Overview

overview

8

Static

static

3

66e876c02a...bf.exe

windows7-x64

8

66e876c02a...bf.exe

windows10-2004-x64

8

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PROGRAMFI...it.dll

windows7-x64

1

$PROGRAMFI...it.dll

windows10-2004-x64

1

$PROGRAMFI...ge.dll

windows7-x64

1

$PROGRAMFI...ge.dll

windows10-2004-x64

1

$PROGRAMFI...er.dll

windows7-x64

1

$PROGRAMFI...er.dll

windows10-2004-x64

1

qoit.exe

windows7-x64

7

qoit.exe

windows10-2004-x64

7

retook.exe

windows7-x64

8

retook.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    retook.exe

  • Size

    922KB

  • MD5

    c81501a4fd4475596ea7af32f4912f72

  • SHA1

    e3a9bd5bc49515f574fc8b66ef2990354aba033b

  • SHA256

    f132a441aa9375dfef0765646f60934d2b95feeb929246272df2beba61787008

  • SHA512

    aaad0a4f28e6a19ff0a201f86f889ad1462304288ff0b0fda29a54c0b28f2a67e1ae733118cff51d39a68cbf3513938918cdd80c4f88e8bc0ae6da1fe9c9b5c9

  • SSDEEP

    24576:Oyoavmlfr+8S6B/fIzgEqVGnwCE8xQuRdIFdtaL2Pv:doi0c6ZfIcEqgn/TxXdS

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\retook.exe
    "C:\Users\Admin\AppData\Local\Temp\retook.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\dllhost.exe
      dllhost.exe
      2⤵
        PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Molta.wbk
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^yNmEqrPOypxBlVnuFemmfzGnSPBDoxoqgOjuQxEteLTSbEtnlUplDSaMuqLlBkGLqxjvJsflnxbEmOwhKrzgkYbccmZQIzCQyoReaIOSFYMocOhaZnAnSameXQqpsn$" Bel.wbk
            4⤵
              PID:1724
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
              All.exe.com g
              4⤵
              • Executes dropped EXE
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:908
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com g
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Checks processor information in registry
                • Modifies registry class
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:4544
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddneorceodib.vbs"
                  6⤵
                  • Blocklisted process makes network request
                  PID:1772
            • C:\Windows\SysWOW64\PING.EXE
              ping FMAEQIOU
              4⤵
              • Runs ping.exe
              PID:2412

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\A5D6.tmp
        Filesize

        313B

        MD5

        bee55e52500f967c3d9402e05dd57f65

        SHA1

        d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

        SHA256

        b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

        SHA512

        b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
        Filesize

        765KB

        MD5

        25b093bea5e85fcbf3ca2a384774e25e

        SHA1

        6ac9899764d9fefc42b36720bb2a5681113fd83d

        SHA256

        770f33cfb81ff3960c5e3a959ce5c960330a8aed3e019ed47a28b35612916ab9

        SHA512

        c77c78255d69f77a45ed02d0ada9267e39fc0f380427c7f92f28120c797e2c002b0199640c999e063c53d135e3179e69b9b6d1818af52537ff9888dd0b1559f1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
        Filesize

        518KB

        MD5

        011ecec6789b2157510397d05112f64b

        SHA1

        eb1ca04b901390b50928d005d107fa85bf4eb219

        SHA256

        c6994d8fd2d929081f7b5425583a47f566916a22afc26923d877e39013db8a22

        SHA512

        736c1dd02a03eda087854b3f2817654ee41b15a238dbe306d621e4442bf06cf5afeb800e05ce50188959e45146c57f5c1f8a33deddd05e3d54d4dfac18770254

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
        Filesize

        604KB

        MD5

        12f8350af80b327e5c2771a4105a923e

        SHA1

        c507a452b3d345bca6180a65f3607efb37e933b1

        SHA256

        5f6ba5256ac16f3655f463eacc531b7e568bd4df50f5062f0dd6812ba95c5979

        SHA512

        b4ecff0cbf097511a245d234169862c7c611bdc736e5ea5b35cb801b2d2c47f28b562393b64ad9b313c9a642f34ec68db02a0e0edf1c27604da4c71c9a16bed6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.wbk
        Filesize

        652KB

        MD5

        b90c507273d36e8edaf5ffa8c4d926f8

        SHA1

        026d0c351d78a89beec0fbf924d3aa2db1243809

        SHA256

        c8399dcd16cb51b591eefae657cc071af28647f91e3a8b2d56b0023b1f1bd5de

        SHA512

        3a41d36628020f2865c2ec1438e6cb7e6689021b74eb56b5aa9f36e99b960a450d6316baa6ce4deed1d3bd5d36a69a8456a041728524e901e588d57f5cf8c046

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Molta.wbk
        Filesize

        466B

        MD5

        5c8a283903791aa4630e516bade66942

        SHA1

        757539d1ff447dd52394504342ac4362b68d3196

        SHA256

        fea27f988519d41f6dd26187176a859f471ec4ea2c2441d8e1dfc614535cece1

        SHA512

        95b990630d6568259b0102a6ae7b654a43eee84388a2122556841a02e5a420ec3d625d296682511ca864efae89e620733a0ce1464f8d361baa4391b291044f5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.wbk
        Filesize

        728KB

        MD5

        3724b076bf6b9eebc2631078bb834f25

        SHA1

        37d11b1d24a2b4b142429b0bd30cc3dab6ee77d1

        SHA256

        17dd3ff72ea87c9c9b9979e4b3aa9590d0b55ef75a82b7377aeef5cdda9dddec

        SHA512

        7df150f4a05b10ed04aac02575c4b504ca3a564cf1bba93ff901a2fee1feb49bbd9378cee26e9eba2ffa9259a5d78a6252d350f276b494b6174e16d8b3915432

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g
        Filesize

        709KB

        MD5

        75b9672d8af862d57bbfc61b7b20964b

        SHA1

        7e38aebc2c0585456446b6edb6c542f0a6d2c85a

        SHA256

        17fdb8fb36a0a125b5c94f6f72457bbdfcf4e95ed32637b8ff95e6801d21794e

        SHA512

        2bcb96de9cb75e3f82681ee0917e251be4f82dca033d0abb89495a0e5484a7992d24bf30d6feb2379bf495a8ebbe137e0c62d4eddc62787f7ead53dc74eb5da5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ddneorceodib.vbs
        Filesize

        133B

        MD5

        7e03091641382c647401d0629310ed01

        SHA1

        daec4b40a29f36a3a539eab62c61dd47ebced298

        SHA256

        e140a3e4ec4cd8bdcb71522ee15b88e35989175182cc2dcffc1058064a80c2b6

        SHA512

        63203ee79ce8f0395b640ecacabde1aaeb4b9b536a96c8650897eb54a748b138a60874da9e8c842553bdf3229c121bdc4d7b76943ce6de61c1e659d9155ccea8

        Download Submit

      • memory/4544-20-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-22-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-23-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-24-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-25-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-21-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-37-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download

      • memory/4544-19-0x00000000005D0000-0x00000000005F7000-memory.dmp

        Filesize

        156KB

        Download