Analysis
-
max time kernel
108s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-02-2023 10:14
General
-
Target
https://github.com/BootModulex/PwnBox/blob/main/PwnBox.exe
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/BootModulex/PwnBox/blob/main/PwnBox.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\PwnBox.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\PwnBox.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9afmek3\imagestore.datFilesize
1KB
MD57ab132444d0e320123294e5e1c958c31
SHA1795e542b0d0d2ed7fd86ded4e888131c97bc309e
SHA256228a0a8ae32a45d882bfe4b1873fae39103bedf16122b74f76239bb455ec7cce
SHA512f0e67b14b7e8d544d04e606820c9d971058ddd6f34d4af2c4322c9a413ca24b1916b7fe6c5a67a5b20a9858838755c7125c4c49e58c766f365015c4834527a22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\PwnBox[1].exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\favicon[1].pngFilesize
958B
MD5346e09471362f2907510a31812129cd2
SHA1323b99430dd424604ae57a19a91f25376e209759
SHA25674cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08
SHA512a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\PwnBox.exeFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\PwnBox.exe.455nh0u.partialFilesize
497KB
MD55df0c3d93724c65654890ef86dd5f7f7
SHA141273476acd20a6955131c779bba3207b1d53ca3
SHA2563a70295ff7bdbae5ff42ab3bf25d2a405d166327b3e6c9d42f233669560c4359
SHA5125438fe2ccad941056f8da9457bf620368e1b85b5d327ef5206ea114396bf181b6bd04157a11e8345d710a577e367fa91c8500f9d845d3dcc7b6c96984feb43a9
-
memory/4308-309-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-310-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-311-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-312-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-313-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-314-0x0000023A6A050000-0x0000023A6A060000-memory.dmpFilesize
64KB
-
memory/4308-308-0x0000023A4FA10000-0x0000023A4FA92000-memory.dmpFilesize
520KB
