16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee

Analysis

max time kernel
125s
max time network
203s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Site Hunter Pro By X-Splinter.exe
Size

744KB
MD5

9a450a05657ce80e73171556154adb60
SHA1

9db02ebf6b851397ab6d43d4c79d3785987a56b1
SHA256

16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee
SHA512

c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208
SSDEEP

12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO

Score

7^/10

agilenet persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Setup.exeSetup.exeSite Hunter Pro By X-Splinter .exesvchost.exe

pid process

1744 Setup.exe
1212 Setup.exe
1760 Site Hunter Pro By X-Splinter .exe
2020 svchost.exe

pid	process
1744	Setup.exe
1212	Setup.exe
1760	Site Hunter Pro By X-Splinter .exe
2020	svchost.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1096-54-0x0000000000060000-0x0000000000122000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Site Hunter Pro By X-Splinter.exeSetup.exe

description	pid	process	target process
PID 1096 wrote to memory of 1744	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1744	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1744	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1212	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1212	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1212	1096	Site Hunter Pro By X-Splinter.exe	Setup.exe
PID 1096 wrote to memory of 1760	1096	Site Hunter Pro By X-Splinter.exe	Site Hunter Pro By X-Splinter .exe
PID 1096 wrote to memory of 1760	1096	Site Hunter Pro By X-Splinter.exe	Site Hunter Pro By X-Splinter .exe
PID 1096 wrote to memory of 1760	1096	Site Hunter Pro By X-Splinter.exe	Site Hunter Pro By X-Splinter .exe
PID 1096 wrote to memory of 1760	1096	Site Hunter Pro By X-Splinter.exe	Site Hunter Pro By X-Splinter .exe
PID 1744 wrote to memory of 2020	1744	Setup.exe	svchost.exe
PID 1744 wrote to memory of 2020	1744	Setup.exe	svchost.exe
PID 1744 wrote to memory of 2020	1744	Setup.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe
"C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
3⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
PID:1212

C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
"C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
2⤵
- Executes dropped EXE
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
memory/1096-54-0x0000000000060000-0x0000000000122000-memory.dmp

Filesize
776KB

Download
memory/1096-55-0x00000000020C0000-0x0000000002140000-memory.dmp

Filesize
512KB

Download
memory/1212-66-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/1744-63-0x0000000000920000-0x000000000099C000-memory.dmp

Filesize
496KB

Download
memory/1744-67-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/1744-64-0x0000000001F70000-0x0000000001FF0000-memory.dmp

Filesize
512KB

Download
memory/1760-76-0x0000000000BB0000-0x0000000000BF8000-memory.dmp

Filesize
288KB

Download
memory/1760-83-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/2020-88-0x0000000001020000-0x000000000107A000-memory.dmp

Filesize
360KB

Download
memory/2020-89-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2020-90-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2020-91-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download