Analysis
Max time kernel: 139s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-03-2023 17:57
Static task: static1
Behavioral task: behavioral1
  Sample: adolf hitler.exe
  Resource: win10v2004-20230220-en
Behavioral task: behavioral2
  Sample: adolf hitler.exe
  Resource: macos-20220504-en
General
Target: adolf hitler.exe
Size: 81KB
MD5: 62daa7edf22d47fe771da3087fc59219
SHA1: bb0569f5cc93ba4fbff98aad87dbb9ec48417678
SHA256: 16680a2e8b11094a0c681edb9ba9bda7bbfdfb1216c4e4a3e9666798c134fd6e
SHA512: 6a5b231cb91ec3e6ffd2ab8eec7541fa9033b778e4fbb76eee710b0b7e7b8b17e61cf745ec8003242c3cfb498cdfc16b4b0f43d756e91c52ff6b701a007ef740
SSDEEP: 1536:gAlrJ/53OdSF43hs4B6GVd84yc0ctJronDhyU2VMYslIa1Z/YMIMxMm:gA5J48qdB6ex90cL7U25eYy7
Malware Config
Extracted: xworm
  considered-arrest.at.ply.gg:19159
  install_file: USB.exe
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: adolf hitler.exe, Samp Hack Injector Bypass 2023.exe
  description       | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | adolf hitler.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | Samp Hack Injector Bypass 2023.exe

Drops startup file (2 IoCs)
Processes: Samp Hack Injector Bypass 2023.exe
  description                  | ioc | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samp Hack Injector Bypass 2023.lnk | Samp Hack Injector Bypass 2023.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samp Hack Injector Bypass 2023.lnk | Samp Hack Injector Bypass 2023.exe

Executes dropped EXE (4 IoCs)
Processes: Samp Hack Injector Bypass 2023.exe (4 instances)
  pid  | process
  4260 | Samp Hack Injector Bypass 2023.exe
  4604 | Samp Hack Injector Bypass 2023.exe
  4668 | Samp Hack Injector Bypass 2023.exe
  3056 | Samp Hack Injector Bypass 2023.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Samp Hack Injector Bypass 2023.exe
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Samp Hack Injector Bypass 2023 = "C:\\Users\\Admin\\AppData\\Roaming\\Samp Hack Injector Bypass 2023.exe" | Samp Hack Injector Bypass 2023.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  24   | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
Processes: adolf hitler.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | adolf hitler.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
  pid  | process
  1104 | NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: Samp Hack Injector Bypass 2023.exe
  pid  | process
  4260 | Samp Hack Injector Bypass 2023.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: Samp Hack Injector Bypass 2023.exe (4 instances)
  description             | pid  | process
  Token: SeDebugPrivilege | 4260 | Samp Hack Injector Bypass 2023.exe
  Token: SeDebugPrivilege | 4260 | Samp Hack Injector Bypass 2023.exe
  Token: SeDebugPrivilege | 4604 | Samp Hack Injector Bypass 2023.exe
  Token: SeDebugPrivilege | 4668 | Samp Hack Injector Bypass 2023.exe
  Token: SeDebugPrivilege | 3056 | Samp Hack Injector Bypass 2023.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Samp Hack Injector Bypass 2023.exe
  pid  | process
  4260 | Samp Hack Injector Bypass 2023.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: adolf hitler.exe, Samp Hack Injector Bypass 2023.exe
  description                      | pid  | process                            | target process
  PID 2352 wrote to memory of 4260 | 2352 | adolf hitler.exe                   | Samp Hack Injector Bypass 2023.exe
  PID 2352 wrote to memory of 4260 | 2352 | adolf hitler.exe                   | Samp Hack Injector Bypass 2023.exe
  PID 2352 wrote to memory of 1104 | 2352 | adolf hitler.exe                   | NOTEPAD.EXE
  PID 2352 wrote to memory of 1104 | 2352 | adolf hitler.exe                   | NOTEPAD.EXE
  PID 4260 wrote to memory of 4240 | 4260 | Samp Hack Injector Bypass 2023.exe | schtasks.exe
  PID 4260 wrote to memory of 4240 | 4260 | Samp Hack Injector Bypass 2023.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\adolf hitler.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\adolf hitler.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Samp Hack Injector Bypass 2023" /tr "C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe"
            - Creates scheduled task(s)

    [depth 2] C:\Windows\system32\NOTEPAD.EXE
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\asasa.txt
        - Opens file in notepad (likely ransom note)

[depth 1] C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Samp Hack Injector Bypass 2023.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Roaming\Samp Hack Injector Bypass 2023.exe
  Filesize: 67KB
  MD5: 404dee8c8fe0b8c25ac39f60960dcbf0
  SHA1: 078b5427a3c29a2f410f0e09f667389ad630ed60
  SHA256: 90d2777179534bb5746559397a767aeee141f30a57b53c5d9c2122278b4bc4b7
  SHA512: 9d7c6c2cceff330acea030002c4c7fde0a9ebe4f6a94a035e6fd6f08d7f5fea407680e5acd5baef687a19f40e116c47e8615dd4f728bdac7636529665e83956e

memory/2352-133-0x0000000000600000-0x000000000061A000-memory.dmp
  Filesize: 104KB

memory/4260-145-0x0000000000260000-0x0000000000278000-memory.dmp
  Filesize: 96KB

memory/4260-147-0x000000001BC20000-0x000000001BC30000-memory.dmp
  Filesize: 64KB

memory/4260-150-0x000000001BC20000-0x000000001BC30000-memory.dmp
  Filesize: 64KB