Analysis
-
max time kernel
87s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
22-02-2023 10:14
General
-
Target
https://github.com/BootModulex/PwnBox/blob/main/PwnBox.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/BootModulex/PwnBox/blob/main/PwnBox.exe1⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04Filesize
471B
MD5893b3e36bbc573b988ad21eda1216ebe
SHA1159d4b8ca7aa2db8c822a2908e6b1a9f1c3a198b
SHA256113099404d4eb5526a1557a7118dc472c64b93024a905d84959226cdfa90667d
SHA51208689569151abf4f2392664613328eabfe0c3cde11e821a0716708b8b4cd4b2964895b48edb249dc0c2b3701e8c6c95304b86f10bd4ead0b7438fce94e0da491
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD534f10d96a48dcc2c76587d53f3863efe
SHA10f557a5b3548ca74fa22e057edc039b1f66a0569
SHA2565fbcd680c4f40bd0a9c846128419bf520abb1ef55c25cbdb9fcefe518a3947b8
SHA5126e93f6865e79d505132c266a229bd5fc95e84d5f7a04e3c68365b3137a9e9fb42157d8cb39e8556d9363fb6bad744b2f82491b8b3472e4c310045ab5ce96e1eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59d76ab339efc8678e6d993bc4e4be423
SHA1e796736d682bd37731c8e8a486deef8d9ba5d5f5
SHA256937835d2ce5093e8bc4319ab03233f8eada9005a89fac133784b6a650a0ab5b3
SHA512326054023f9558e285742694c4d02d5c23cf5c55e53725d62b106720018a96c9fd016d663a81e0b1b170120ac73a6a7cfac91373b6c3aa91d227dc348c67b7ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50fbab940c836c2d19b303ee6714db039
SHA14b4f3f8c94d8dc4a96c443ecafcbaf5b5947e9b3
SHA256a089db84d9c5e1d8be875a0b6ff2ba92c47184dff54d20f9c4ff4587ecae7a92
SHA5120292f475a4159518b696a0eb9a074ef3571864295679995f169adc280422f81429ee3145df0ce6f5ea5b1d0cc7dc839c91935636271059547b5928567b3c6904
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a3cbaeb7d9433ccdf1ab2818f0bfca50
SHA1aa2a32c0427226690ab3e501132f6a990b69444b
SHA256e3a8237723c6579f0b12ee5e99547e74fd3d1d9a195ab652be18ed3b992fa63e
SHA5122bc284fd0278e1aeac90e5fdf6f9b980af375075edc7c5b567ce1cd88c36bd3f4413e25d12796761d89001debb9b475f2cdf6fba3ca82c3a8a27e4fb1cfd6e90
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD55b88dbc43422b6d7c0511ceec00b5f7d
SHA1d9bca9b470e99041e5c47aabe33ef1fd149f961c
SHA256e36deaaa0f1313d187594b6bc812212630366e19bb9ba8b9cb79f163d47a87f4
SHA512f565195c0a21ae3b4b022a66f0b05896d36e6525b5276a2bf7d43d07b5e38c2fee6d4ad44ed567e32c963b80bdd0c605e0157148b98d9a7c88e2b6320db59f20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ba29339e6292b374cff9a793a57dd6c0
SHA10abac3a85c986efb97f471d4c3354198469065f5
SHA256bffead8510c32d88cdf88097420bcf31282d3a29881fa5520676c64f582c1799
SHA5121eaef0e221465ad7abbdb168bd58a9353dfc9d2e1bd18f4f281edebf8fe53bcc264bca5410d8b21e75761874cb6ef2f56bad7160de459daccc16028fb139f851
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD52867475d9d08cea1965a62926f658d45
SHA1dd362aa08b3013aa275693c6577bc5838ba3670d
SHA256d58c87bb5b0b8248f369002ce647fd9387b04aeaef94d1dbe68a3ea925eb3fbb
SHA51265d0d51b7de636db5c574d99ebff6df28c32fae1b7cda77986e3252f268c17a2760c6adb30e14cb5a13da05fad598ef497d124d3e4b99b84a83bc0d46215eeef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58df75aa088eb33ec132c55f466f3e295
SHA10bccdb891e6c50e29860ccbb06b13452300dd42f
SHA256121f673d100724096e2683e6de5307c2d9420a73205709e8899e9c0e7f38a6e2
