9425a0976e1267fc8a3456319104fc3dafe160aefde77f634d9796e77fffa3b6

Analysis

max time kernel
14s
max time network
32s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LION/SilverBulletPro.exe
Size

607KB
MD5

51666fad35ec11f3a5fb9c80498a4d81
SHA1

12dd29c24714f702e0ef407c0c77157182bfe273
SHA256

3f61563d5bf3c78e6fdbef2dc5dd80ffbffb4ad4ee2238f7b89d7b1b3652ae9e
SHA512

ffee8484a75174c0deee479f3bff919583b1344f1709e8f1486613f2703baec951fcc390478f1e2ab6cd61ef4ae12bd7ad7eef0bf82fc1270ff0f30024ebf428
SSDEEP

6144:f8l4uMXTf0Ms7c8zt6PkvxcqxZ653hiJuURfFafi/GSlJqc2KYvnsBOjpqCGzYsy:fUA0MhahIRMJuAfki/U7vsBqpq/S1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4999ABE1-452E-11EE-91F8-F2F391FB7C16} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2996	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2996	iexplore.exe
2996	iexplore.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2996	2248	SilverBulletPro.exe	30
PID 2248 wrote to memory of 2996	2248	SilverBulletPro.exe	30
PID 2248 wrote to memory of 2996	2248	SilverBulletPro.exe	30
PID 2996 wrote to memory of 1548	2996	iexplore.exe	32
PID 2996 wrote to memory of 1548	2996	iexplore.exe	32
PID 2996 wrote to memory of 1548	2996	iexplore.exe	32
PID 2996 wrote to memory of 1548	2996	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\LION\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\LION\SilverBulletPro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.8&gui=true
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
187d57595090bf08cde408b3989221a1

SHA1
6cd78750333192461453a157cde93806470c35e1

SHA256
1ade029a52889c83ea4d193676467f902403d0f3502dbd110a7cb21cb8418b71

SHA512
e64d946f3db9fc4b261600fdc71cb293980429ea0a4b5c459ccfac037c5c9ca61175fc40bd0435bfd0a8f257a4fc8586a0ca6ced3fdded68b5ffae23b92859e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
166523ddb756c004a3d87b5ec99e67b4

SHA1
3a6c654187aa94839364b01310bb48ed504e6f3f

SHA256
bd1449a217034a8412a70676a9670bd3fbeee3fbbfb4710b231540f89ae12f8a

SHA512
a1da3ffe9f835c4aaee17bdb89a3dc05fafdf3b25b629c5b81464c86f0f611af3e2e047a7bc8f2d7b3c33e7c6c5185b2aff01f49579ff1f21c6a10ebdb23e61f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e41e380a804ef1eb989114cfcdab556

SHA1
ee2d04092ba59e38258c2c755b9a86a49f3a4649

SHA256
53f28a7814fe8df23174582aa7bdfcb55a1d4e493117795d7b961912c4e4d190

SHA512
d5ac3a8d8ac03a062a3b966c0162ca80ddea9c75ac24a4cb029c519100b494deb16b54b36ad275b46349e3daff8959f3e886520ca814ff8564694a61ac573d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a1b59dd58da078403a8a25dba238a43

SHA1
bcb7eddb911e34e3e8255dacaaacc43b19e8cfa7

SHA256
d19aee1e358691726f95955c4cc760858e780d993f045f038d424c89639a56a0

SHA512
c2847a256b8063258057839d08291e8d8616168cb253b38f5d8ae09fb538b8999e4a781e8bb0446c68ac08b9ef953f277388bfd4b67fd4fe0d2ab47dba59eacd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
133981663b5d8951133ffd60df85c70d

SHA1
a464b142abbb0922e5a9f5f9a60dd5c4b1e57c56

SHA256
1b473686a0ca5c679bb66266bc10f8d5a8c79564fa0c371c09003ba3537548a8

SHA512
0780fb70ee3b86ab7db013d19bcd5c87daae3f20e441bbc5bd86412c3f40042a0d9c42e9f311fc9067674d89f326c54ccddffb8e27bc7d7b6abfdc42b6232835

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c76aa18ae9a6f49dab76fefc4c9b8f38

SHA1
d4f4d28029f22de6ceb69fe522fd8f1da6ccc8ef

SHA256
40ce8d2fb52d3797144633a5df2f4a0e9a0642436a6ef99260bab5bd96eb14ef

SHA512
114f74944333bf7988c23dfcdcb2b6fbf955970722fe4abbf297086e0384c77a17673f541f38f7d841ec8f64e3c1a195e2a8fba9ebb6789db40fdedd4586f647

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE3CA.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE564.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5C6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit