Analysis
- max time kernel: 145s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2023 01:49
Behavioral task: behavioral1
- Sample: 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe
- Resource: win10v2004-20230220-en
General
- Target: 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe
- Size: 744KB
- MD5: 9a450a05657ce80e73171556154adb60
- SHA1: 9db02ebf6b851397ab6d43d4c79d3785987a56b1
- SHA256: 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee
- SHA512: c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208
- SSDEEP: 12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Executes dropped EXE (5 IoCs)
  Processes (pid | process):
    1188 | Setup.exe
    560 | Setup.exe
    860 | Site Hunter Pro By X-Splinter .exe
    1316 | svchost.exe
    676 | explorer.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource | yara_rule):
    behavioral1/memory/1288-54-0x0000000001090000-0x0000000001152000-memory.dmp | agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | Setup.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | explorer.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 676 set thread context of 1008 | 676 | explorer.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
    676 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 676 | explorer.exe
    Token: SeDebugPrivilege | 1008 | RegAsm.exe
    Token: 33 | 1008 | RegAsm.exe (5 times, alternating with the row below)
    Token: SeIncBasePriorityPrivilege | 1008 | RegAsm.exe (5 times)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (description | pid | process | target process); identical rows are collapsed with a count:
    PID 1288 wrote to memory of 1188 | 1288 | 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe | Setup.exe (3 times)
    PID 1288 wrote to memory of 560 | 1288 | 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe | Setup.exe (3 times)
    PID 1288 wrote to memory of 860 | 1288 | 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe | Site Hunter Pro By X-Splinter .exe (4 times)
    PID 560 wrote to memory of 1316 | 560 | Setup.exe | svchost.exe (3 times)
    PID 1316 wrote to memory of 676 | 1316 | svchost.exe | explorer.exe (3 times)
    PID 676 wrote to memory of 1008 | 676 | explorer.exe | RegAsm.exe (12 times)
    PID 1008 wrote to memory of 2036 | 1008 | RegAsm.exe | netsh.exe (4 times)
Processes (process tree; the bracketed number is the depth in the tree, indentation shows parent/child)
- [1] C:\Users\Admin\AppData\Local\Temp\16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    Signatures: Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          Command line: #cmd
          Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
            Signatures: Modifies Windows Firewall
  - [2] C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Filesize: 477KB
  MD5: 0e6c9432cba1614fccc232f201028c72
  SHA1: 6082cf9489faa785c066195f108548e705a6d407
  SHA256: c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8
  SHA512: c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb
- C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
  Filesize: 250KB
  MD5: 2552f20645b607660b68b578f809491a
  SHA1: 358c95c27218925f2a9b3558995129e06ff65ae5
  SHA256: f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3
  SHA512: 2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 304KB
  MD5: f42ee7d45e7e664d16ed9ec193489d6f
  SHA1: 26236ca875a474a41a054baacc34541d719ac60c
  SHA256: fcce84799336106770e70395ddb10150360f37bd8afb692d4b7c9231e4565372
  SHA512: be4f1d42dd4ae2d013105d5f12e125f4d051402a1a882173644a135c8a9a62b6057994bade9f9d5d380ed33b19edf84edeff98280f6c59e5d9e65a884e2c3ab2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  Filesize: 339KB
  MD5: 301e8d9a2445dd999ce816c17d8dbbb3
  SHA1: b91163babeb738bd4d0f577ac764cee17fffe564
  SHA256: 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb
  SHA512: 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3
- memory/560-72-0x0000000000180000-0x00000000001AC000-memory.dmp (Filesize: 176KB)
- memory/560-76-0x0000000002070000-0x00000000020F0000-memory.dmp (Filesize: 512KB)
- memory/676-105-0x00000000009C0000-0x0000000000A40000-memory.dmp (Filesize: 512KB)
- memory/676-104-0x0000000000D00000-0x0000000000D52000-memory.dmp (Filesize: 328KB)
- memory/860-88-0x0000000004B30000-0x0000000004B70000-memory.dmp (Filesize: 256KB)
- memory/860-90-0x0000000004B30000-0x0000000004B70000-memory.dmp (Filesize: 256KB)
- memory/860-73-0x0000000000980000-0x00000000009C8000-memory.dmp (Filesize: 288KB)
- memory/1008-118-0x0000000000970000-0x00000000009B0000-memory.dmp (Filesize: 256KB)
- memory/1008-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/1008-117-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-115-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-119-0x0000000000970000-0x00000000009B0000-memory.dmp (Filesize: 256KB)
- memory/1008-113-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-108-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-109-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-110-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1008-111-0x0000000000400000-0x000000000041A000-memory.dmp (Filesize: 104KB)
- memory/1188-63-0x0000000000270000-0x00000000002EC000-memory.dmp (Filesize: 496KB)
- memory/1288-56-0x0000000000440000-0x00000000004C0000-memory.dmp (Filesize: 512KB)
- memory/1288-54-0x0000000001090000-0x0000000001152000-memory.dmp (Filesize: 776KB)
- memory/1316-86-0x0000000000F50000-0x0000000000FAA000-memory.dmp (Filesize: 360KB)
- memory/1316-87-0x0000000000380000-0x0000000000388000-memory.dmp (Filesize: 32KB)
- memory/1316-91-0x0000000000AD0000-0x0000000000B50000-memory.dmp (Filesize: 512KB)
- memory/1316-89-0x0000000000AD0000-0x0000000000B50000-memory.dmp (Filesize: 512KB)