SHA512bab4ad71269be40b39197b8e007486ebf204f907c0df8a7c4fb461ec414b01e9454bf2764b53383513a399f4f391470af64aae856fd57ba8128891ec42463029
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5710236f856cb21b7a5eabcb407fff945
SHA1c20165c20c67f566464af8f3c327d2c576456faa
SHA256efb5b649c3b7b4064edeb1450a53b8b95ea18d927974665acb4b618205b0958c
SHA512b7595a40c76be16d47b9abc58c809d962d9ccfc54df207fc02f44f5f00f8ff1e4d329c98feb941ec6de5a149ff3ab6f9267a0d9673f2a4979bada0849b09da74
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04Filesize
430B
MD5c281d594fe239a322c34afb5fdbc309a
SHA1c963ca9eae6fe73086c7bf4db24beb7e26ed12da
SHA256f744119561758829805460ca48141a2fcf6b8ceccf705feda63cd449c1a99998
SHA5122fd950bc367e1a7c25c59577e914152554662454e11156fa16df3a0de7df35d7e0c0b4e95a94af86e9173688939b5a3bc54ad180a40c593a30ded66dfe40490f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\62yy7f8\imagestore.datFilesize
5KB
MD5def28160e8950956c0045d51c98e96c5
SHA1e6309a28f90e8613aec0b408f90df2242aeb3a60
SHA256832f05c8528f9edba854f7d0ac121406bcc8d43d924dc7f14c3a0a0e8e3d5786
SHA51234caea7a0f97650ea089e50576a326e073c0e762c394afc3dce19674176991c80942b18fa2fe37b83c632261b657241ca32f0c0ca87b88da5e27d0dced741735
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJWXLGAS\PwnBox[1].exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJWXLGAS\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exe.x7ld9fw.partialFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\favicon[1].pngFilesize
958B
MD5346e09471362f2907510a31812129cd2
SHA1323b99430dd424604ae57a19a91f25376e209759
SHA25674cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08
SHA512a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd
-
C:\Users\Admin\AppData\Local\Temp\Cab7F03.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar7EF3.tmpFilesize
161KB
MD573b4b714b42fc9a6aaefd0ae59adb009
SHA1efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA51273af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P5GEYWW5.txtFilesize
607B
MD5552bd3bc0f3745597754abde2db8a86a
SHA1a5c3197da1b47a3e28186c10ae6d1871524a9612
SHA256ea93c9e15decc09bbef50554656becdd6baba0322b112220c8dd68904357c9f6
SHA5122eeb8b8d7cbfbca0fdb82275edc82f5eaa175f4172dc60fe3b224525c8724b61ef5e94425544bdfd78724a3ecff3319722abc78bb95fe9b161c1537a49fe23d9
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\PwnBox.exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
memory/268-55-0x0000000002580000-0x0000000002582000-memory.dmpFilesize
8KB
-
memory/964-709-0x000000001B060000-0x000000001B0E0000-memory.dmpFilesize
512KB
-
memory/964-708-0x0000000000A70000-0x0000000000AAE000-memory.dmpFilesize
248KB
-
memory/964-707-0x00000000006C0000-0x0000000000718000-memory.dmpFilesize
352KB
-
memory/964-711-0x000000001B060000-0x000000001B0E0000-memory.dmpFilesize
512KB
-
memory/964-712-0x000000001B060000-0x000000001B0E0000-memory.dmpFilesize
512KB
-
memory/964-713-0x000000001B060000-0x000000001B0E0000-memory.dmpFilesize
512KB
-
memory/964-706-0x0000000001390000-0x0000000001412000-memory.dmpFilesize
520KB
-
memory/1976-54-0x0000000002A80000-0x0000000002A90000-memory.dmpFilesize
64KB
