Analysis
-
max time kernel
31s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
23-06-2023 22:56
General
-
Target
BruteForcers PACK/BruteForcers PACK/PORNHUB BRUTER CHECKER 2022/PORNHUB BRUTER.exe
-
Size
179KB
-
MD5
4ba3cee14df6c818fb2f92a628426870
-
SHA1
0ba7d121915d5b99dc56ad2d0c780fd300a1f53b
-
SHA256
e1b8f55a342cdced0434b71883fa6509ea061132a9fdfe96ca14b68da8d17173
-
SHA512
832f2b4b95954509ead01746d5fcb0a80b94100f786db2ab97f0e9ac9a91ad343502002bf672421538ba6bc35d05b11bca504185af9f17e99c794c089b5dd95c
-
SSDEEP
768:6ec4lj/4ePn4wrgszN0cgqlqbjOrJIUKh4SL8tM3J:y4lceP37Z0vuI7j
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\PORNHUB BRUTER.exe"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\PORNHUB BRUTER.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\DATA\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\DATA\Launcher.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\DATA\xpti.exe"C:\Users\Admin\AppData\Local\Temp\BruteForcers PACK\BruteForcers PACK\PORNHUB BRUTER CHECKER 2022\DATA\xpti.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jucijs5j.420.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\IMF\Runtime Explorer.exeFilesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
C:\Windows\IMF\Runtime Explorer.exeFilesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
C:\Windows\IMF\Runtime Explorer.exeFilesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
C:\Windows\IMF\Secure System Shell.exeFilesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
C:\Windows\IMF\Secure System Shell.exeFilesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
C:\Windows\IMF\Secure System Shell.exeFilesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
C:\Windows\IMF\Windows Services.exeFilesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
C:\Windows\IMF\Windows Services.exeFilesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
C:\Windows\IMF\Windows Services.exeFilesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
memory/804-213-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/804-202-0x00000000067E0000-0x00000000067FE000-memory.dmpFilesize
120KB
-
memory/804-232-0x0000000007E00000-0x0000000007E08000-memory.dmpFilesize
32KB
-
memory/804-147-0x0000000002F10000-0x0000000002F46000-memory.dmpFilesize
216KB
-
memory/804-148-0x0000000005A60000-0x0000000006088000-memory.dmpFilesize
6.2MB
-
memory/804-231-0x0000000007E20000-0x0000000007E3A000-memory.dmpFilesize
104KB
-
memory/804-230-0x0000000007D10000-0x0000000007D1E000-memory.dmpFilesize
56KB
-
memory/804-151-0x0000000002EE0000-0x0000000002EF0000-memory.dmpFilesize
64KB
-
memory/804-152-0x0000000005710000-0x0000000005732000-memory.dmpFilesize
136KB
-
memory/804-155-0x00000000058B0000-0x0000000005916000-memory.dmpFilesize
408KB
-
memory/804-156-0x0000000006090000-0x00000000060F6000-memory.dmpFilesize
408KB
-
memory/804-229-0x0000000007D60000-0x0000000007DF6000-memory.dmpFilesize
600KB
-
memory/804-228-0x0000000007B50000-0x0000000007B5A000-memory.dmpFilesize
40KB
-
memory/804-227-0x0000000007AE0000-0x0000000007AFA000-memory.dmpFilesize
104KB
-
memory/804-226-0x0000000008130000-0x00000000087AA000-memory.dmpFilesize
6.5MB
-
memory/804-225-0x000000007F960000-0x000000007F970000-memory.dmpFilesize
64KB
-
memory/804-224-0x0000000002EE0000-0x0000000002EF0000-memory.dmpFilesize
64KB
-
memory/804-223-0x0000000006D40000-0x0000000006D5E000-memory.dmpFilesize
120KB
-
memory/804-212-0x00000000077B0000-0x00000000077E2000-memory.dmpFilesize
200KB
-
memory/1504-203-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/1504-201-0x0000000000380000-0x0000000000392000-memory.dmpFilesize
72KB
-
memory/1504-236-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/3800-211-0x0000000005930000-0x0000000005940000-memory.dmpFilesize
64KB
-
memory/3800-237-0x0000000005930000-0x0000000005940000-memory.dmpFilesize
64KB
-
memory/3800-208-0x0000000000F80000-0x0000000000F92000-memory.dmpFilesize
72KB
-
memory/4072-146-0x0000000002470000-0x000000000248C000-memory.dmpFilesize
112KB
-
memory/4072-235-0x000000001B3E0000-0x000000001B3F0000-memory.dmpFilesize
64KB
-
memory/4072-144-0x0000000002440000-0x000000000244A000-memory.dmpFilesize
40KB
-
memory/4072-150-0x000000001B3E0000-0x000000001B3F0000-memory.dmpFilesize
64KB
-
memory/4072-142-0x0000000000530000-0x000000000053A000-memory.dmpFilesize
40KB
-
memory/4420-145-0x0000000004C10000-0x0000000004C20000-memory.dmpFilesize
64KB
-
memory/4420-149-0x0000000004C10000-0x0000000004C20000-memory.dmpFilesize
64KB
-
memory/4420-186-0x0000000005D30000-0x0000000005D4E000-memory.dmpFilesize
120KB
-
memory/4420-185-0x0000000005D50000-0x0000000005DC6000-memory.dmpFilesize
472KB
-
memory/4420-140-0x0000000000290000-0x00000000002A4000-memory.dmpFilesize
80KB
-
memory/4420-143-0x0000000006170000-0x00000000061EE000-memory.dmpFilesize
504KB
-
memory/4956-134-0x0000000005220000-0x00000000052BC000-memory.dmpFilesize
624KB
-
memory/4956-139-0x0000000005520000-0x0000000005530000-memory.dmpFilesize
64KB
-
memory/4956-133-0x0000000000890000-0x00000000008C2000-memory.dmpFilesize
200KB
-
memory/4956-138-0x0000000005530000-0x0000000005586000-memory.dmpFilesize
344KB
-
memory/4956-135-0x0000000005880000-0x0000000005E24000-memory.dmpFilesize
5.6MB
-
memory/4956-136-0x0000000005370000-0x0000000005402000-memory.dmpFilesize
584KB
-
memory/4956-137-0x0000000005300000-0x000000000530A000-memory.dmpFilesize
40KB