Resubmissions
24-02-2024 04:13
240224-etaglshf8z 724-02-2024 04:13
240224-es5alagh32 324-02-2024 04:11
240224-er7dkahf6v 724-02-2024 04:08
240224-eqnvtshf3v 724-02-2024 04:06
240224-ephmesgf98 7Analysis
-
max time kernel
45s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
24-02-2024 04:06
General
-
Target
AnthemScore 4.17.4.exe
-
Size
746KB
-
MD5
11d36e4373ab82e706a37bd672d00486
-
SHA1
2ea19f043a36ca5b16ad8a29434ad98ac473692f
-
SHA256
ecd601112cb36f1501dfe40613ce64b583fb732e34fcd486a0dc207c457e518c
-
SHA512
fe277cf2bea9119ac0611282a5368a545717a4af2723219514a22e4b31fa545f51d0bb2a1137c907e3a418c314a2b4bff058bf808a8f1c91527c969c3bf30718
-
SSDEEP
12288:uaHc64b888888888888W88888888888DoscV7/9GqeMo3oM5omOX2n33rD+zG/ov:F86qjW7/9ooTrGnezG/aYFkJR30F6rpT
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 60 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnthemScore 4.17.4.exe"C:\Users\Admin\AppData\Local\Temp\AnthemScore 4.17.4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-HHAHT.tmp\AnthemScore 4.17.4.tmp"C:\Users\Admin\AppData\Local\Temp\is-HHAHT.tmp\AnthemScore 4.17.4.tmp" /SL5="$50230,373961,121344,C:\Users\Admin\AppData\Local\Temp\AnthemScore 4.17.4.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\sub.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\form.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-0PCF8.tmp\misc.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SysInfoTool\sitool.exe"C:\Users\Admin\AppData\Roaming\SysInfoTool\sitool.exe" -cr -tu 53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /tn "Microsoft\Windows\Windows Error Reporting\TerminalSysInfo" /f4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /f /XML "C:\Users\Admin\AppData\Roaming\SysInfoTool\data.xml" /tn "Microsoft\Windows\Windows Error Reporting\TerminalSysInfo"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\explorer.exe"explorer.exe" "C:\Users\Admin\Desktop\AnthemScore 4.17.4"3⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AnthemScore 4.17.4\license.txt2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
523KB
MD5e92604e043f51c604b6d1ac3bcd3a202
SHA14154dda4a1e2a5ed14303dc3d36f448953ff6d33
SHA256fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3
SHA512ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43
-
Filesize
79KB
MD5d4266d6b37fc3e9374bd6b4874b03851
SHA1ee1e8af807b8a7219af19bbcbdc9a6399b865cbf
SHA256128134083fe7e6ab99ff592270619e38bc1f2f527541cc065651a162c7c9b4bd
SHA512bbe76d6826d0ed4b2e142b91ea62f5c9dccd300881d4899846e0ce320aaaf1d3c1093200b00b6e5217d35be65f7c2d073c9d32cde10ea97adbbb9cc04c3a864b
-
Filesize
33KB
MD501239d3cf730a862ac8a5cf6fb52f642
SHA13f912abbf510df9efc83211ee5ef480ede80bdf7
SHA256e9d54fce3227b64dae37712622de5d9152828b5475ab08d5adba952d956af5af
SHA51202d3b4f49a5300787ccb4644c246c4c57fbacd0c893668db20d73eb8ae8426c638377e4e6b6a75766430409f69ff9bc09d52f140f6c9c8d85a07b14a7646125f
-
Filesize
935B
MD5b0dafe58a3367c5e4dc3e81b80ec9da7
SHA11645aacd64989c6adbe095a972ef14875decb991
SHA25642f983fb8f67bff77a4773cb69314aab7768c9e92878e26d979f9a4827385941
SHA512c18c169400b24b34431512acb6b776907ca8b26e7473777e12b21d06d2e396970d66d09e09df93dd2b87f2d75a2d36a8f718d9a8bd51aad0b98c2ea3984747cc
-
Filesize
3KB
MD5d54da888e3c5fd5ba749ec296e0c0fd9
SHA1fd6248400797c98f55a689c7442a3a49deb24d39
SHA256ec58f7e5fe7c18248bf4b987dd3d16a8a67508eae035df5a25f2643e0e53bebf
SHA5120b55511669fd386b849a808b5d55b3eb881b1d8a96c28ffe5c8e68ba55cb03d98188a932d8a17de3e8a0a4adea877557832f913bcba0f434b3ecf75ffceaeed5
-
Filesize
327B
MD581ee6029243d6c780cf69bdf17da7959
SHA1b300c4f120d9919a5ca2392f2d4ca9a68d2b1ff0
SHA256bc494bddac67892c5817663de836ec5968f813246a948dc1e163d154800e7aa1
SHA512769abf77ebfa9a4d9342003a625d56bd59fdd1039fcd036a9bd2988f2e4c0066d0de1b8ea2f33a693a02eb3c2c9bb8ea4b16ea7eb16025135dc9c72d10b68439
-
Filesize
213B
MD5c047508a4a1f583b7ed31ec7b0df9695
SHA19bf6b15318145e7e46682f19d5cd38bed8b2b119
SHA256cd999baa036d44d442fe43a541d69f04ba206c58938f3c22ec0f226493c63e35
SHA512418d3bb5186ecb7c54fdd95cc5b494ad837e8a7e5cf21c0ce3f0cb90264786c13105a93c4c877c85cf14cea5809ed151eceb7ee48be88f788bb2c2a42416ee0a
-
Filesize
1.1MB
MD534acc2bdb45a9c436181426828c4cb49
SHA15adaa1ac822e6128b8d4b59a54d19901880452ae
SHA2569c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
SHA512134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb
-
Filesize
324B
MD5122ddf9adf1e54a76e85dae843f5e2d6
SHA1511dae9d62f0b7aa6f331b40f65f5eaa27daad2e
SHA25633a4c198eb4661fecfb01bfc6e4ca9f534b657dd08e9f71b8885f5812386973c
SHA51278af36aed817e1adb44e091e086c777ebdcc439e444131979b9cd9ef76d1c5dc21b47e57824015e1603f2cc5694442e2503c0e90e2fcced47d8dcfc80fb81371
-
Filesize
3KB
MD530679c91c2d77852110626038de0419f
SHA10045e2a8aaa2f3856db9bcf861e3b6564b508761
SHA256511d20e0ab1d241b5bfe61f89704e0d2f8a35da9d8533dff9851fe47aedaed64
SHA51296a028c8e20844a890524fbba3220825b61bfc41764c083b0d931fd1335791782a84ffeeec4b34f0dded47c6b063cfca699d0f2416998966f2c49ec910857529
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB