Analysis

  • max time kernel
    137s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02-03-2024 20:26

General

  • Target

    @_136 @828#-138389J-SJFJDSM.exe

  • Size

    5.2MB

  • MD5

    8951c21e3a189b73a567f1078f67671d

  • SHA1

    54b99b503f8a6c70fbc0c9791a21d2705fed0a4f

  • SHA256

    955ca46af9ec9f1a8f1f51da125ed7fa05ab25ae5cdadada73feb37542626384

  • SHA512

    eb6f50bf15c7b7224df9ef7d139a7adffbf5b28e96611a4475d3b7f5ee62751d37a3ff0ca7123107196a033d73adb7aab7f2c1541b8b50fe6a546448671126cc

  • SSDEEP

    49152:5Y/zzz/zTzjzTzTzTzwrDrTrDrTrDrTrDrTrDr3CnX/fX3Xfn7X3LX/fX3Xfn7Xc:5ezzz/zTzjzTzTzTzwJv

Score
7/10

Signatures

  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (4 IoCs)
  • Kills process with taskkill (5 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe
    "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1D50.tmp\1D51.bat "C:\Users\Admin\AppData\Local\Temp\@_136 @828#-138389J-SJFJDSM.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\system32\cscript.exe
        cscript prompt.vbs
        3⤵
          PID:2692
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe
          mbr.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Writes to the Master Boot Record (MBR)
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe"
            4⤵
            • Creates scheduled task(s)
            PID:2468
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe
          bytebeat.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2560
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\Magix.exe
          Magix.exe
          3⤵
          • Executes dropped EXE
          PID:2440
        • C:\Windows\system32\timeout.exe
          timeout 30
          3⤵
          • Delays execution with timeout.exe
          PID:2740
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im bytebeat.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Magix.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1296
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe
          bytebeat1.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2484
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe
          test.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2668
        • C:\Windows\system32\timeout.exe
          timeout 40
          3⤵
          • Delays execution with timeout.exe
          PID:1940
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im bytebeat1.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe
          rgb.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:660
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe
          snd.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1468
        • C:\Windows\system32\timeout.exe
          timeout 50
          3⤵
          • Delays execution with timeout.exe
          PID:1716
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im rgb.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:844
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im snd.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:352
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe
          gl1.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2340
        • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe
          circle.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1712
        • C:\Windows\system32\timeout.exe
          timeout 65
          3⤵
          • Delays execution with timeout.exe
          PID:2916

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\1D51.bat

      Filesize

      557B

      MD5

      66f47a843ad967cd8824d29bbca65017

      SHA1

      d5a01629302123b6289a7bd677035ed5e237baaf

      SHA256

      3f2b8da496e474625ade273d664cf76b8a1b8ea2ba42e8656e92b7819793cab9

      SHA512

      1e151e4e1fb69aa7311d8b754e435972e7f6bf47fbf4ad3a06516821b5d5a698e80cb03cec022137643c4c38d09527c5adfbe3846962f71cc7797c81093f034e

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\Magix.exe

      Filesize

      59KB

      MD5

      026992ed7c38fae57e8839a6c0d883c8

      SHA1

      9b389aa3dd774f3cfff3dcbe8ea8779ef005b31f

      SHA256

      68cb1fe2ee7c3f69fe2d508d117b502ed19337bd332e722605e491a823f89645

      SHA512

      d20fe47538b9e1fa0ccf198f5a4a31506cc59622b2492e9f64435fb06b66ccf93cde056693656da626ebf56ab434425fbf3291db979fe6c67b2a7a14649d9dc7

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.exe

      Filesize

      102KB

      MD5

      445d48408fd9cb1bcadfb8243027a12b

      SHA1

      cb1382d3870a4a821ce8e731d9401f7ba0c0da40

      SHA256

      7a5b8795aed94dca80cc5e956f1b409135735637cc556c7b533acd6b2fbaee58

      SHA512

      b89d121f13a574d6b51125cb7b35ad68af22eeaa7b68b8cfbdcbdd228b941235a8a841906023274d93ee68ab64ca59251f6f7ffb2b59034616879e111359297f

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat.wav

      Filesize

      1.3MB

      MD5

      d6c579826cfdb4716612eefb5ee07c78

      SHA1

      a179e34b8811935942846451b98064c973c02c1a

      SHA256

      aa2e99a722498dbc75870a1abc7a351da46b1bde1b349148efb5a237312c46fd

      SHA512

      ada16dfef3f9e264108dff6ee975b79f38a38a733cff82b788897a140fa197f6816be1bea0ef425a56380d03fd6d45652ae4c8fbaef1a964bb1b7055af989c10

