Resubmissions
  25-06-2021 19:11   210625-5pemrnaw72   score 8
  17-01-2021 18:28   210117-75pm951t9e   score 8
  30-12-2020 13:22   201230-xn7db4f1zn   score 8

Analysis
- max time kernel: 151s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-01-2021 18:28

Static task: static1
Behavioral task: behavioral1
  Sample: freebobux.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: freebobux.exe
  Resource: win10v20201028
General
- Target: freebobux.exe
- Size: 779KB
- MD5: 794b00893a1b95ade9379710821ac1a4
- SHA1: 85c7b2c351700457e3d6a21032dfd971ccb9b09d
- SHA256: 5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
- SHA512: 3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  CLWCP.exe (PID 1356)
- Loads dropped DLL (2 IoCs)
  cmd.exe (PID 1228), two loads
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  CLWCP.exe (PID 1356): Set value (str)
  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp"
- Suspicious behavior: EnumeratesProcesses (119 IoCs)
  taskmgr.exe (PID 268)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  taskmgr.exe (PID 268)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  taskmgr.exe (PID 268): Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (131 IoCs)
  taskmgr.exe (PID 268)
- Suspicious use of SendNotifyMessage (131 IoCs)
  taskmgr.exe (PID 268)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1832 (freebobux.exe) wrote to memory of PID 1228 (cmd.exe), 4 times
  PID 1228 (cmd.exe) wrote to memory of PID 1356 (CLWCP.exe), 4 times
  PID 1228 (cmd.exe) wrote to memory of PID 912 (WScript.exe), 4 times
  Note: every one of these writes goes from a parent into a child it had just launched (compare the process tree below), which is what ordinary process creation looks like to this signature. Nothing wrote into a process outside the sample's own tree, so this is not evidence of injection into a pre-existing process.
Processes
- C:\Users\Admin\AppData\Local\Temp\freebobux.exe  (PID 1832, level 1)
  "C:\Users\Admin\AppData\Local\Temp\freebobux.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (PID 1228, level 2)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\5CB.tmp\freebobux.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\5CB.tmp\CLWCP.exe  (PID 1356, level 3)
      clwcp c:\temp\bg.bmp
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
    - C:\Windows\SysWOW64\WScript.exe  (PID 912, level 3)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5CB.tmp\x.vbs"
- C:\Windows\system32\taskmgr.exe  (PID 268, level 1)
  "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Reading the tree: the sample's own activity is a single chain. freebobux.exe unpacks into a %TEMP%\5CB.tmp staging directory and runs a .bat of the same name through cmd.exe (the layout is consistent with a batch-to-exe wrapper); the batch file launches the dropped CLWCP.exe, which sets the wallpaper to c:\temp\bg.bmp through the registry, and WScript.exe on the dropped x.vbs, whose behaviour triggered no signature on this page. Both cmd.exe and WScript.exe resolve to SysWOW64, so freebobux.exe is a 32-bit image running under WOW64 on this x64 host. taskmgr.exe (PID 268) is a separate top-level process that the sample did not spawn; the five signatures attached to it (process enumeration, SeDebugPrivilege, shell-tray and foreground-window probing) are Task Manager's own behaviour and should not be scored against freebobux.exe when triaging.
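The attribution rule stated above (only processes reachable from the sample through parent links count against it) is easy to get wrong when reading a flat signature list. The following is an added example, not part of the sandbox report or its vendor's rules: it rebuilds the report's process tree from constructed process-creation and registry events that mirror the page (PIDs, paths and the registry value are copied from the report; the event field names, the `STAGING_DIR` heuristic and the signature labels are this example's own assumptions) and re-derives the four sample-attributable signatures while ignoring taskmgr.exe.

```python
"""Added example, not part of the sandbox report: re-deriving the report's
behavioural signatures from process-creation and registry events.

The events below are CONSTRUCTED to mirror the process tree and the single
registry write shown in the report; they are not captured Sysmon/ETW logs,
and the field names (pid, ppid, image, cmdline, target, value) and the
STAGING_DIR heuristic are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None for a top-level process
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    target: str  # registry value path as the sandbox reports it
    value: str


# Constructed process-creation events; PIDs and paths are taken from the report.
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(1832, None, r"C:\Users\Admin\AppData\Local\Temp\freebobux.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\freebobux.exe"'),
    ProcEvent(1228, 1832, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\5CB.tmp\freebobux.bat""'),
    ProcEvent(1356, 1228, r"C:\Users\Admin\AppData\Local\Temp\5CB.tmp\CLWCP.exe",
              r"clwcp c:\temp\bg.bmp"),
    ProcEvent(912, 1228, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5CB.tmp\x.vbs"'),
    # Top-level process the sample did not spawn; its activity must not be attributed to the sample.
    ProcEvent(268, None, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]

# Constructed registry event: the one SetValue the report attributes to CLWCP.exe.
REG_EVENTS: List[RegEvent] = [
    RegEvent(1356,
             r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper",
             r"c:\temp\bg.bmp"),
]

# Assumed heuristic: a hex-named *.tmp directory under %TEMP% (5CB.tmp in the
# report) is treated as a staging directory for dropped payloads.
STAGING_DIR = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]+\.tmp\\", re.IGNORECASE)
WALLPAPER_VALUE = r"\control panel\desktop\wallpaper"

Finding = Tuple[str, int]  # (signature name, pid)


def descendants(root_pid: int, procs: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Every process reachable from root_pid by following ppid links (root excluded)."""
    found, stack = [], [root_pid]
    while stack:
        parent = stack.pop()
        for p in procs.values():
            if p.ppid == parent:
                found.append(p)
                stack.append(p.pid)
    return found


def analyse(root_pid: int, proc_events: List[ProcEvent], reg_events: List[RegEvent]) -> Set[Finding]:
    """Emit the sample-attributable signatures for the tree rooted at root_pid."""
    procs = {p.pid: p for p in proc_events}
    tree = descendants(root_pid, procs)
    in_scope = {p.pid for p in tree} | {root_pid}
    findings: Set[Finding] = set()
    for p in tree:
        base = p.image.rsplit("\\", 1)[-1].lower()
        if base == "cmd.exe" and re.search(r"\.bat\b", p.cmdline, re.I) and STAGING_DIR.search(p.cmdline):
            findings.add(("runs staged batch file", p.pid))
        elif base in ("wscript.exe", "cscript.exe") and re.search(r"\.vbs\b", p.cmdline, re.I) \
                and STAGING_DIR.search(p.cmdline):
            findings.add(("runs staged VBScript", p.pid))
        elif STAGING_DIR.search(p.image):
            # The image itself lives in the staging directory: a dropped EXE was executed.
            findings.add(("executes dropped EXE", p.pid))
    for r in reg_events:
        # Only registry writes by processes inside the sample's tree count against the sample.
        if r.pid in in_scope and r.target.lower().endswith(WALLPAPER_VALUE):
            findings.add(("sets wallpaper via registry", r.pid))
    return findings


if __name__ == "__main__":
    for sig, pid in sorted(analyse(1832, PROC_EVENTS, REG_EVENTS), key=lambda f: f[1]):
        print(f"{sig:<28} PID {pid}")
    print("attributable to taskmgr.exe (PID 268):", analyse(268, PROC_EVENTS, REG_EVENTS) or "nothing")
```

Run against the constructed events, `analyse(1832, ...)` yields exactly the four signatures the report attaches to the sample's chain (batch file, VBScript, dropped EXE, wallpaper write), and `analyse(268, ...)` yields nothing, because taskmgr.exe has no children and no registry writes. On real telemetry the same walk over ppid links is what separates a sample's behaviour from unrelated processes the sandbox or user happened to start.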
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\5CB.tmp\CLWCP.exe
  (reported twice under this path and twice as \Users\Admin\AppData\Local\Temp\5CB.tmp\CLWCP.exe; all four entries carry the same hashes)
  MD5    e62ee6f1efc85cb36d62ab779db6e4ec
  SHA1   da07ec94cf2cb2b430e15bd0c5084996a47ee649
  SHA256 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
  SHA512 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69
- C:\Users\Admin\AppData\Local\Temp\5CB.tmp\bg.bmp
  (identical content also written to \??\c:\temp\bg.bmp, the path the registry Wallpaper value points at)
  MD5    2229bdea09783e544015db10917ea91c
  SHA1   9d8fd01f98f6de2f2889bc441847f25146190660
  SHA256 13ff1d9aee82f15e4df8621c0b68ca31844bea8a0a5e5b194dfeabac7a646521
  SHA512 c1abd12398bf749fcc07de144ada40e23985cde634d7ba756f0199614ec4eec918c706f0d8af2f4fbec2539c256e638496e8c57cd18e2f5cbefe204d3770d089
- C:\Users\Admin\AppData\Local\Temp\5CB.tmp\freebobux.bat
  MD5    202d76eb2952aeb2e241c13defe48045
  SHA1   34e26a3407288c7ea63bd1cd305c27b06b163386
  SHA256 9d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab
  SHA512 6a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3
- C:\Users\Admin\AppData\Local\Temp\5CB.tmp\x.vbs
  MD5    ab30794d761af418b216eab48d003536
  SHA1   edd4c2f1813c70cb8739b5c3b8efa425072a4911
  SHA256 a6154ba12e45de717c0f6cef752c68897ac80438d1ad60750b258f1d35a39e25
  SHA512 96214a59bd691d2210a758d1679e2db7e6b186c2f0b8bd9a4286ea3a8aeaa1f35632c6c078371bf474e7dffca9e23bd0d6cc4e9c0c114c883ab3374be81f291d
- memory/268-18-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp  (8KB)
- memory/912-14-0x0000000000000000-mapping.dmp
- memory/912-17-0x00000000025F0000-0x00000000025F4000-memory.dmp  (16KB)
- memory/1228-3-0x0000000000000000-mapping.dmp
- memory/1356-9-0x0000000000000000-mapping.dmp
- memory/1356-12-0x00000000001B0000-0x00000000001B1000-memory.dmp  (4KB)
- memory/1832-2-0x0000000075DE1000-0x0000000075DE3000-memory.dmp  (8KB)