Analysis
-
max time kernel
146s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
05-02-2024 07:11
General
-
Target
915c009707adbeb04949f9bca59f70a5.exe
-
Size
267KB
-
MD5
915c009707adbeb04949f9bca59f70a5
-
SHA1
c3647dc26328adc3524ed09c357f39ab3505fd77
-
SHA256
ff9c3064d93fa3b8b83077b9e87b0b4eb320860147dce902a694c5d7dc7adb54
-
SHA512
22c8418c86dfe0cc9d459a4ef6eb53cde7d6f52251b15526b9cc19d5d096beb0843648028c750102e1b85ab1a580ecaab4a10f04c3d8ff99ac748776c40c21f4
-
SSDEEP
6144:949Yb2RsSriSbn7ZFf4JLtf6Zf/3iQMTCAEW7HaxAOx:94Ze8nNFg5hi/3Uubc
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 19 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\915c009707adbeb04949f9bca59f70a5.exe"C:\Users\Admin\AppData\Local\Temp\915c009707adbeb04949f9bca59f70a5.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\boo.exe"C:\Users\Admin\AppData\Local\boo.exe" -gav C:\Users\Admin\AppData\Local\Temp\915c009707adbeb04949f9bca59f70a5.exe2⤵
- Deletes itself
- Executes dropped EXE
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\boo.exeFilesize
267KB
MD58800fa37fa54aadeb0d3f43ed7ca960f
SHA16b49f0fc80421e4f7d3165ae24507c08b1136319
SHA256ccc0a14f58046baba72a729e08997a812ef3a365675371a86b43b663e85615e0
SHA512139149ef9337684b6656e7a03212b265c116d6a8208d00b903a7c6c1df400a809499ca053c5da22aeb51505ba0f39ed6adf1e8c855621a376a4adacd067a5482
-
memory/812-12-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/812-0-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/812-4-0x0000000001F10000-0x000000000202D000-memory.dmpFilesize
1.1MB
-
memory/812-1-0x0000000001F10000-0x000000000231E000-memory.dmpFilesize
4.1MB
-
memory/812-2-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/2692-15-0x0000000003D10000-0x0000000003D11000-memory.dmpFilesize
4KB
-
memory/2692-19-0x0000000003D10000-0x0000000003D11000-memory.dmpFilesize
4KB
-
memory/2692-33-0x0000000002640000-0x0000000002650000-memory.dmpFilesize
64KB
-
memory/2880-13-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/2880-14-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/2880-16-0x0000000000400000-0x0000000000461F90-memory.dmpFilesize
391KB
-
memory/2880-17-0x0000000001E50000-0x000000000225E000-memory.dmpFilesize
4.1MB