Analysis
- max time kernel: 4294211s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 14-03-2022 05:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: SHITYOURSELF.exe
- Resource: win7-20220311-en
General
- Target: SHITYOURSELF.exe
- Size: 121KB
- MD5: c497c71621630045eb8d0673ae817d70
- SHA1: 74c6e0b93f8c6d5d5634bf32a47a6c4968fefc01
- SHA256: b8e40ed3d1f01fd75f0f43d4784d92aaa9596f289f23c35969af1a4c1e149c30
- SHA512: 73a8f54b95ccdfaa5f2e42dca771687612e514de87904840f4eac5fc87f0262051e614c0b0f4d576fe99f58b421dc106f45fe3bea011e0eb8bdc2d99e92f6463
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid / process:
    1016  SHITYOURSELFSrv.exe
    1924  DesktopLayer.exe
- YARA rule "upx" matched (8 IoCs). The rule fired both on the dropped files on disk and on the 0x400000-0x436000 image regions of PIDs 1016 and 1924, i.e. the packed image was found mapped in memory as well as on disk.
  resource / yara_rule:
    \Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe  upx
    C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe  upx
    C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe  upx
    behavioral1/memory/1016-59-0x0000000000400000-0x0000000000436000-memory.dmp  upx
    \Program Files (x86)\Microsoft\DesktopLayer.exe  upx
    C:\Program Files (x86)\Microsoft\DesktopLayer.exe  upx
    C:\Program Files (x86)\Microsoft\DesktopLayer.exe  upx
    behavioral1/memory/1924-66-0x0000000000400000-0x0000000000436000-memory.dmp  upx
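The "upx" rule above fires on the dropped executables and on their mapped images. The following is an added example, not part of the sandbox report or the sample: a dependency-free check for the property most UPX rules key on, the UPX0/UPX1/UPX2 section names, plus the image span (ImageBase to ImageBase+SizeOfImage) so that a dump range such as 0x400000-0x436000 from this report can be compared against the headers of the file on disk. The PE headers in the block are constructed test fixtures; the section layout, base and size are assumptions chosen to mirror the 216KB region in the report, not values read from the sample.

```python
"""Minimal PE32 section-name check for UPX, plus image span for comparison
with a sandbox memory-dump range. Added example; the PE images built here are
constructed fixtures, not the analysed sample."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def _pe_headers(data: bytes):
    """Return (coff_off, optional_header_off, section_table_off, num_sections),
    or None when the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    return coff, opt, opt + opt_size, num_sections


def pe_section_names(data: bytes) -> list:
    """Section names from the section table, trailing NULs stripped."""
    hdr = _pe_headers(data)
    if hdr is None:
        return []
    _, _, sec_table, n = hdr
    names = []
    for i in range(n):
        off = sec_table + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a UPX stub name. Cheap and trivially evaded
    by renaming sections, so treat a miss as 'unknown', not 'unpacked'."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def image_span(data: bytes):
    """(ImageBase, ImageBase + SizeOfImage) for a PE32 image, else None.
    Compare this with the dump range the sandbox reported for the process."""
    hdr = _pe_headers(data)
    if hdr is None:
        return None
    _, opt, _, _ = hdr
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 only (PE32+ has a 64-bit ImageBase)
        return None
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return image_base, image_base + size_of_image


def build_pe32(section_names, image_base=0x400000, size_of_image=0x36000) -> bytes:
    """Construct a minimal PE32 header (test fixture only; section bodies omitted).
    Defaults mirror the 0x400000-0x436000 region from the report."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(0xE0)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)               # SizeOfImage
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    packed = build_pe32(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed), [hex(x) for x in image_span(packed)])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; a hit on the section names together with an image span that coincides with the sandbox's dump range is a quick way to confirm the dump is the packed image rather than an unpacked payload written elsewhere.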
- Loads dropped DLL (2 IoCs)
  pid / process:
    628   SHITYOURSELF.exe
    1016  SHITYOURSELFSrv.exe
- Drops file in Program Files directory (3 IoCs)
  description / ioc / process:
    File opened for modification  C:\Program Files (x86)\Microsoft\px7A8D.tmp        SHITYOURSELFSrv.exe
    File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  SHITYOURSELFSrv.exe
    File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  SHITYOURSELFSrv.exe
- Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer; the acting process is iexplore.exe unless noted. These are the browser's own start-up keys in the user hive, written because the dropped DesktopLayer.exe launched iexplore.exe (see the process tree), not a persistence mechanism of the sample.
    Key created      BrowserEmulation\LowMic
    Key created      LowRegistry\DontShowMeThisDialogAgain
    Key created      Toolbar
    Set value (str)  Main\FullScreen = "no"
    Set value (str)  Main\WindowsSearch\Version = "WS not running"
    Key created      DomainSuggestion
    Key created      DomainSuggestion\FileNames
    Key created      IntelliForms
    Key created      LowRegistry
    Key created      PageSetup
    Key created      Zoom
    Key created      Recovery\PendingRecovery
    Set value (str)  DomainSuggestion\FileNames\en-US = "en-US.1"
    Key created      GPU
    Key created      Recovery\AdminActive
    Set value (int)  Recovery\PendingRecovery\AdminActive = "0"
    Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
    Set value (int)  DomainSuggestion\NextUpdateDate = "353999706"
    Key created      LowRegistry\DOMStorage
    Key created      Main  (IEXPLORE.EXE)
    Key created      DomainSuggestion\FileNames\
    Key created      Main
    Key created      Toolbar\WebBrowser
    Set value (int)  Main\CompatibilityFlags = "0"
    Set value (int)  Recovery\AdminActive\{4C29ACB1-A355-11EC-9547-6600847C1211} = "0"
    Key created      IETld\LowMic
    Key created      InternetRegistry
    Key created      Main\WindowsSearch
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / process:
    628   SHITYOURSELF.exe
    1924  DesktopLayer.exe  (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
    2000  iexplore.exe
- Suspicious behavior: MapViewOfSection (21 IoCs)
  pid / process:
    628   SHITYOURSELF.exe  (all 21 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege          628  SHITYOURSELF.exe
    Token: SeTakeOwnershipPrivilege  628  SHITYOURSELF.exe
    Token: SeRestorePrivilege        628  SHITYOURSELF.exe
    Token: SeBackupPrivilege         628  SHITYOURSELF.exe
    Token: SeChangeNotifyPrivilege   628  SHITYOURSELF.exe
  SeDebugPrivilege is the one that matters for the next signature: it is what lets a user-mode process open protected system processes such as csrss.exe and lsass.exe with write access.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process:
    2000  iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid / process:
    2000  iexplore.exe  (2 entries)
    1272  IEXPLORE.EXE  (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry has source PID 628 (SHITYOURSELF.exe). Grouped by target (target pid / target process / entries):
    1016  SHITYOURSELFSrv.exe  4
    368   wininit.exe          7
    376   csrss.exe            7
    408   winlogon.exe         7
    460   services.exe         7
    476   lsass.exe            7
    484   lsm.exe              7
    580   svchost.exe          7
    656   svchost.exe          7
    732   svchost.exe          4
  Apart from its own child SHITYOURCELFSrv.exe, the targets are core Windows processes, written to in the same fixed pattern one after another. Combined with the process enumeration and the SeDebugPrivilege adjustment above, this is consistent with the sample walking the process list and injecting into each process it can open, not with ordinary parent-to-child start-up writes.
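The WriteProcessMemory and AdjustPrivilegeToken tables above are the part of this report a detection engineer would turn into a rule. The block below is an added example, not part of the sandbox report: it parses records in the text form the report uses ("PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>" and "Token: <privilege> <pid> <image>"), groups the writes by source, and flags a source that holds SeDebugPrivilege and writes into core system processes. The sample records are constructed from entries on this page (a subset, not all 64); the list of system images and the findings format are assumptions of the example.

```python
"""Turn sandbox WriteProcessMemory / AdjustPrivilegeToken records into an
injection finding. Added example; SAMPLE_RECORDS is constructed from a subset
of the entries in this report."""
import re
from collections import Counter, defaultdict

SAMPLE_RECORDS = """
Token: SeDebugPrivilege 628 SHITYOURSELF.exe
Token: SeTakeOwnershipPrivilege 628 SHITYOURSELF.exe
PID 628 wrote to memory of 1016 628 SHITYOURSELF.exe SHITYOURSELFSrv.exe
PID 628 wrote to memory of 1016 628 SHITYOURSELF.exe SHITYOURSELFSrv.exe
PID 628 wrote to memory of 368 628 SHITYOURSELF.exe wininit.exe
PID 628 wrote to memory of 376 628 SHITYOURSELF.exe csrss.exe
PID 628 wrote to memory of 476 628 SHITYOURSELF.exe lsass.exe
PID 628 wrote to memory of 476 628 SHITYOURSELF.exe lsass.exe
PID 628 wrote to memory of 580 628 SHITYOURSELF.exe svchost.exe
"""

# Core Windows processes a benign user-mode program has no reason to write into
# (assumed list for the example; extend to taste).
SYSTEM_IMAGES = {"smss.exe", "wininit.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "lsm.exe", "svchost.exe"}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (Se\w+) (\d+) (\S+)")


def parse_records(text: str):
    """Return (writes, privs):
    writes[(src_pid, src_image)] -> Counter of (dst_pid, dst_image)
    privs[(pid, image)]          -> set of privilege names enabled."""
    writes = defaultdict(Counter)
    privs = defaultdict(set)
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if m:
            src_pid, dst_pid, src_img, dst_img = m.groups()
            writes[(int(src_pid), src_img)][(int(dst_pid), dst_img)] += 1
            continue
        m = TOKEN_RE.search(line)
        if m:
            priv, pid, img = m.groups()
            privs[(int(pid), img)].add(priv)
    return writes, privs


def injection_findings(writes, privs):
    """One finding per source that wrote into at least one system image.
    Writes confined to the source's own children produce no finding."""
    findings = []
    for src, targets in writes.items():
        sys_targets = {t for t in targets if t[1].lower() in SYSTEM_IMAGES}
        if not sys_targets:
            continue
        findings.append({
            "source": src,
            "has_debug_priv": "SeDebugPrivilege" in privs.get(src, set()),
            "system_targets": sorted(sys_targets),
            "distinct_targets": len(targets),
            "total_writes": sum(targets.values()),
        })
    return findings


def analyse(text: str):
    return injection_findings(*parse_records(text))


if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        pid, image = f["source"]
        print(f"{image} (pid {pid}): SeDebugPrivilege={f['has_debug_priv']}, "
              f"{f['total_writes']} writes into {f['distinct_targets']} processes, "
              f"system targets: {[t[1] for t in f['system_targets']]}")
```

Feeding the full table from this report yields a single finding for PID 628 with nine system-process targets; the same parser run over a benign installer's trace, which writes only into the processes it spawns, yields none, which is the distinction the rule is built on.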
Processes
- C:\Windows\system32\lsass.exe
  cmd: C:\Windows\system32\lsass.exe
  PID: 476
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  PID: 1712
- C:\Windows\system32\sppsvc.exe
  cmd: C:\Windows\system32\sppsvc.exe
  PID: 1892
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 1368
  - C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\SHITYOURSELF.exe"
    PID: 628
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
      PID: 1016
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        cmd: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 1924
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - C:\Program Files\Internet Explorer\iexplore.exe
          cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2000
          - Modifies Internet Explorer settings
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
            PID: 1272
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\Dwm.exe
  cmd: "C:\Windows\system32\Dwm.exe"
  PID: 1336
- C:\Windows\system32\taskhost.exe
  cmd: "taskhost.exe"
  PID: 1236
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  PID: 1028
- C:\Windows\System32\spoolsv.exe
  cmd: C:\Windows\System32\spoolsv.exe
  PID: 272
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkService
  PID: 292
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs
  PID: 864
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService
  PID: 832
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  PID: 796
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  PID: 732
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k RPCSS
  PID: 656
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
  PID: 580
- C:\Windows\system32\lsm.exe
  cmd: C:\Windows\system32\lsm.exe
  PID: 484
- C:\Windows\system32\services.exe
  cmd: C:\Windows\system32\services.exe
  PID: 460
- C:\Windows\system32\winlogon.exe
  cmd: winlogon.exe
  PID: 408
- C:\Windows\system32\csrss.exe
  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 376
- C:\Windows\system32\wininit.exe
  cmd: wininit.exe
  PID: 368
The system processes listed at the top level (PIDs 368, 376, 408, 460, 476, 484, 580, 656, 732) appear in the tree only because PID 628 wrote into their memory; the sample's own chain is Explorer.EXE > SHITYOURSELF.exe > SHITYOURSELFSrv.exe > DesktopLayer.exe > iexplore.exe.
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
- C:\Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
  (identical hashes to DesktopLayer.exe above: the Temp-stage dropper and the Program Files copy are the same file)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6BI7NQDF.txt
  MD5: fe3b869208fab64802ae498375f7bd27
  SHA1: 26a728d513854f6b6ab436b8e9944067f92a092f
  SHA256: 0d46ba0cb49c5c0aab4186efb4b7d856be37d64d8b0bef7c35b96d5fdc26a075
  SHA512: 6def5fc68234bd3e35cd956a917b25d41b584556a94dfe0ba9d408bd061011a203bc9f38b2de3c37d9673bf6786c7465d83abc055c4efee2fd4047af1392992d
- \Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
- \Users\Admin\AppData\Local\Temp\SHITYOURSELFSrv.exe
  MD5: 69dc6baf34bc7dc2197cfc6d15bc0a83
  SHA1: 193e9f44ce7e10fff6691ae05eb0a7c391698b25
  SHA256: 60b9314940039281b6bb2216330400cf2b12d2125326ba2e69f251fb049409b2
  SHA512: c430d975aafafe90e97942b6fb54084c9985e50454320a33ab3b458ff2eac6b6c907e14ae105be8b0926222cd3298b62356d81b796128e620406b33fffc6a40c
- Memory dumps (region / size):
  memory/1016-59-0x0000000000400000-0x0000000000436000-memory.dmp  216KB
  memory/1016-64-0x0000000077760000-0x00000000778E0000-memory.dmp  1.5MB
  memory/1016-56-0x0000000075471000-0x0000000075473000-memory.dmp  8KB
  memory/1016-65-0x000000007EFA0000-0x000000007EFAC000-memory.dmp  48KB
  memory/1924-63-0x0000000000240000-0x0000000000241000-memory.dmp  4KB
  memory/1924-67-0x0000000077760000-0x00000000778E0000-memory.dmp  1.5MB
  memory/1924-66-0x0000000000400000-0x0000000000436000-memory.dmp  216KB
  The two 0x400000-0x436000 dumps are the ones the "upx" rule matched; both processes run the same 121KB-on-disk binary, which expands to a 216KB image (0x36000 bytes) once mapped.