Analysis

  • max time kernel
    30s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 16:48

General

  • Target
    x2s443bc.cs1.exe
  • Size
    15.9MB
  • MD5
    cf2a00cda850b570f0aa6266b9a5463e
  • SHA1
    ab9eb170448c95eccb65bf0665ac9739021200b6
  • SHA256
    c62cb66498344fc2374c0924d813711ff6fa00caea8581ae104c3c03b9233455
  • SHA512
    12d58063ccad16b01aaa5efb82a26c44c0bf58e75d497258da5cc390dcf03c2f06481b7621610305f9f350729ac4351ef432683c0f366cb3b4e24d2ffb6fc2a0
  • SSDEEP
    393216:x4qAB9wufflSR+eSHLZBsUOAyyYpqf9pzJfvht54QY3lZUEsB0:ODwuFeELZay06BJfpr4d4zB0

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Downloads MZ/PE file
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill (1 IoC)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe
    "C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp" /SL5="$8011E,15784509,779776,C:\Users\Admin\AppData\Local\Temp\x2s443bc.cs1.exe"
      2⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2920
      • C:\Users\Admin\Programs\Downloadly\Downloadly.exe
        "C:\Users\Admin\Programs\Downloadly\Downloadly.exe" EnablePro
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
          C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
          4⤵
          • Executes dropped EXE
          PID:432
  • C:\Users\Admin\Programs\Downloadly\Downloadly.exe
    "C:\Users\Admin\Programs\Downloadly\Downloadly.exe"
    1⤵
    • Executes dropped EXE
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
    Filesize: 1KB
    MD5: 55540a230bdab55187a841cfe1aa1545
    SHA1: 363e4734f757bdeb89868efe94907774a327695e
    SHA256: d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
    SHA512: c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 67KB
    MD5: 753df6889fd7410a2e9fe333da83a429
    SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
    SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
    SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
    Filesize: 230B
    MD5: 382a7e928c9c5a02dea7c3460db888b8
    SHA1: 0e280033590a278a0a47bda810cef8b4bebffe3c
    SHA256: dbce99c9f569624bbdff29e14a61cb711865e78dbd112cedccfa4ac334eff579
    SHA512: b2fd70e2ec0ca4c8d518856a34a3c77846c075cc2b15c440a225e8e5bdfcf5dbe81de54f6a63a343bfaf5e85b20f644f8ceb7c1b523189cf11416c4fd7342849

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 51f01421ebbc13fa5f5f257b303250f6
    SHA1: 3953ae333046c486aec5c195edcaff90b481019e
    SHA256: f4218ab1b355bde5e77beb713c5b5e74c0b216e68f9ac0eca0bafb2aac7fe759
    SHA512: b0dafffe27f1ef4a862d253a22b1eef3771801e8254fd3c797b946b5cead1b5c6ee485dabe175d6110b3a69484a224c8ca8d6efde935fbdb41caf4af674a00c3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 3c419e3f761156e725f8e1a95aba4aa8
    SHA1: 893f9ac5e8f5b2df1bcc928cd8f264f104603e49
    SHA256: c6b5af4bc63b93671eecad6b6268d9a5d39ebafeb65e686840f99bce62411e92
    SHA512: cc154a54d578d49ba193a853ceff2b10b78f0d88e36a829b2f5330608e21b1e04743300e1ab881769bb69c928d3d09967babe435629a8d94a8223397ccfe668e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: af611a84dc72b58877799efbe93028ec
    SHA1: 14b74a620562f57d8b97ced027a7c81098f32f2b
    SHA256: 6eaca4b391ede5356b20445c405e096dfafe3035538791d36a7047e9664416eb
    SHA512: 79b9d77b73dd9553bd4d7bd12968c3886ea72ce704aff75d27bc57b787bb8e0d2cb43206589665ef8ccb8ea1447161b4df626dc4d6994fb7715ed04053408c49

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 9ae14c7e6612143f5fdb38ad48654247
    SHA1: e28e842c401b1e1c357184f62bca93666a1a6e72
    SHA256: 5558c463b4b547db5e24226074f54fe889f72ba4e4f7f077852c9d5021c0aaf1
    SHA512: b1baa10ac7551d122dcf364151ce4b282909408264a7c4e441ef9035013bc2b06ca8cc2e850200f84d8d1ae36707a64100374fbc5dd7b6d7a39d4fad55d34dd3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: e23f201f682d75254eefa16564cbb247
    SHA1: 6b149415704a3253c9ac6f0583ec0a846155754f
    SHA256: c3f3b80e0e25594fc9881353a0b0f4ca623d1147945eb7c31e7689da338bec85
    SHA512: 971b638786e4c5a674c78e9aa50b71a70ac93f3441b3ccbc874fb033b3db44dd6cb30b24c975093b1cdf99d578e9707e0cb97a5f376580994817aa427066252b

