eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
207s
max time network
641s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
Size

7.7MB
MD5

c8b999419a3c103270290e99189f794c
SHA1

90148745b61d2c77c1694e43f11faaa9a3d05a0a
SHA256

9093ff3bc7e78cfe84cadc3a993eeb1c15ce497e94efdcf51c1adcafd0aedf18
SHA512

6e95c693eef199c511c81052b1b4e9bdbd94bcd2fee2b16660ece026e86e3535c2389fe91049407842c2cad81ab9f0521865edb28708f961d804f32111d4c47c
SSDEEP

98304:JJx19RrCwXU7tTao36KJt6Oe2NhqCZao4+Axhy4V7FLEMUH82Z3dFRsFVsKtOepA:9thk7IInbrIh17FFWZnR0VsAHndDNE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

INVERS.execrazyinvers.exetoonel.exeerroricons.execrazywarningicons.exeerroriconscursor.exe

pid process

188 INVERS.exe
1204 crazyinvers.exe
268 toonel.exe
1608 erroricons.exe
1368 crazywarningicons.exe
568 erroriconscursor.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exe

pid process

1004 cmd.exe
1004 cmd.exe
1004 cmd.exe
1004 cmd.exe
1004 cmd.exe
1004 cmd.exe

pid	process
188	INVERS.exe
1204	crazyinvers.exe
268	toonel.exe
1608	erroricons.exe
1368	crazywarningicons.exe
568	erroriconscursor.exe

pid	process
1004	cmd.exe
1004	cmd.exe
1004	cmd.exe
1004	cmd.exe
1004	cmd.exe
1004	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\F:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEWScript.exe

description	pid	process
Token: 33	1516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1516	AUDIODG.EXE
Token: 33	1516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1516	AUDIODG.EXE
Token: 33	1528	WScript.exe
Token: SeIncBasePriorityPrivilege	1528	WScript.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

dobrota_clean.execmd.exe

description	pid	process	target process
PID 1476 wrote to memory of 1004	1476	dobrota_clean.exe	cmd.exe
PID 1476 wrote to memory of 1004	1476	dobrota_clean.exe	cmd.exe
PID 1476 wrote to memory of 1004	1476	dobrota_clean.exe	cmd.exe
PID 1476 wrote to memory of 1004	1476	dobrota_clean.exe	cmd.exe
PID 1004 wrote to memory of 1528	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1528	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1528	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1528	1004	cmd.exe	WScript.exe
PID 1004 wrote to memory of 1608	1004	cmd.exe	erroricons.exe
PID 1004 wrote to memory of 1608	1004	cmd.exe	erroricons.exe
PID 1004 wrote to memory of 1608	1004	cmd.exe	erroricons.exe
PID 1004 wrote to memory of 1608	1004	cmd.exe	erroricons.exe
PID 1004 wrote to memory of 188	1004	cmd.exe	INVERS.exe
PID 1004 wrote to memory of 188	1004	cmd.exe	INVERS.exe
PID 1004 wrote to memory of 188	1004	cmd.exe	INVERS.exe
PID 1004 wrote to memory of 188	1004	cmd.exe	INVERS.exe
PID 1004 wrote to memory of 1368	1004	cmd.exe	crazywarningicons.exe
PID 1004 wrote to memory of 1368	1004	cmd.exe	crazywarningicons.exe
PID 1004 wrote to memory of 1368	1004	cmd.exe	crazywarningicons.exe
PID 1004 wrote to memory of 1368	1004	cmd.exe	crazywarningicons.exe
PID 1004 wrote to memory of 1204	1004	cmd.exe	crazyinvers.exe
PID 1004 wrote to memory of 1204	1004	cmd.exe	crazyinvers.exe
PID 1004 wrote to memory of 1204	1004	cmd.exe	crazyinvers.exe
PID 1004 wrote to memory of 1204	1004	cmd.exe	crazyinvers.exe
PID 1004 wrote to memory of 568	1004	cmd.exe	erroriconscursor.exe
PID 1004 wrote to memory of 568	1004	cmd.exe	erroriconscursor.exe
PID 1004 wrote to memory of 568	1004	cmd.exe	erroriconscursor.exe
PID 1004 wrote to memory of 568	1004	cmd.exe	erroriconscursor.exe
PID 1004 wrote to memory of 268	1004	cmd.exe	toonel.exe
PID 1004 wrote to memory of 268	1004	cmd.exe	toonel.exe
PID 1004 wrote to memory of 268	1004	cmd.exe	toonel.exe
PID 1004 wrote to memory of 268	1004	cmd.exe	toonel.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\dobrota\Clean\dobrota_clean.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\dobrota\Clean\dobrota_clean.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
crazyinvers.exe
3⤵
- Executes dropped EXE
PID:1204

C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
toonel.exe
3⤵
- Executes dropped EXE
PID:268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
erroriconscursor.exe
3⤵
- Executes dropped EXE
PID:568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
crazywarningicons.exe
3⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
INVERS.exe
3⤵
- Executes dropped EXE
PID:188

C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
erroricons.exe
3⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
Filesize
1.2MB

MD5
e21bb4749a8b1b6fc26a7bcf57781836

SHA1
89cb0bd80d691ca650ad01551be3acefa2256ebd

SHA256
0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

SHA512
b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
Filesize
1.2MB

MD5
e21bb4749a8b1b6fc26a7bcf57781836

SHA1
89cb0bd80d691ca650ad01551be3acefa2256ebd

SHA256
0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

SHA512
b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dobrota.mp3
Filesize
6.6MB

MD5
fad2e8c2a096f4593a03a771bbe99458

SHA1
88af47f279b9ea008901a6a242466f40f44e8a5c

SHA256
a40dd9aedae52766593bce06a9a68d47fcf8d430f254ce5e50b0c55587d46213

SHA512
7b607d2927bfb5d2ae3da7ad40fc842f6c1cd12cbc8814a043950d65f50d8084aaa8a544fe51312e68bde9434b138c5c8df50568650658ed0600f447a4a32441

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs
Filesize
216B

MD5
c36c15e1f99e1c0d093b9b089b1073c5

SHA1
47a237639f83d8de0c2034831ff3e12a3bad7408

SHA256
3d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736

SHA512
4283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat
Filesize
205B

MD5
47fef7e366f39175f9467a5a33675b40

SHA1
4a55fdc489cb4b67517e04fe1eadc63dfff7b232

SHA256
7670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001

SHA512
ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat
Filesize
205B

MD5
47fef7e366f39175f9467a5a33675b40

SHA1
4a55fdc489cb4b67517e04fe1eadc63dfff7b232

SHA256
7670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001

SHA512
ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
Filesize
1.2MB

MD5
e21bb4749a8b1b6fc26a7bcf57781836

SHA1
89cb0bd80d691ca650ad01551be3acefa2256ebd

SHA256
0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

SHA512
b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exe
Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exe
Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
memory/188-146-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/268-150-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/568-149-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1204-148-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1368-147-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/1608-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads