Analysis

  • max time kernel
    183s
  • max time network
    217s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2024, 20:59

General

  • Target

    Lost in the World of Succubi_e8-w8e1.exe

  • Size

    13.8MB

  • MD5

    42b0828a300ff9641620a1ab43cb9547

  • SHA1

    aea4f6eefcc2aca7f04220daf688565f66b4c212

  • SHA256

    0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0

  • SHA512

    60341d9363a09636b1ccf19ff4ee20bc361c41488bba108ff546b8393aad2652988923d16e958ac889a13265a10f7ffce74b311acbc5986ac1d75c6cb3efa7d5

  • SSDEEP

    196608:4j6kU9NYlObEk0Lp2dd/kZzkmxgy9NSW7I7GIXSpINbhiTGIwTh3kC3uDEN9TrSi:yLSN30LpEiSCC9XSpIFwah3RuINhkUP

Score
6/10

Malware Config

Signatures

  • Checks for any installed AV software in registry (1 TTPs, 9 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (16 IoCs)
  • Modifies system certificate store (2 TTPs, 12 IoCs)
  • Script User-Agent (2 IoCs)

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (11 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (16 IoCs)
  • Suspicious use of SendNotifyMessage (15 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe
    "C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp" /SL5="$50158,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"
      2⤵
      • Checks for any installed AV software in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe "qBittorrent" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:808
      • C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
        "C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:608

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: db4350ca8802703b4b68bff706f9f5bc
    SHA1: 2119300fd09b412aefc5ca473d9e8a7734c92ba2
    SHA256: 715212748babd4f9dc1fca7dde8f910dd70094ae328b802978450480ef9efda7
    SHA512: c8ce2e0d826b9455d741e6d67414fe9271fbba5817aea4daec81d4f8f758757d38b5e9005bb9a3cb1ae2a8b9aacb0a8ca1aaf1ebd787c5b708daccc35922975f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: fb07809dcab0eaa99d801991d9437de3
    SHA1: 2296af3ba28318e319bd058065546c02826a1b51
    SHA256: e489d9f296a603ab98ad17f6ba4323dd773aec1f45c07a66a4c4aeba4bb51eee
    SHA512: a48563430d5fee0bac51370863af395d7f5e6a9fa02a4e95dfd79049314297f2fec3fa19f3f253fdc273ec05ff526d1383959a65dfafcd64da35d39eed0667cc

  • C:\Users\Admin\AppData\Local\Temp\Cab7ABD.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar7AFF.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\AVG_AV.png
    Filesize: 114KB
    MD5: 5ef5291810c454a35f76d976105f37cc
    SHA1: 8ce0cc65ae1786cef1c545d40d081eda13239fa6
    SHA256: 03e69e8c87732c625df2f628ac63bd145268f9dea9c5f3dd3670b1cf349a995c
    SHA512: 3bec461bb3cbbbdb3c05171fcc5ab7e648b2b60d7b811261662f14d35c3836148b14cda1a3f2be127c89cc732de8cf1644d2e55e049eeeb2da8e397c58cc919e

  • C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\finish.png
    Filesize: 2KB
    MD5: 7afaf9e0e99fd80fa1023a77524f5587
    SHA1: e20c9c27691810b388c73d2ca3e67e109c2b69b6
    SHA256: 760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0
    SHA512: a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

  • C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
    Filesize: 8.7MB
    MD5: 0359bb9304cd1255be588dfebfc2ef11
    SHA1: d0b205a3d876d8e74e27051e89ff8b7075e202a3
    SHA256: 927d000a3a54fcb100345690d3f68f40d021c6d12d02c9b7c2cab5adb815cf3e
    SHA512: 21478da87531ae4934ff6995d91416eb5a23d96f99e2e11a40120a7f004713e7d052f9198d60d4180c7636c88515aca84362aa2b16d177f148bdb78a813de77b

  • C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
    Filesize: 1.9MB
    MD5: fb6a50e02daf6c781d601cd4f11a3bbb
    SHA1: c1c06d64f476c04510d2cd0afd3a12a2d8ad3871
    SHA256: 69229ea1bbb20ea7181e6e1febd54790bf21467a27df360b30547a655b6d494a
    SHA512: d9b6775c6dee41ee58fb447a9b1e0ee0a328b87b842ff9956a8474f642fc2bcffc8d1ef33af966fdde679f492fc0d27bf5a392bfef03ecc280f1aa591635578b

  • C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini
    Filesize: 1KB
    MD5: df23cc2f6ce018627abf87f3e022970b
    SHA1: 38327c60b3e7ad2e10f80b00ebd5f8294346f606
    SHA256: a5a25b95446f5427e21adaf5d42206bc120c10507f65530bcc5187308e9a32dd
    SHA512: d36340b91106d5fddb7eba13348fc9febb4849b9790c91363998b7e7d224a30e303a6b7a6dbce492cc799181d75ad32fb713c138e84c00376adb988cac0915a0

  • C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini
    Filesize: 2KB
    MD5: eff130c6bcf4608c2ca94f436ebcc748
    SHA1: 044fe240414d071e45eeae6227f5379f44f7bf84
    SHA256: ba0e6af739d8c55a57d35bae89250e68686198762817498839e1be47b31bb9bf
    SHA512: 181f86127e253b9b3b53dd68fa6bee1e731b0e95f8d37f0024f8dee9006cf048b532c93bd84da67dbd92c16a78e1c956ca67987d4e95ee20f893d083d7fec3c1

  • C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json
    Filesize: 4B
    MD5: 5b76b0eef9af8a2300673e0553f609f9
    SHA1: 0b56d40c0630a74abec5398e01c6cd83263feddc
    SHA256: d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817
    SHA512: cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

  • C:\Users\Admin\Downloads\Purble place\purble_place.zip
    Filesize: 10.1MB
    MD5: 2dee83cdac14d0ddd959bc2b649b1266
    SHA1: 8f1b70a77343ab96abeb442d5bd249dfb1fb06b7
    SHA256: fa80f8a2dd7c94e3d79f7b898964aafd55603bd9676214f65af6d994ea4ff951
    SHA512: 2e571c06134f528eca9e57b0618de45eaf88c7c7cf722f5e5e7885ab7acb68a267006d1e416ef7e0537ed5f700517412152232bb6be4495f85bdaef596a77450

  • C:\Users\Admin\Downloads\Purble place\purble_place.zip
    Filesize: 7.1MB
    MD5: 25f423e6f34094be52aa38db3903c5db
    SHA1: 2126d7af016be0b3f9e8b1a1cf010075641f1229
    SHA256: 103fde1b502e8e8978780a2a535434ebcce253ebc183b7111c7502ba85e7fecb
    SHA512: 330c00a643e4e833199ba1d1e42a24a85db7c6d28f431d2022f24e0bde148ab86ee5c88258d38691471ce0d0472f0e0856948a113bc42a7eff23bfa22a636b31

  • \Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
    Filesize: 2.9MB
    MD5: 392188858aab78d544835de0fe665a04
    SHA1: e2c06e4d926bbecee75887c83b5a9e732b0103b8
    SHA256: eaa483432e2cae37fcf1350c160b848948f8e512ed085fab67d901bfcd8d5d07
    SHA512: 0d0d1d1196d705af2a755d054372b45e8540edeb201d2b9ac2d48a08240399314130f3e78e7e962ce708d3da90ed933fa848023f7db9ecaf7fc6ec7979cb05a5

  • \Users\Admin\AppData\Local\Temp\is-R30BU.tmp\botva2.dll
    Filesize: 37KB
    MD5: 67965a5957a61867d661f05ae1f4773e
    SHA1: f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
    SHA256: 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
    SHA512: c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

  • \Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
    Filesize: 8.6MB
    MD5: 0dbb91794caab7f8a4149746f30b8226
    SHA1: 0d6627779baa5e247ec6fba4450b5aa3108d99c3
    SHA256: d7bccbb4223e469ed94776a336ec777b0ec366fac5c5248a5ed311dbd4d26c64
    SHA512: 28ae3e1553b04b5815eb0325a02b30ed5ea032b6909b3b37b84180ae8b19f6d46943e0ce045e44a25b5b1ea9c19c1338f2a688fd6ca719d7cca2bfd2f80e0cde

  • \Users\Admin\AppData\Local\Temp\is-R30BU.tmp\zbShieldUtils.dll
    Filesize: 2.0MB
    MD5: c79e3df659cdee033a447a8f372760ce
    SHA1: f402273e29a6fa39572163e4595e72bde3d9330a
    SHA256: 7d09715c4e0735a0832bf81d92d84600df1815a2ba451586bd25eb16f7c450a5
    SHA512: 490cc30ccfac209f1f5332ce4168b0dc849d7e4d86f3c198ddd23b39ddc950001928a1e071c2ace74c4710508265c0872adb02e3f068e521d28ed8b19ea36492

  • memory/608-186-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize: 40KB

  • memory/608-185-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize: 40KB

  • memory/608-237-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize: 40KB

  • memory/608-236-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize: 40KB

  • memory/608-183-0x00000000001A0000-0x00000000001B0000-memory.dmp
    Filesize: 64KB

  • memory/2896-145-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-166-0x0000000002120000-0x000000000212F000-memory.dmp
    Filesize: 60KB

  • memory/2896-189-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-141-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-137-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB

  • memory/2896-158-0x0000000002120000-0x000000000212F000-memory.dmp
    Filesize: 60KB

  • memory/2896-165-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-134-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-15-0x0000000000400000-0x00000000006EE000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-8-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB

  • memory/2948-1-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB

  • memory/2948-191-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB

  • memory/2948-10-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB