actors that drops a remote access tool.
trojan slothfulmedia

SlothfulMedia Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe	family_slothfulmedia
C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe	family_slothfulmedia

Executes dropped EXE 2 IoCs

Processes:

mediaplayer.exeWsxZT.exe

pid process

1080 mediaplayer.exe
3536 WsxZT.exe

pid	process
1080	mediaplayer.exe
3536	WsxZT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

448838b2a60484ee78c2198f2c0c9c85.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\International\Geo\Nation	448838b2a60484ee78c2198f2c0c9c85.bin.exe

Deletes itself 1 IoCs

Processes:

WsxZT.exe

pid process

3536 WsxZT.exe

pid	process
3536	WsxZT.exe

Modifies registry class 1 IoCs

Processes:

448838b2a60484ee78c2198f2c0c9c85.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	448838b2a60484ee78c2198f2c0c9c85.bin.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

448838b2a60484ee78c2198f2c0c9c85.bin.exe

description	pid	process	target process
PID 3692 wrote to memory of 1080	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	mediaplayer.exe
PID 3692 wrote to memory of 1080	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	mediaplayer.exe
PID 3692 wrote to memory of 1080	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	mediaplayer.exe
PID 3692 wrote to memory of 3536	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	WsxZT.exe
PID 3692 wrote to memory of 3536	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	WsxZT.exe
PID 3692 wrote to memory of 3536	3692	448838b2a60484ee78c2198f2c0c9c85.bin.exe	WsxZT.exe

C:\Users\Admin\AppData\Local\Temp\448838b2a60484ee78c2198f2c0c9c85.bin.exe
"C:\Users\Admin\AppData\Local\Temp\448838b2a60484ee78c2198f2c0c9c85.bin.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe
  "C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe"
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\WsxZT.exe
  "C:\Users\Admin\AppData\Local\Temp\WsxZT.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  PID:3536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WsxZT.exe

MD5
64e3f894ce1fedbda8de9557ec25f048

SHA1
eec441dc95a9194b73c8c9df73a3a6d8677b0607

SHA256
0c65e44eac431125d4ee6c46052464aafdf668ac2fc27086efa3e062be173a15

SHA512
85c23b279c723b8c72e32341cacecaa20407e4de21beb801b895c49a3010df81ebedb560c0407e14cef2cd80432b9ab1ca243f673537af7fa7f90cf46f339966

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsxZT.exe

MD5
64e3f894ce1fedbda8de9557ec25f048

SHA1
eec441dc95a9194b73c8c9df73a3a6d8677b0607

SHA256
0c65e44eac431125d4ee6c46052464aafdf668ac2fc27086efa3e062be173a15

SHA512
85c23b279c723b8c72e32341cacecaa20407e4de21beb801b895c49a3010df81ebedb560c0407e14cef2cd80432b9ab1ca243f673537af7fa7f90cf46f339966

Download Submit
C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe

MD5
9f23bd89694b66d8a67bb18434da4ee8

SHA1
db8c6ea90b1be5aa560bfbe5a34577eb284243af

SHA256
927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae

SHA512
72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4a05981425574c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Media\mediaplayer.exe

MD5
9f23bd89694b66d8a67bb18434da4ee8

SHA1
db8c6ea90b1be5aa560bfbe5a34577eb284243af

SHA256
927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae

SHA512
72e95a90dc8ee2fd69b26665e88d19b1d36527fe8bbc03e252d4be925cf4acae20a3155dcd7caa50daf6e16d201a16822d77356c91654a6e4a05981425574c5b

Download Submit
memory/1080-0-0x0000000000000000-mapping.dmp

Download
memory/3536-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads