Overview
overview
7Static
static
7trojan-lea...64.exe
windows10-1703-x64
7trojan-lea...64.exe
windows7-x64
7trojan-lea...64.exe
windows10-2004-x64
7trojan-lea...net.7z
windows10-1703-x64
3trojan-lea...net.7z
windows7-x64
3trojan-lea...net.7z
windows10-2004-x64
3trojan-lea...e).rar
windows10-1703-x64
3trojan-lea...e).rar
windows7-x64
3trojan-lea...e).rar
windows10-2004-x64
3trojan-lea...rn.exe
windows10-1703-x64
1trojan-lea...rn.exe
windows7-x64
1trojan-lea...rn.exe
windows10-2004-x64
trojan-lea....1.zip
windows10-1703-x64
1trojan-lea....1.zip
windows7-x64
1trojan-lea....1.zip
windows10-2004-x64
1trojan-lea...ME.txt
windows10-1703-x64
1trojan-lea...ME.txt
windows7-x64
1trojan-lea...ME.txt
windows10-2004-x64
1trojan-lea...an.exe
windows10-1703-x64
7trojan-lea...an.exe
windows7-x64
7trojan-lea...an.exe
windows10-2004-x64
7trojan-lea...ME.txt
windows10-1703-x64
1trojan-lea...ME.txt
windows7-x64
1trojan-lea...ME.txt
windows10-2004-x64
trojan-lea...86.exe
windows10-1703-x64
7trojan-lea...86.exe
windows7-x64
7trojan-lea...86.exe
windows10-2004-x64
7trojan-lea...ta.exe
windows10-1703-x64
7trojan-lea...ta.exe
windows7-x64
7trojan-lea...ta.exe
windows10-2004-x64
7Resubmissions
09-05-2023 19:22
230509-x3fn4adg58 1009-05-2023 19:14
230509-xxsrgaff7x 1009-05-2023 19:14
230509-xxr5yadg42 709-05-2023 19:14
230509-xxrt6sff7w 809-05-2023 19:14
230509-xxrjeaff7v 809-05-2023 19:14
230509-xxqxwadg39 709-05-2023 19:14
230509-xxql4sff7t 1009-05-2023 19:14
230509-xxqbcadg38 709-05-2023 19:10
230509-xvl6xadf64 10Analysis
-
max time kernel
169s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2023 19:14
Behavioral task
behavioral1
Sample
trojan-leaks-main/TheEye-x64.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
trojan-leaks-main/TheEye-x64.exe
Resource
win7-20230220-en
Behavioral task
behavioral3
Sample
trojan-leaks-main/TheEye-x64.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral4
Sample
trojan-leaks-main/Win32.SAW-by_DesConnet.7z
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
trojan-leaks-main/Win32.SAW-by_DesConnet.7z
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
trojan-leaks-main/Win32.SAW-by_DesConnet.7z
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
trojan-leaks-main/Win32.Trojan.Amnesia (pass AnCoMalware).rar
Resource
win10-20230220-en
Behavioral task
behavioral8
Sample
trojan-leaks-main/Win32.Trojan.Amnesia (pass AnCoMalware).rar
Resource
win7-20230220-en
Behavioral task
behavioral9
Sample
trojan-leaks-main/Win32.Trojan.Amnesia (pass AnCoMalware).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral10
Sample
trojan-leaks-main/cleansaturn.exe
Resource
win10-20230220-en
Behavioral task
behavioral11
Sample
trojan-leaks-main/cleansaturn.exe
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
trojan-leaks-main/cleansaturn.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral13
Sample
trojan-leaks-main/deckufniw 1.1.zip
Resource
win10-20230220-en
Behavioral task
behavioral14
Sample
trojan-leaks-main/deckufniw 1.1.zip
Resource
win7-20230220-en
Behavioral task
behavioral15
Sample
trojan-leaks-main/deckufniw 1.1.zip
Resource
win10v2004-20230220-en
Behavioral task
behavioral16
Sample
trojan-leaks-main/dobrota/Clean/README.txt
Resource
win10-20230220-en
Behavioral task
behavioral17
Sample
trojan-leaks-main/dobrota/Clean/README.txt
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
trojan-leaks-main/dobrota/Clean/README.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
Resource
win10-20230220-en
Behavioral task
behavioral20
Sample
trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
Resource
win7-20230220-en
Behavioral task
behavioral21
Sample
trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral22
Sample
trojan-leaks-main/dobrota/README.txt
Resource
win10-20230220-en
Behavioral task
behavioral23
Sample
trojan-leaks-main/dobrota/README.txt
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
trojan-leaks-main/dobrota/README.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral25
Sample
trojan-leaks-main/dobrota/VC_redist.x86.exe
Resource
win10-20230220-en
Behavioral task
behavioral26
Sample
trojan-leaks-main/dobrota/VC_redist.x86.exe
Resource
win7-20230220-en
Behavioral task
behavioral27
Sample
trojan-leaks-main/dobrota/VC_redist.x86.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral28
Sample
trojan-leaks-main/dobrota/dobrota.exe
Resource
win10-20230220-en
Behavioral task
behavioral29
Sample
trojan-leaks-main/dobrota/dobrota.exe
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
trojan-leaks-main/dobrota/dobrota.exe
Resource
win10v2004-20230220-en
General
-
Target
trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
-
Size
7.7MB
-
MD5
c8b999419a3c103270290e99189f794c
-
SHA1
90148745b61d2c77c1694e43f11faaa9a3d05a0a
-
SHA256
9093ff3bc7e78cfe84cadc3a993eeb1c15ce497e94efdcf51c1adcafd0aedf18
-
SHA512
6e95c693eef199c511c81052b1b4e9bdbd94bcd2fee2b16660ece026e86e3535c2389fe91049407842c2cad81ab9f0521865edb28708f961d804f32111d4c47c
-
SSDEEP
98304:JJx19RrCwXU7tTao36KJt6Oe2NhqCZao4+Axhy4V7FLEMUH82Z3dFRsFVsKtOepA:9thk7IInbrIh17FFWZnR0VsAHndDNE
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedobrota_clean.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation dobrota_clean.exe -
Executes dropped EXE 6 IoCs
Processes:
erroricons.exeINVERS.execrazywarningicons.execrazyinvers.exeerroriconscursor.exetoonel.exepid process 64 erroricons.exe 1320 INVERS.exe 1272 crazywarningicons.exe 4688 crazyinvers.exe 2876 erroriconscursor.exe 4628 toonel.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WScript.exedescription ioc process File opened (read-only) \??\X: WScript.exe File opened (read-only) \??\Z: WScript.exe File opened (read-only) \??\H: WScript.exe File opened (read-only) \??\K: WScript.exe File opened (read-only) \??\U: WScript.exe File opened (read-only) \??\W: WScript.exe File opened (read-only) \??\I: WScript.exe File opened (read-only) \??\R: WScript.exe File opened (read-only) \??\T: WScript.exe File opened (read-only) \??\M: WScript.exe File opened (read-only) \??\Q: WScript.exe File opened (read-only) \??\E: WScript.exe File opened (read-only) \??\G: WScript.exe File opened (read-only) \??\J: WScript.exe File opened (read-only) \??\L: WScript.exe File opened (read-only) \??\O: WScript.exe File opened (read-only) \??\P: WScript.exe File opened (read-only) \??\S: WScript.exe File opened (read-only) \??\V: WScript.exe File opened (read-only) \??\A: WScript.exe File opened (read-only) \??\B: WScript.exe File opened (read-only) \??\F: WScript.exe File opened (read-only) \??\N: WScript.exe File opened (read-only) \??\Y: WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
cmd.exeWScript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{A6D51A21-D48E-4138-90E6-30941E700981} WScript.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
WScript.exeAUDIODG.EXEdescription pid process Token: SeShutdownPrivilege 1312 WScript.exe Token: SeCreatePagefilePrivilege 1312 WScript.exe Token: 33 2240 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2240 AUDIODG.EXE Token: SeShutdownPrivilege 1312 WScript.exe Token: SeCreatePagefilePrivilege 1312 WScript.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
dobrota_clean.execmd.exedescription pid process target process PID 2932 wrote to memory of 2192 2932 dobrota_clean.exe cmd.exe PID 2932 wrote to memory of 2192 2932 dobrota_clean.exe cmd.exe PID 2932 wrote to memory of 2192 2932 dobrota_clean.exe cmd.exe PID 2192 wrote to memory of 1312 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 1312 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 1312 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 64 2192 cmd.exe erroricons.exe PID 2192 wrote to memory of 64 2192 cmd.exe erroricons.exe PID 2192 wrote to memory of 64 2192 cmd.exe erroricons.exe PID 2192 wrote to memory of 1320 2192 cmd.exe INVERS.exe PID 2192 wrote to memory of 1320 2192 cmd.exe INVERS.exe PID 2192 wrote to memory of 1320 2192 cmd.exe INVERS.exe PID 2192 wrote to memory of 1272 2192 cmd.exe crazywarningicons.exe PID 2192 wrote to memory of 1272 2192 cmd.exe crazywarningicons.exe PID 2192 wrote to memory of 1272 2192 cmd.exe crazywarningicons.exe PID 2192 wrote to memory of 4688 2192 cmd.exe crazyinvers.exe PID 2192 wrote to memory of 4688 2192 cmd.exe crazyinvers.exe PID 2192 wrote to memory of 4688 2192 cmd.exe crazyinvers.exe PID 2192 wrote to memory of 2876 2192 cmd.exe erroriconscursor.exe PID 2192 wrote to memory of 2876 2192 cmd.exe erroriconscursor.exe PID 2192 wrote to memory of 2876 2192 cmd.exe erroriconscursor.exe PID 2192 wrote to memory of 4628 2192 cmd.exe toonel.exe PID 2192 wrote to memory of 4628 2192 cmd.exe toonel.exe PID 2192 wrote to memory of 4628 2192 cmd.exe toonel.exe PID 2192 wrote to memory of 1640 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 1640 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 1640 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 4392 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 4392 2192 cmd.exe WScript.exe PID 2192 wrote to memory of 4392 2192 cmd.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\dobrota\Clean\dobrota_clean.exe"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\dobrota\Clean\dobrota_clean.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start_dobrota.bat" "2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sound.vbs"3⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exeerroricons.exe3⤵
- Executes dropped EXE
PID:64
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\INVERS.exeINVERS.exe3⤵
- Executes dropped EXE
PID:1320
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.execrazywarningicons.exe3⤵
- Executes dropped EXE
PID:1272
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.execrazyinvers.exe3⤵
- Executes dropped EXE
PID:4688
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroriconscursor.exeerroriconscursor.exe3⤵
- Executes dropped EXE
PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\toonel.exetoonel.exe3⤵
- Executes dropped EXE
PID:4628
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages2.vbs"3⤵PID:1640
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\messages.vbs"3⤵PID:4392
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f0 0x4b41⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5b17223e59994f60c5833030795f2bcac
SHA166f5f5caf68849cfe574cbef7f8278dacdafdd5f
SHA25649fdaa4ee215c3a142144184d0e82964efb4c11c7d8ce726c5806bfca13888ca
SHA512c7aea16c9327e9c19860c4a1487a94cb7edc8953d57aef9617a6d9accd645eb3fecf5e81f0eca6348f9dea86077d55d00546fc270bcd5d5cb9d8c864d9bf0003
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
2.3MB
MD55134f289dbf4abae370e3f36b637b73e
SHA1c78d3f2d00dc47da0112a74df665c7a84a8e32c3
SHA256e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2
SHA5120bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5
-
Filesize
2.3MB
MD5a44458813e819777013eb3e644d74362
SHA12dd0616ca78e22464cf0cf68ef7915358a16f9ee
SHA25647f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
SHA5121a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215
-
Filesize
1.2MB
MD5e21bb4749a8b1b6fc26a7bcf57781836
SHA189cb0bd80d691ca650ad01551be3acefa2256ebd
SHA2560ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
SHA512b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b
-
Filesize
6.6MB
MD5fad2e8c2a096f4593a03a771bbe99458
SHA188af47f279b9ea008901a6a242466f40f44e8a5c
SHA256a40dd9aedae52766593bce06a9a68d47fcf8d430f254ce5e50b0c55587d46213
SHA5127b607d2927bfb5d2ae3da7ad40fc842f6c1cd12cbc8814a043950d65f50d8084aaa8a544fe51312e68bde9434b138c5c8df50568650658ed0600f447a4a32441
-
Filesize
316KB
MD57f31508d95be3fe50e4e9aa646e86a12
SHA1c61b439d6e17d630728f48c09b36af2647940748
SHA256994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
SHA5122e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda
-
Filesize
316KB
MD5135eeb256e92d261066cfd3ffd31fb3e
SHA15c275ffd2ab1359249bae8c91bebcab19a185e91
SHA256f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d
SHA512a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b
-
Filesize
37B
MD535fbf9bf29760b9e120b37900b3c1343
SHA18a231c37ee13e72f27a38411668fde6fef3ff5bc
SHA256e1cdab59df6508013e8b91c71043c8ecfe81b94a037706147ed19adf992539e6
SHA512d1c12b6690c6b90dda5ad3e226e30adc848b3c324f929dec373ab6c7606fbcab716c49c4446efadf14036583924f8f094491bfe8bef380fd877c00cf9feaacc6
-
Filesize
37B
MD563954d8930e517637c254f9da0749e7a
SHA127f6a13c0e9530166d62b4586c3d2bda5cb5064c
SHA256bffa14678b8c39c2fbfa54b76fbac5f750aebc8dc2954da10a55b7f1f90f351c
SHA512dd5df6b8a64523fedb5aaced7d864013d12e6930015d8fd2267b11cffe76741c3a7907814a832ff7589476a51d16e8ab0fc566f4ac0784f6a599070080c7008d
-
Filesize
216B
MD5c36c15e1f99e1c0d093b9b089b1073c5
SHA147a237639f83d8de0c2034831ff3e12a3bad7408
SHA2563d6123cae8ac645d9c9d33b0dada869a7fdd5117a2bf0f9080e4e30fe5bed736
SHA5124283b45c6483e2ed6e9741f5937bb7851e101fb4710bd687a73a77b5abcb820d2480deaee50c8e87a7f225cee2430836da75d201838e9d989e91f3c0c0c60d1f
-
Filesize
205B
MD547fef7e366f39175f9467a5a33675b40
SHA14a55fdc489cb4b67517e04fe1eadc63dfff7b232
SHA2567670d34d64f41ae60bffdd902e4d566b7fdd0c7782738782d5a8dbe59cce2001
SHA512ea5ee454f8fa4ce2e7519c3b8772a8083586d4c4eefa981410c17d67d0ae8e8e716f8693d331a040d5fd29cb007988af2472a0b36840805098be492f863a4e28
-
Filesize
317KB
MD5a84257e64cfbd9f6c0a574af416bc0d1
SHA1245649583806d63abb1b2dc1947feccc8ce4a4bc
SHA256fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7
SHA5126fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2