Overview (score 10)
Static (score 3)

Behavioral tasks
  sample                                 platform             score
  Wondershare Filmora 13 (UPDATED).exe   windows7-x64         10
  Wondershare Filmora 13 (UPDATED).exe   windows10-2004-x64   10
  $PLUGINSDIR/nsExec.dll                 windows7-x64         3
  $PLUGINSDIR/nsExec.dll                 windows10-2004-x64   3
  $TEMP/Shoe.exe                         windows7-x64
  $TEMP/Shoe.exe                         windows10-2004-x64
  $TEMP/Stood.ps1                        windows7-x64         1
  $TEMP/Stood.ps1                        windows10-2004-x64   1

Analysis
  max time kernel:   120s
  max time network:  124s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         03-03-2024 06:23
Static task
  static1

Behavioral tasks
  task         sample                                 resource
  behavioral1  Wondershare Filmora 13 (UPDATED).exe   win7-20240221-en
  behavioral2  Wondershare Filmora 13 (UPDATED).exe   win10v2004-20240226-en
  behavioral3  $PLUGINSDIR/nsExec.dll                 win7-20240220-en
  behavioral4  $PLUGINSDIR/nsExec.dll                 win10v2004-20240226-en
  behavioral5  $TEMP/Shoe.exe                         win7-20240221-en
  behavioral6  $TEMP/Shoe.exe                         win10v2004-20240226-en
  behavioral7  $TEMP/Stood.ps1                        win7-20240221-en
  behavioral8  $TEMP/Stood.ps1                        win10v2004-20240226-en
General
  Target:  Wondershare Filmora 13 (UPDATED).exe
  Size:    774KB
  MD5:     06b5ebeab0285c6d167dead56303e005
  SHA1:    f8d55410377dd6bab971f7e492be53a5018663c4
  SHA256:  bd60fb33b1bd8fcebb8cf0d0e64fbceaa7b7c609330d7f790200fcf706e86152
  SHA512:  c781c028c7b6ccf5a7350b775f361c676c9a346bd28fac27c524b433fc958e10d535c9cb441670491a9cb15d43f3ad03d7410c99cc8cd5432802cd969c06aade
  SSDEEP:  24576:MbkDON6CN9EHg54d3Npl/xXn1DWFI4wPMoIwu:25N/95YVx31aaDPMH
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description              pid   Process   procid_target
  PID 1116 created 1400    1116  Bros.pif  21

  Read together with the process tree below: the second Bros.pif instance (PID 3000) is listed directly under Explorer.EXE (PID 1400), although the first Bros.pif (PID 1116) is the process that writes into it and sets its thread context. The loader launches its child with a spoofed parent so that the injected copy does not appear under the installer's cmd.exe chain.

Executes dropped EXE (2 IoCs)
  pid   Process
  1116  Bros.pif
  3000  Bros.pif

Loads dropped DLL (3 IoCs)
  pid   Process
  2224  Wondershare Filmora 13 (UPDATED).exe
  2516  cmd.exe
  1116  Bros.pif

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process   procid_target
  PID 1116 set thread context of 3000    1116  Bros.pif  40

  Combined with the six WriteProcessMemory events from 1116 into 3000 (last row of the WriteProcessMemory table), this is the write-then-redirect sequence typical of process hollowing into a freshly created child.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   Process
  2904  tasklist.exe
  2696  tasklist.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2484  PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1116  Bros.pif  (4 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2696  tasklist.exe
  Token: SeDebugPrivilege  2904  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1116  Bros.pif  (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1116  Bros.pif  (3 events)

Suspicious use of WriteProcessMemory (46 IoCs; identical rows collapsed, event count in the last column)
  description                        pid   Process                                procid_target  count
  PID 2224 wrote to memory of 2516   2224  Wondershare Filmora 13 (UPDATED).exe   28             4
  PID 2516 wrote to memory of 2696   2516  cmd.exe                                30             4
  PID 2516 wrote to memory of 2720   2516  cmd.exe                                31             4
  PID 2516 wrote to memory of 2904   2516  cmd.exe                                33             4
  PID 2516 wrote to memory of 2444   2516  cmd.exe                                34             4
  PID 2516 wrote to memory of 3028   2516  cmd.exe                                35             4
  PID 2516 wrote to memory of 2572   2516  cmd.exe                                36             4
  PID 2516 wrote to memory of 2692   2516  cmd.exe                                37             4
  PID 2516 wrote to memory of 1116   2516  cmd.exe                                38             4
  PID 2516 wrote to memory of 2484   2516  cmd.exe                                39             4
  PID 1116 wrote to memory of 3000   1116  Bros.pif                               40             6
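The three signatures that involve PID 1116 and PID 3000 (NtCreateUserProcessOtherParentProcess, WriteProcessMemory, SetThreadContext) are worth turning into rules, because together they describe the injection rather than any one API call. The following Python is an added example, not part of this report and not tria.ge code. It runs two rules over a list of process-telemetry events constructed by hand from the PIDs in the tables above; the event format, the function names and the reading that PID 1116 is the creator of PID 3000 (taken from the tree, where 3000 sits under Explorer.EXE, plus the 1116 -> 3000 write and SetThreadContext rows) are assumptions of the example.

```python
"""Detect parent-PID spoofing and write-then-SetThreadContext injection in
sandbox process telemetry.  Added example, not code from tria.ge; the EVENTS
list is constructed by hand from the PIDs in the signature tables and the
process tree of this report."""
from collections import defaultdict

# (event, actor_pid, target_pid)
EVENTS = [
    # "parent": the parent/child edges as drawn in the process tree
    ("parent", 1400, 2224),   # Explorer.EXE -> Wondershare Filmora 13 (UPDATED).exe
    ("parent", 2224, 2516),   # installer -> cmd.exe
    ("parent", 2516, 1116),   # cmd.exe -> 10910\Bros.pif
    ("parent", 1400, 3000),   # Explorer.EXE -> second Bros.pif, as the tree shows it
    # "create": who actually called NtCreateUserProcess.  That 1116 created 3000
    # is an assumption read from the tree plus the 1116 -> 3000 write and
    # SetThreadContext rows; the signature row itself only names the spoofed parent.
    ("create", 1116, 3000),
    # WriteProcessMemory IoCs, one entry per event (only the edges the rules use)
    *([("write", 2224, 2516)] * 4),
    *([("write", 2516, 1116)] * 4),
    *([("write", 1116, 3000)] * 6),
    ("set_thread_context", 1116, 3000),
]


def detect_parent_spoofing(events):
    """(child, creator, parent_in_tree) for every child whose creator is not
    the parent the tree reports: the NtCreateUserProcessOtherParentProcess case."""
    parent_in_tree = {child: parent for ev, parent, child in events if ev == "parent"}
    hits = []
    for ev, creator, child in events:
        if ev == "create" and child in parent_in_tree and parent_in_tree[child] != creator:
            hits.append((child, creator, parent_in_tree[child]))
    return hits


def detect_write_then_redirect(events, min_writes=1):
    """(actor, target, write_count) where a process that created (or is the
    tree parent of) another process writes into it and afterwards changes one
    of its threads' context: the ordering used by process hollowing and
    thread-hijack injection.  Writes alone (2224 -> 2516 here) do not fire."""
    created = set()
    writes = defaultdict(int)
    hits = []
    for ev, actor, target in events:
        if ev in ("parent", "create"):
            created.add((actor, target))
        elif ev == "write":
            writes[(actor, target)] += 1
        elif (ev == "set_thread_context" and (actor, target) in created
              and writes[(actor, target)] >= min_writes):
            hits.append((actor, target, writes[(actor, target)]))
    return hits


if __name__ == "__main__":
    print("parent spoofing:", detect_parent_spoofing(EVENTS))
    print("write+SetThreadContext:", detect_write_then_redirect(EVENTS))
```

On this report the first rule returns (3000, 1116, 1400) and the second (1116, 3000, 6); the installer's own writes into cmd.exe do not fire because no SetThreadContext follows them, which is the distinction a rule needs to avoid flagging every parent that passes a command line to a child.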
Processes

C:\Windows\Explorer.EXE  (PID 1400)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe  (PID 2224)
    command line: "C:\Users\Admin\AppData\Local\Temp\Wondershare Filmora 13 (UPDATED).exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2516)
      command line: "cmd" /k move Sexually Sexually.bat & Sexually.bat & exit
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe  (PID 2696)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  (PID 2720)
        command line: findstr /I "wrsa.exe opssvc.exe"

      C:\Windows\SysWOW64\tasklist.exe  (PID 2904)
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  (PID 2444)
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

      C:\Windows\SysWOW64\cmd.exe  (PID 3028)
        command line: cmd /c md 10910

      C:\Windows\SysWOW64\cmd.exe  (PID 2572)
        command line: cmd /c copy /b Shoe + Called + Ap + Extend + Characteristic + Anybody 10910\Bros.pif

      C:\Windows\SysWOW64\cmd.exe  (PID 2692)
        command line: cmd /c copy /b Va + Modem + Stood 10910\o

      C:\Users\Admin\AppData\Local\Temp\10910\Bros.pif  (PID 1116)
        command line: 10910\Bros.pif 10910\o
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  (PID 2484)
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\10910\Bros.pif  (PID 3000)
    command line: C:\Users\Admin\AppData\Local\Temp\10910\Bros.pif
    - Executes dropped EXE

What the tree shows: the installer (PID 2224) drops a file named Sexually, renames it to Sexually.bat and runs it through cmd /k. The batch runs tasklist twice and filters the output with findstr for security-product processes (wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe, sophoshealth.exe), creates the directory 10910, rebuilds Bros.pif from six dropped fragments (Shoe + Called + Ap + Extend + Characteristic + Anybody) and a second file named o from three more (Va + Modem + Stood) using copy /b, launches 10910\Bros.pif with 10910\o as its argument, and pads the run with ping -n 5 127.0.0.1. Splitting the payload into innocuously named fragments means no single dropped file is the executable; only the concatenation is. Bros.pif (PID 1116) then starts a second copy of itself (PID 3000) parented to Explorer.EXE, writes into it and sets its thread context, which is why the second instance sits at the top of the tree rather than under cmd.exe.
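The child command lines of cmd.exe (PID 2516) are, in effect, the whole batch script, so an analyst can recover the staging logic without the file. The Python below is an added example, not part of this report and not code from tria.ge or from the sample: it parses those command lines (copied from the tree above) to pull out the security-product names the loader checks for, the copy /b reassembly recipes and the ping delay, and then emulates the reassembly offline so the assembled artefact can be hashed without being executed. The FRAGMENTS bytes are constructed stand-ins, not the contents of the real dropped files; the regexes and function names are the example's own.

```python
"""Recover what the dropped batch file does from the child command lines of
cmd.exe (PID 2516) in the process tree, and emulate its staging step offline.
Added example, not code from tria.ge or from the sample.  COMMAND_LINES are
copied from the tree; FRAGMENTS are constructed stand-ins for the dropped
fragment files, not their real contents."""
import hashlib
import re

COMMAND_LINES = [
    'tasklist',
    'findstr /I "wrsa.exe opssvc.exe"',
    'tasklist',
    'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    'cmd /c md 10910',
    r'cmd /c copy /b Shoe + Called + Ap + Extend + Characteristic + Anybody 10910\Bros.pif',
    r'cmd /c copy /b Va + Modem + Stood 10910\o',
    r'10910\Bros.pif 10910\o',
    'ping -n 5 127.0.0.1',
]

FINDSTR_RE = re.compile(r'findstr\s+/I\s+"([^"]+)"', re.I)
COPY_B_RE = re.compile(r'copy\s+/b\s+(.+?)\s+(\S+)\s*$', re.I)
PING_RE = re.compile(r'ping\s+-n\s+(\d+)\s+127\.0\.0\.1', re.I)
PIF_EXEC_RE = re.compile(r'^\S+\.pif\b', re.I)


def security_processes_checked(cmds):
    """Process names the batch greps for in tasklist output (security products)."""
    names = []
    for c in cmds:
        m = FINDSTR_RE.search(c)
        if m:
            names.extend(m.group(1).split())
    return names


def copy_b_recipes(cmds):
    """(ordered fragment names, destination) for each `copy /b A + B + ... dest`."""
    recipes = []
    for c in cmds:
        m = COPY_B_RE.search(c)
        if m:
            recipes.append(([p.strip() for p in m.group(1).split('+')], m.group(2)))
    return recipes


def reassemble(parts, fragments):
    """Emulate `copy /b`: binary-concatenate the fragments in the listed order.
    A missing fragment raises KeyError on purpose: a partial artefact would hash
    to something the real loader never produced."""
    return b''.join(fragments[p] for p in parts)


def loopback_delay_seconds(cmds):
    """`ping -n N 127.0.0.1` answers at once, then once per second: about N-1 s of sleep."""
    return [max(int(m.group(1)) - 1, 0) for c in cmds for m in [PING_RE.search(c)] if m]


# Constructed stand-ins keyed by the fragment names used in the copy commands.
FRAGMENTS = {n: n.encode() + b'\x00' for n in
             ['Shoe', 'Called', 'Ap', 'Extend', 'Characteristic', 'Anybody',
              'Va', 'Modem', 'Stood']}


def staged_artifacts(cmds=COMMAND_LINES, fragments=FRAGMENTS):
    """destination -> (size, sha256) of each artefact the batch would assemble.
    With the real dropped files in `fragments` this yields the hashes of
    Bros.pif and `o` without ever running them."""
    out = {}
    for parts, dest in copy_b_recipes(cmds):
        data = reassemble(parts, fragments)
        out[dest] = (len(data), hashlib.sha256(data).hexdigest())
    return out


def loader_indicators(cmds=COMMAND_LINES):
    """Coarse behavioural flags a command-line detection rule could key on."""
    flags = set()
    if security_processes_checked(cmds):
        flags.add('tasklist+findstr security-product check')
    if any(dest.lower().endswith('.pif') for _, dest in copy_b_recipes(cmds)):
        flags.add('copy /b reassembly into .pif')
    if any(PIF_EXEC_RE.match(c) for c in cmds):
        flags.add('.pif executed')
    if loopback_delay_seconds(cmds):
        flags.add('ping loopback delay')
    return flags


if __name__ == "__main__":
    print(security_processes_checked(COMMAND_LINES))
    print(copy_b_recipes(COMMAND_LINES))
    print(staged_artifacts())
    print(sorted(loader_indicators()))
```

Replace FRAGMENTS with the bytes of the nine dropped files (read from the sandbox's file dump, keyed by the same names) and staged_artifacts() gives the hash of the Bros.pif that actually ran, which is the value to pivot on; the four indicator strings are independent of the fragment names, so the same rule still fires when the next build renames Shoe, Called and friends.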
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 532KB
  MD5:     c89326d2551a0973a051d5dd01966446
  SHA1:    b654271a170d90a210d56a5f90401e316f19d289
  SHA256:  a8fad4f4b3cc432bafd32c0e4565519dba94fe73682c4528161f5ac8931f685d
  SHA512:  2830a484cafba746e04b9ee292e6f2ef21528ca86029365f7e2d9628d08ba8cf0704ce64ed29f8d25cc4e5d7ec5a200917d319df4040b28b233372de1c9d9c9a

Filesize: 46KB
  MD5:     7937be6856fbfc313a4d6dfdef3e716d
  SHA1:    935e1c279ae63e009216cd4810c60b0ad2b4f64d
  SHA256:  d912920ebda9945eb75f25f572ca83e5edf847cb6a33c49fef4e8a2b0f155a4f
  SHA512:  c5e8d6262d0f65e3f65e905b1973fa8e862854423666ff1759745c70db70de2fe19801f43cdd37b65c7effc0afcd1478b126d14ae4d73145572bfcf08bdd1797

Filesize: 265KB
  MD5:     5c4115ade8e3ca9fbf0d5feee5bdd9d3
  SHA1:    1ea59c742297ebd520a97a460df9bd6ba456edc3
  SHA256:  43f962374be47a19e91dbb9c9e5cac76c9406c0718533c7e232a78d04d43c178
  SHA512:  2b23ee48b4cefe12a44643e96a68a11ed8721bb0a87b3ddffe0a7e401ef2418e40379a9cbadaac62a97d9f3c95b0b8b862be775016bb97c526cfc10cb1c124ed

Filesize: 118KB
  MD5:     d5008d637b577128400ea5c30b3ad1e8
  SHA1:    617ecf0776f1d2f4638043e5ace1d904dd46612d
  SHA256:  357d06fd988cff87f16f12c79d7f8d084502bf0622a3accf278988c718d8f809
  SHA512:  ead5105ae8265cf680723c7cac19ebeb698a0a2327ef244747070b971d29abe0f1424d729e7ee09006725e53e64dd81ec4e89086266b82eeaf7bd273cb4eef1f

Filesize: 193KB
  MD5:     cbef2199e1f6ff01e45db56b3a944007
  SHA1:    d55d82f4244fe0b4b13e92ff22db6163376c6e09
  SHA256:  ef555412266493269fbc15e702ef1f8a30e2bb31f8b6272bcb38fa49edc112c1
  SHA512:  0d54f7213a7400019ccf028b2889aab0f4130cf4b4c6cf194cb74d265bfbcda38641af7481ef4a9ac1adee3b472b15b034ad4c709ba3bfd2153c70c45fa75f8d

Filesize: 124KB
  MD5:     df57f97e6eae1022797fb643cb684762
  SHA1:    e4c61f84ba1cc58bde57693f81b334a248c3657d
  SHA256:  726cc11273fb2bebdd881eaf1c3851ee43c35c7904119f0a93246b5c0846f421
  SHA512:  2ecdd54334105e68992e1a1ee125790c9a20181a1f7ed816bc17557d85abf42fe8b1b28c4dd8630d5b8785fab9a21634202f822c33c411830104d292e05a3f30

Filesize: 227KB
  MD5:     2598f9c23fea20eebbab1ee31483525e
  SHA1:    45d400e96c576092b3c2bff47732ffa0784569b6
  SHA256:  525f662ff407f2fb42628bc5a838865b6abcbe1487a625587fd0495bb90a62c6
  SHA512:  9badc58ca1b09b7941b2ed031f025b26169cbea66d04392ea92b33ad6004268629512a29ba5ef1c3f0392e9cb053166d735ec0b476121dae2d8c4953cdf05c04

Filesize: 11KB
  MD5:     8c94c45366d520581deae7733e55d53d
  SHA1:    5d4081b31f366f941d44d073f96bdc9c302b81f2
  SHA256:  cb6e00d2d385dd6988245438534de2be67cd9ea3ce9a3efef93fa2778787c0b2
  SHA512:  5c8053f61610495b6b91b9e5808de7c2804959210b8d65cb918c9731b4d1b8e7b2824927da2ae102c373450c77bedb1100c176f9a410dae55fb82d2a8c053a22

Filesize: 178KB
  MD5:     68c0513a3c2315614b461cc10a66c438
  SHA1:    c9eeb00f03dcf790abef25e09e0b59ab1225748d
  SHA256:  fde0ef0e07eff281420a21edf4a8a83b2b1047ea567d1819161a70cf2a32fd69
  SHA512:  1af68a061f502623cc4ce6b505d56938862208736d09470f46b963741ce9d74c64771107c8f02ce2347010c59f4c06cb4e7802e6243387d3f4e07000d496537f

Filesize: 53KB
  MD5:     23887b360a8d24e7670ffe58729297a5
  SHA1:    c2488c86d46f62cde0a525a55f7411d1a51930ce
  SHA256:  d93784bef64a291bcd941c0f9631aa50fc1deaede80fab5ba0be668f985e1ff6
  SHA512:  ab96022a4508a3be1ae9b4e98defd7be11077d60de2e857b3c5ab3936bc513ea47d91d0a0a9543aa5d948db46eed57e669281c1e69df0ef3c88e19154b156c22

Filesize: 252KB
  MD5:     656a795f7ece4b52fd4a365de3e55f1b
  SHA1:    3f5c6d331266b8e775ea457ad9e2a8331db37967
  SHA256:  2c72540237b39807c9fac12d7137e4107f57c6e1f4541e01d89ef86a6ad1e8ea
  SHA512:  2851d3937272c661dc26ecede08cc1ae33e3df23128a81d13958427a3110081e636daab8c1a1a696b3aba1d70d7483183c4556810276046b5b130215f9b902c0

Filesize: 924KB
  MD5:     848164d084384c49937f99d5b894253e
  SHA1:    3055ef803eeec4f175ebf120f94125717ee12444
  SHA256:  f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512:  aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Filesize: 7KB
  MD5:     675c4948e1efc929edcabfe67148eddd
  SHA1:    f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
  SHA256:  1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
  SHA512:  61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683