16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee

Resubmissions

07-10-2024 06:34

241007-hb9qja1djk 10

05-05-2023 20:23

230505-y54pdaeg8y 8

Analysis

max time kernel
142s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Site Hunter Pro By X-Splinter.exe
Size

744KB
MD5

9a450a05657ce80e73171556154adb60
SHA1

9db02ebf6b851397ab6d43d4c79d3785987a56b1
SHA256

16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee
SHA512

c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208
SSDEEP

12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO

Score

8^/10

agilenet evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1112	netsh.exe

Executes dropped EXE 5 IoCs

pid	Process
2044	Setup.exe
1988	Setup.exe
1980	Site Hunter Pro By X-Splinter .exe
908	svchost.exe
808	explorer.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1848-54-0x0000000000E40000-0x0000000000F02000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 1580	808	explorer.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
808	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	explorer.exe
Token: SeDebugPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe
Token: 33	1580	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1580	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2044	1848	Site Hunter Pro By X-Splinter.exe	26
PID 1848 wrote to memory of 2044	1848	Site Hunter Pro By X-Splinter.exe	26
PID 1848 wrote to memory of 2044	1848	Site Hunter Pro By X-Splinter.exe	26
PID 1848 wrote to memory of 1988	1848	Site Hunter Pro By X-Splinter.exe	27
PID 1848 wrote to memory of 1988	1848	Site Hunter Pro By X-Splinter.exe	27
PID 1848 wrote to memory of 1988	1848	Site Hunter Pro By X-Splinter.exe	27
PID 1848 wrote to memory of 1980	1848	Site Hunter Pro By X-Splinter.exe	28
PID 1848 wrote to memory of 1980	1848	Site Hunter Pro By X-Splinter.exe	28
PID 1848 wrote to memory of 1980	1848	Site Hunter Pro By X-Splinter.exe	28
PID 1848 wrote to memory of 1980	1848	Site Hunter Pro By X-Splinter.exe	28
PID 1988 wrote to memory of 908	1988	Setup.exe	30
PID 1988 wrote to memory of 908	1988	Setup.exe	30
PID 1988 wrote to memory of 908	1988	Setup.exe	30
PID 908 wrote to memory of 808	908	svchost.exe	31
PID 908 wrote to memory of 808	908	svchost.exe	31
PID 908 wrote to memory of 808	908	svchost.exe	31
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 808 wrote to memory of 1580	808	explorer.exe	32
PID 1580 wrote to memory of 1112	1580	RegAsm.exe	33
PID 1580 wrote to memory of 1112	1580	RegAsm.exe	33
PID 1580 wrote to memory of 1112	1580	RegAsm.exe	33
PID 1580 wrote to memory of 1112	1580	RegAsm.exe	33

C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe
"C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        #cmd
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1112
- C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
  "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
  2⤵
  - Executes dropped EXE
  PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe

Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe

Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe

Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
304KB

MD5
f42ee7d45e7e664d16ed9ec193489d6f

SHA1
26236ca875a474a41a054baacc34541d719ac60c

SHA256
fcce84799336106770e70395ddb10150360f37bd8afb692d4b7c9231e4565372

SHA512
be4f1d42dd4ae2d013105d5f12e125f4d051402a1a882173644a135c8a9a62b6057994bade9f9d5d380ed33b19edf84edeff98280f6c59e5d9e65a884e2c3ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
304KB

MD5
f42ee7d45e7e664d16ed9ec193489d6f

SHA1
26236ca875a474a41a054baacc34541d719ac60c

SHA256
fcce84799336106770e70395ddb10150360f37bd8afb692d4b7c9231e4565372

SHA512
be4f1d42dd4ae2d013105d5f12e125f4d051402a1a882173644a135c8a9a62b6057994bade9f9d5d380ed33b19edf84edeff98280f6c59e5d9e65a884e2c3ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
304KB

MD5
f42ee7d45e7e664d16ed9ec193489d6f

SHA1
26236ca875a474a41a054baacc34541d719ac60c

SHA256
fcce84799336106770e70395ddb10150360f37bd8afb692d4b7c9231e4565372

SHA512
be4f1d42dd4ae2d013105d5f12e125f4d051402a1a882173644a135c8a9a62b6057994bade9f9d5d380ed33b19edf84edeff98280f6c59e5d9e65a884e2c3ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
memory/808-106-0x0000000000DE0000-0x0000000000E32000-memory.dmp

Filesize
328KB

Download
memory/808-108-0x0000000000C60000-0x0000000000CE0000-memory.dmp

Filesize
512KB

Download
memory/908-99-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/908-89-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/908-90-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/908-91-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/1580-119-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-117-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1580-113-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-120-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/1580-110-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1580-111-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1848-54-0x0000000000E40000-0x0000000000F02000-memory.dmp

Filesize
776KB

Download
memory/1848-55-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/1980-83-0x00000000010F0000-0x0000000001138000-memory.dmp

Filesize
288KB

Download
memory/1980-92-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1988-70-0x00000000010D0000-0x000000000114C000-memory.dmp

Filesize
496KB

Download
memory/1988-75-0x00000000005E0000-0x000000000060C000-memory.dmp

Filesize
176KB

Download
memory/1988-77-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download