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.exe

      Filesize

      102KB

      MD5

      6b673ece600bcc8a665ebf251d7d926e

      SHA1

      64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e

      SHA256

      41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b

      SHA512

      feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\bytebeat1.wav

      Filesize

      1.3MB

      MD5

      cea9d2316f0e62a4fe233d6d9445fc53

      SHA1

      b058e7d7d96b717e6a47606eb6f632c4444ff800

      SHA256

      f61e579cdd011ea354c4d19bdfe140df9870f372ebe7b3ec747140a0771fe1a1

      SHA512

      e73aaeae358dc340c046f61dd29a629a3b2a20ebed7966a1d92da820c484154093bf42330cd0e0ad96373d2a25d1f0237abd8e34cdfd3ca9ccb3d6d310400394

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\circle.exe

      Filesize

      12KB

      MD5

      ed169e40a69cf73fd3ac59215b24063f

      SHA1

      32d49462e74e6c08b941d8cd530a5f3c0f3b5764

      SHA256

      b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

      SHA512

      f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\gl1.exe

      Filesize

      105KB

      MD5

      ac0cdb57f020158a4f356f0f819ac9a8

      SHA1

      2fa07803943314ff4ff9a6ece448caccf327db54

      SHA256

      a47b0210f10011d86c59f19f929a860eaa2bd363ec1e01927c4edad404656b4b

      SHA512

      a12a7441a107df43682bfe581d56891910bf8906b18a4049e822828c5d6d376e32ee69fc7f983afe98e9c1067e2962fa2895b643e4699568c4e053d89ca7b1eb

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\mbr.exe

      Filesize

      101KB

      MD5

      a15d67f06d5bb68b5a22283d84fb5077

      SHA1

      3fd6fd5f561e1a540d3d24956e1e61d6a31f0a68

      SHA256

      7d36b6c3cefa53f821f955a7a47d11db0a10d781e0ca2d2d2217feca4fc9c235

      SHA512

      6ff79aac54e27d41f3323bea8c3f305a8b64d88fe9fa11e7eb39913242b731821020de11b7c759ba8cdf0241746ffa2eb29e02eb8e523f1c06b592dbac474e2e

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\noise.wav

      Filesize

      937KB

      MD5

      5144895869d5441a2a997bdb6d1b8576

      SHA1

      357c7710b18c60ac13538506e43c4558c1422252

      SHA256

      2cf498b82d0d0c51cf10a82e7221d24ad4afd378f31f79253261729e71e95b73

      SHA512

      1c6d6cec3c2b9666b2c673fdda49eb431d2d321d77c7ce82a8033ff05dedb30a4145deec85f56235db1ad07b3540125b8d33fafc13f9e0569e55ea49a207215f

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\prompt.vbs

      Filesize

      234B

      MD5

      a1b56af69ace7a3738f2aeec477c4a33

      SHA1

      bfec32c379a396612d16624c8548943647d15c96

      SHA256

      3c5331020e62e93f1ea06df0f227af2a5dd2355307be8e728282e9ddf5a1962c

      SHA512

      ffaff006ca9115cb259fa92309836c08b9772f6d65907236bc210532ff4dd2b38c635175d346d6818266364f6c1e5a2109e01f841594222bac10f9f890f7c337

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\rgb.exe

      Filesize

      105KB

      MD5

      bfc9e8ab494313d6efb67fc8942f5ee9

      SHA1

      1b42cc97803221538e020cb90517cb808cf19381

      SHA256

      33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13

      SHA512

      2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\snd.exe

      Filesize

      102KB

      MD5

      7baad7b6dcd387183540a1a771e1b8d5

      SHA1

      8fb4bc170b6e3050135e0c7b651441dbe963d7fc

      SHA256

      57e598fa7a93d50258afb6e563266521ae0bd35e6f80b247eb24a31a56a32461

      SHA512

      cfb85b10af70cc053a7c31a5d64741286b64eebd8ac9f3a97e6ed9989e81c629041808ce337d7b8c590f069da9a05e38e9b8dcf89b70e561362bff010732800b

    • C:\Users\Admin\AppData\Local\Temp\1D50.tmp\test.exe

      Filesize

      74KB

      MD5

      64a69d3a6620009ebe49595a5d8d119e

      SHA1

      4d478712f6503dc7f32e600d7b5aa0118c83214d

      SHA256

      199e4e84b644b264d170b04945880f095790206c65fdfb5a88c8ab73bd29357d

      SHA512

      b2e6ace579201f74abea5d4aecf416980ab028d1876ffc57e474b2b2142489ec4589a4c151eafa4a9067b446396829a370c882b0d40ab8073ad7ff266bd6653f

    • memory/660-63-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/1468-64-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/1712-78-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2340-77-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/2440-48-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2440-46-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2440-44-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2484-54-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/2560-43-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/2736-42-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB