Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
03-02-2024 12:52
Static task
static1
Behavioral task
behavioral1
Sample
Unlocker1.9.2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$TEMP/DeltaTB.exe
Resource
win7-20231129-en
Behavioral task
behavioral5
Sample
Unlocker.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
UnlockerDriver5.sys
Resource
win7-20231215-en
Behavioral task
behavioral7
Sample
UnlockerInject32.exe
Resource
win7-20231215-en
General
-
Target
$TEMP/DeltaTB.exe
-
Size
767KB
-
MD5
eb2764885565b6c01cb32e5f51f213b3
-
SHA1
cc41cadbbd6ba6ed0bfdd17798b4c9f94d7955e0
-
SHA256
d7146999ff94b3ae092f3213ddf0217615f1d38798393b66778d11aae2b68eaf
-
SHA512
ac88795b2e8260ace9eb57d2a3fdc4aadb18e2cb0afd780459f51d25f83b34f7033425dc712655e423eba4e011fd2776f53463042f2c2d9dd427554c04cc840e
-
SSDEEP
12288:XSsZfDKTpv0aNjLDiIx56qQDtOZTIzOjAWe0YiZ2PADaRx6Zfuc//yTuXbdir7+:XSiGTpTLDxxwqQcqOj5eyHox6ZGmAuXr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Setup.exepid Process 2172 Setup.exe -
Loads dropped DLL 6 IoCs
Processes:
DeltaTB.exerundll32.exeSetup.exepid Process 2196 DeltaTB.exe 2512 rundll32.exe 2512 rundll32.exe 2512 rundll32.exe 2512 rundll32.exe 2172 Setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
rundll32.exeSetup.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
rundll32.exeSetup.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main Setup.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Setup.exe -
Modifies registry class 2 IoCs
Processes:
Setup.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap Setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP Setup.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Setup.exepid Process 2172 Setup.exe 2172 Setup.exe 2172 Setup.exe 2172 Setup.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Setup.exepid Process 2172 Setup.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Setup.exedescription pid Process Token: SeTakeOwnershipPrivilege 2172 Setup.exe Token: SeTakeOwnershipPrivilege 2172 Setup.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Setup.exepid Process 2172 Setup.exe 2172 Setup.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
DeltaTB.exerundll32.exedescription pid Process procid_target PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2196 wrote to memory of 2172 2196 DeltaTB.exe 28 PID 2512 wrote to memory of 2524 2512 rundll32.exe 30 PID 2512 wrote to memory of 2524 2512 rundll32.exe 30 PID 2512 wrote to memory of 2524 2512 rundll32.exe 30 PID 2512 wrote to memory of 2524 2512 rundll32.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\DeltaTB.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\DeltaTB.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\0CB96F82-BAB0-7891-953B-6E617FCBE68D\Setup.exe"C:\Users\Admin\AppData\Local\Temp\0CB96F82-BAB0-7891-953B-6E617FCBE68D\Setup.exe" -xprm="cat=delta" -expg=none Files\Common Files2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2172 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\0CB96F~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Program Files (x86)\Internet Explorer\IELowutil.exe"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding4⤵PID:2524
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
53KB
MD5963fd4b53ad57ff23de23dd5ed09ed72
SHA14d3a351de3aa8d789076a6a39d9b4a54957852d5
SHA256850ed48de2c1d0fd8870f457fb12907de9838e26e836a88b1453bbdcc00b5cb3
SHA512d50b48ae06a6137f99581e4f6ea6b417fe6e1871c82e655b042436b8dcc260e00fa8e7ebbfbb0aef5ab489fed4530a830f3f2c9a2dff4307509154c3b614eb58
-
Filesize
199KB
MD562e00fbeebeedc16bf6b380683f3004d
SHA1817b3699db1949b96f85207da262a3f5419a5c11
SHA256d7c19d0748531c279a322522f7b45b3bb2373d5d11242956f7956c672cf9394e
SHA5122a265e75bc2c0453810f5f7827bf03032a33fe7fcca036f7a0ab7620caa447909308c2fb95be34e5df6d9b5f5da22a0bc30f97cf9a04810496aba301431f000a
-
Filesize
57KB
MD566760773be28f40d555765224f649a78
SHA128af276b377e9a9a3a207e0f4ec70c2053cce4d3
SHA2567d09da216b30e3a238468f1a120215cced74d419694a2f4b2e67c624ebf57c7d
SHA5121f97a0c03a93b6aa16b3d48e84c24ddf424ff9f22f4f42e635349fcab3dc07230d2b742a710b9fcc614920502d9af8c559a73d2b7e323f4f20025d94e9e5464d
-
Filesize
250B
MD5f208d9600a80f6c8225f1b5577ee98dc
SHA1252e3ead4d3fedd2a1e7135c400b7f62ef46fe9b
SHA2565cd7adcf0cbe5d4054bf43605d44c40b75ca9b0797ce660ccad1a7ab86d28f60
SHA5128b8d2129398c44762b61dce2de561f8a8302c98efe63beb7e1c68b52202cc11aa6671b72a5b4f5ee04129a22284616631432e0290e1a77c771378c0b4890f35e
-
Filesize
53B
MD5ff7a2f8d37673fc7e5e42dd793086a5b
SHA1346ebc40da9f9d70697f5fe7adf4d431f12d79e8
SHA256963d6ac315b0e5a0b77a3de5e8c6497a5d0f5f1a2a6d53bbd1af274816095954
SHA512616acf62d52b5fa19a1380dfb315ca39d38b69d23bb44e51995360be057112dc8c6f6365c09a964daecc5f0513f92805c4d1cbe10dbd6918994b4803f8b904bf
-
Filesize
142KB
MD54d507fc2ad32d1d8a8e74aaa8c01c1ca
SHA16fe219d6c97c2482e386de8618b5814a04eef635
SHA256a551b5fbdfbb2a519edada9902b6dae5be9810db1c6acdf2dfe4bee2aa4caf7d
SHA512db9caa9fe8bab0d57cf4c8164e2ca5dcb5df8be6ec988f6cd11ff6128ecd31913ac5bbabc6a197948396045e471fd43139bc6a404b44ac31b573503eb58bd443
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT7C13LY\setup[1].js
Filesize15KB
MD5700748709448840b582cc3237fd45b50
SHA16788cf8294890f199a9587aed1bed1b8041685d9
SHA256f5ab1728a8ec2b0a1c19c123bb662f5ad4b098c974ec1e5a168886b71d4dd9f1
SHA512111bf048e0e590aee11e11f9224a3ca71dfa3e3483030a26da898f5aad8b6610f2927ac4d76d97d9804323cf93015644378aa2cdd01b1ec64182a797850eb340
-
Filesize
12KB
MD5825e5733974586a0a1229a53361ed13e
SHA19ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA2560a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e
-
Filesize
644B
MD5f50fa4673555652289652753183fd1ee
SHA1f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA5126e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da
-
Filesize
3KB
MD526621cb27bbc94f6bab3561791ac013b
SHA14010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA5129a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6
-
Filesize
89KB
MD5407846797c5ba247abeb5fa7c0c0ba05
SHA144386455eed8e74d75e95e9e81e96a19f0b27884
SHA2560147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3
SHA5127399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af
-
Filesize
205B
MD590713ab7a74884cd36a5fb4cfcdece8a
SHA17bb56d08fd69a98e543b923bd0a9156f92a9c473
SHA256bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb
SHA512639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191
-
Filesize
174B
MD54f6e1fdbef102cdbd379fdac550b9f48
SHA15da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA51254efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe
-
Filesize
249B
MD5a4af0a0c254b38f2f9eecbf0e00b08fe
SHA1ef730bce77699730dda378dc444b997ce7ceea7a
SHA256810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a
SHA512b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84
-
Filesize
234B
MD56358860cd0c336c1f91f86be701d77c4
SHA15dd38b818bf0860b4c5144ba670a759d4345e4ec
SHA2562ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457
SHA5127df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1
-
Filesize
178B
MD50b7be9c4b72c2c5166bfd61ca5ebbfed
SHA1aea0aa4e8226c1b4efce92e909da773744baa6d4
SHA256673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd
SHA5124dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8
-
Filesize
174B
MD57e72d256e34635d351092955d1f8516b
SHA17f240f8f4bd61ae59247d84d0ec85f5bc8729f36
SHA25639eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c
SHA512621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c
-
Filesize
1.8MB
MD526f6d1b6756a83de9755a05f7c030d75
SHA1935f58155f74b051f9123b6022b7d358b52b146f
SHA2562acab7c986bbf80578c3bd998dd2d853257719ceb74c9d30bb4ea28952403d5b
SHA512af9603572bddb6244a7ab0484cb3ac9ed7c91b1cea3e3f8c8886478930dbc102925b45ed094eaa2801755644e3bb4a4c0685a423f937f4b02af16feec56e4f6f
-
Filesize
508KB
MD50f66e8e2340569fb17e774dac2010e31
SHA1406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA51239275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05
-
Filesize
6KB
MD5a21de5067618d4f2df261416315ed120
SHA17759a3318de2abc3755ebb7f50322c6d586b5286
SHA2566d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca
SHA5126b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a