Overview

overview

8

Static

static

7

Site Hunte...er.exe

windows7-x64

8

Site Hunte...er.exe

windows10-2004-x64

7

Resubmissions

07-10-2024 06:34

241007-hb9qja1djk 10

05-05-2023 20:23

230505-y54pdaeg8y 8

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2023 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Site Hunter Pro By X-Splinter.exe

  • Size

    744KB

  • MD5

    9a450a05657ce80e73171556154adb60

  • SHA1

    9db02ebf6b851397ab6d43d4c79d3785987a56b1

  • SHA256

    16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee

  • SHA512

    c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208

  • SSDEEP

    12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO

Score
7/10
agilenetpersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe
    "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3288
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:848
    • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
      "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
      2⤵
      • Executes dropped EXE
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
    Filesize

    408B

    MD5

    70f08e6585ed9994d97a4c71472fccd8

    SHA1

    3f44494d4747c87fb8b94bb153c3a3d717f9fd63

    SHA256

    87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

    SHA512

    d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    477KB

    MD5

    0e6c9432cba1614fccc232f201028c72

    SHA1

    6082cf9489faa785c066195f108548e705a6d407

    SHA256

    c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

    SHA512

    c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    477KB

    MD5

    0e6c9432cba1614fccc232f201028c72

    SHA1

    6082cf9489faa785c066195f108548e705a6d407

    SHA256

    c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

    SHA512

    c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    477KB

    MD5

    0e6c9432cba1614fccc232f201028c72

    SHA1

    6082cf9489faa785c066195f108548e705a6d407

    SHA256

    c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

    SHA512

    c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    477KB

    MD5

    0e6c9432cba1614fccc232f201028c72

    SHA1

    6082cf9489faa785c066195f108548e705a6d407

    SHA256

    c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

    SHA512

    c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
    Filesize

    250KB

    MD5

    2552f20645b607660b68b578f809491a

    SHA1

    358c95c27218925f2a9b3558995129e06ff65ae5

    SHA256

    f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

    SHA512

    2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
    Filesize

    250KB

    MD5

    2552f20645b607660b68b578f809491a

    SHA1

    358c95c27218925f2a9b3558995129e06ff65ae5

    SHA256

    f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

    SHA512

    2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
    Filesize

    250KB

    MD5

    2552f20645b607660b68b578f809491a

    SHA1

    358c95c27218925f2a9b3558995129e06ff65ae5

    SHA256

    f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

    SHA512

    2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    339KB

    MD5

    301e8d9a2445dd999ce816c17d8dbbb3

    SHA1

    b91163babeb738bd4d0f577ac764cee17fffe564

    SHA256

    2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

    SHA512

    4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    339KB

    MD5

    301e8d9a2445dd999ce816c17d8dbbb3

    SHA1

    b91163babeb738bd4d0f577ac764cee17fffe564

    SHA256

    2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

    SHA512

    4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    339KB

    MD5

    301e8d9a2445dd999ce816c17d8dbbb3

    SHA1

    b91163babeb738bd4d0f577ac764cee17fffe564

    SHA256

    2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

    SHA512

    4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

    Download Submit

  • memory/848-172-0x0000000001930000-0x0000000001940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1016-195-0x0000000005520000-0x0000000005530000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1016-170-0x0000000000AC0000-0x0000000000B08000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1016-193-0x0000000005520000-0x0000000005530000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1016-178-0x00000000056A0000-0x000000000573C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3288-192-0x0000000002B70000-0x0000000002B78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3288-191-0x0000000000840000-0x000000000089A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4352-165-0x0000000001020000-0x000000000104C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4352-151-0x0000000000730000-0x00000000007AC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4352-150-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-135-0x000000001BC20000-0x000000001C0EE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4868-134-0x000000001B600000-0x000000001B6A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/4868-133-0x0000000000500000-0x00000000005C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/4868-137-0x0000000001030000-0x0000000001040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-136-0x000000001C190000-0x000000001C22C000-memory.dmp

    Filesize

    624KB

    Download