  • C:\Users\Admin\AppData\Local\Temp\CabFCA9.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarFE55.tmp
    Filesize: 175KB
    MD5: dd73cead4b93366cf3465c8cd32e2796
    SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
    SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
    SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\Users\Admin\Programs\Downloadly\Analytics.dll
    Filesize: 49KB
    MD5: 4bfda9b9b1176dc30c84a70fed2c1316
    SHA1: 72b1921cec6686f52d05a5d0cbed274cd01a0f00
    SHA256: 2d17ed0895df0d2f958573eb601a1485604e63d9f8ff905fc1fc74f1c43b2904
    SHA512: 178939745a74943c239db8c740a8f547649004df5c5b469d55967d69008803377bb47befc158b1d6faef421f0c5b583e975d55207c6f92a5b8769c2ae83ce9d1

  • C:\Users\Admin\Programs\Downloadly\AppIcon\icon.ico
    Filesize: 3KB
    MD5: 3387dda8a9109717168b2691a8c5bdd9
    SHA1: ede213dc7dc627177aca420745a883b4cc1fde13
    SHA256: 99c2bab37ee04bc9dc210bef0365120ceb55f7d2f859eb1823c1a9d23ad75482
    SHA512: 581f0fe668584b5872cbc64e03296090ba323d83d250cee9aa65430cffb35c1dc367c04245f7f89643c752cfc3b8a681fa7a842355d52da1e98e1708c6749ff9

  • C:\Users\Admin\Programs\Downloadly\Downloadly.exe
    Filesize: 526KB
    MD5: c64463e64b12c0362c622176c404b6af
    SHA1: 7002acb1bc1f23af70a473f1394d51e77b2835e4
    SHA256: 140dcfc3bde8405d26cfe50e08de2a084fb3be7cf33894463a182e12001f5ce7
    SHA512: facd1c639196d36981c89048c4e9ccf5f4e2a57b37efc4404af6cafb3ec98954fe5695b0d3a3ee200b849d45d3718b52cce0af48efba7c23b1f4613bcaa35c0a

  • C:\Users\Admin\Programs\Downloadly\Downloadly.exe.config
    Filesize: 4KB
    MD5: 894f0bab00555ff07b8a97a05ef659fc
    SHA1: e3a469e2654ab2630e13243b432abdbcd269836c
    SHA256: 6b56cc5c8bbc5cad7f55212643ed4a7408b43fa297642f250a05d3a59be21a8f
    SHA512: 697673191d1491652d0d42ca727b1be11cdf59ab11fe3330bdea8134de3ae32f4e83482c09e588b5b542ed869e1e5dc9e1094533b666d30f28b298f9046e8785

  • C:\Users\Admin\Programs\Downloadly\Massive.dll
    Filesize: 3.1MB
    MD5: aa8a9be864bb1e25c6c371834beace33
    SHA1: e3904292b2ca564258c9278d6cd5cc7dfc69f95e
    SHA256: b384459db379a1f47877f38b5d0e6f615ee1811230ad5d1f456c800e63f0246d
    SHA512: 8ba1bcb21509276ac21146329c5b3508cd68fdaabf462d1579fd6e63992d72d74fbe095e0c242eec9d9f1e1c165b5d0be065b341b5e74c1ab84441cca7358806

  • C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
    Filesize: 3.3MB
    MD5: d0281d1056c23d6df08c5475aed431ed
    SHA1: 6dc430f44945a04533fb303b621cbea02601f47f
    SHA256: c11d3a7f835d0ce0fa06ed1bfb54fabdc94fd4dd2e43468d0f9a5aa47b92588e
    SHA512: 14104544b99ded467d9aac44d56265aa7eda4ceb6fd2899f0384294ceaaab8d1030dd3a4aee2428db17f203981eade8184e9152a924400f3927760ecdda801d4

  • C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
    Filesize: 3.7MB
    MD5: c9c91145c227822491ef989de89c61c3
    SHA1: 1cfd0305db7744fe055a37e2f63f1b44dc13a1f0
    SHA256: cd99293dbc2f06811ab6b5185c865e43c2a717584f71a64cc70fe427ec58820c
    SHA512: 627a2634650f02a75f2e3bba2ef17e582c10c36caf1d16a61831c3d3c9a0b4d1454db1b3589039925969718ad55d15971dba987ddb785294504cd817ef4ec7fd

  • C:\Users\Admin\Programs\Downloadly\Newtonsoft.Json.dll
    Filesize: 686KB
    MD5: 785ee25cc12c75540fbcf20dbdd08140
    SHA1: e94dac0a508e27a30a5472b2ebfa1016889a42f5
    SHA256: d091c67e46698a82bf806eaf2d2c13c3da5d5aa858ba2ad1891fc7a5ddbb4de1
    SHA512: a70cae48b3291b9abcfb003289c1567dbc2be9b542501c3bb70c58ec6c730d545b7aaff8f4c6e3a254225670c3b4ce91e0436515089173d020dd09ba6eef8873

  • C:\Users\Admin\Programs\Downloadly\WinSparkle.dll
    Filesize: 2.0MB
    MD5: 598e7f89a37d006066a497440a8fbfd8
    SHA1: 067508e7621e8106a7d32587d2b17176172417ad
    SHA256: f5f8540822f4c449364e0f71fdf85b33dfca50e73bdc0d59dd6de2cbde367bf3
    SHA512: f8c2c73498f0e42ed7dadd8b8af257ead79e8404856bf0877cd71028564a9be9e9787fe40b54e5ffe00f863140fa987302a52399143d97b23bcc0df83b12626b

  • C:\Users\Admin\Programs\Downloadly\log4net.dll
    Filesize: 274KB
    MD5: e4b95eee136c9c270f9b69b72162f300
    SHA1: 2b774fcfe5072b4c9ad61c9ebe7d0f26a57dc0ab
    SHA256: 02017ccacc6855755e8568f411ed248394606c004689119b59bb9ec8134caa39
    SHA512: 223e593a6bfa57353685ab4b5d77cced8c0dbf07ebdbd2b21077460f0a176428e8fea18eda98e65adc5e95844f089bbe5cc07362eda8cc1afdd9a4d5d95c3d46

  • \Users\Admin\AppData\Local\Temp\is-AAHTF.tmp\x2s443bc.cs1.tmp
    Filesize: 3.0MB
    MD5: 0d5dc73779288fd019d9102766b0c7de
    SHA1: d9f6ea89d4ba4119e92f892541719c8b5108f75f
    SHA256: 0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289
    SHA512: b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

  • memory/432-185-0x0000000000400000-0x0000000000516000-memory.dmp
    Filesize: 1.1MB
  • memory/1360-170-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize: 9.9MB
  • memory/1360-171-0x0000000000810000-0x0000000000890000-memory.dmp
    Filesize: 512KB
  • memory/1360-174-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize: 9.9MB
  • memory/1708-1-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB
  • memory/1708-15-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB
  • memory/1708-156-0x0000000000400000-0x00000000004CC000-memory.dmp
    Filesize: 816KB
  • memory/1972-167-0x000000001E1B0000-0x000000001E260000-memory.dmp
    Filesize: 704KB
  • memory/1972-155-0x0000000000530000-0x0000000000576000-memory.dmp
    Filesize: 280KB
  • memory/1972-188-0x000000001C420000-0x000000001C4A0000-memory.dmp
    Filesize: 512KB
  • memory/1972-164-0x00000000005B0000-0x00000000005BA000-memory.dmp
    Filesize: 40KB
  • memory/1972-163-0x00000000005C0000-0x00000000005D0000-memory.dmp
    Filesize: 64KB
  • memory/1972-158-0x000000001C420000-0x000000001C4A0000-memory.dmp
    Filesize: 512KB
  • memory/1972-157-0x000000001C420000-0x000000001C4A0000-memory.dmp
    Filesize: 512KB
  • memory/1972-165-0x00000000005B0000-0x00000000005BA000-memory.dmp
    Filesize: 40KB
  • memory/1972-451-0x000000001C420000-0x000000001C4A0000-memory.dmp
    Filesize: 512KB
  • memory/1972-150-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize: 9.9MB
  • memory/1972-149-0x000000013F840000-0x000000013F8C4000-memory.dmp
    Filesize: 528KB
  • memory/1972-423-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
    Filesize: 9.9MB
  • memory/3024-16-0x0000000000400000-0x0000000000705000-memory.dmp
    Filesize: 3.0MB
  • memory/3024-8-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB
  • memory/3024-153-0x0000000000400000-0x0000000000705000-memory.dmp
    Filesize: 3.0MB