Overview
overview
10Static
static
102222-main/Build.exe
windows7-x64
102222-main/Build.exe
windows10-2004-x64
102222-main/...se.dll
windows7-x64
12222-main/...se.dll
windows10-2004-x64
2222-main/OTC.dll
windows7-x64
12222-main/OTC.dll
windows10-2004-x64
12222-main/OTC2.dll
windows7-x64
12222-main/OTC2.dll
windows10-2004-x64
12222-main/aurora.dll
windows7-x64
12222-main/aurora.dll
windows10-2004-x64
12222-main/...ty.dll
windows7-x64
32222-main/...ty.dll
windows10-2004-x64
32222-main/gan.exe
windows7-x64
62222-main/gan.exe
windows10-2004-x64
102222-main/mySThe.exe
windows7-x64
102222-main/mySThe.exe
windows10-2004-x64
102222-main/myporno.exe
windows7-x64
72222-main/myporno.exe
windows10-2004-x64
102222-main/pandora.dll
windows7-x64
32222-main/pandora.dll
windows10-2004-x64
32222-main/pass.exe
windows7-x64
102222-main/pass.exe
windows10-2004-x64
102222-main/petya.exe
windows7-x64
62222-main/petya.exe
windows10-2004-x64
62222-main/sheyhST.exe
windows7-x64
102222-main/sheyhST.exe
windows10-2004-x64
102222-main/...io.exe
windows7-x64
62222-main/...io.exe
windows10-2004-x64
72222-main/test.exe
windows7-x64
32222-main/test.exe
windows10-2004-x64
72222-main/token.exe
windows7-x64
62222-main/token.exe
windows10-2004-x64
6Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11-03-2024 18:51
Behavioral task
behavioral1
Sample
2222-main/Build.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2222-main/Build.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
2222-main/NanoSense.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
2222-main/NanoSense.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
2222-main/OTC.dll
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
2222-main/OTC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
2222-main/OTC2.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
2222-main/OTC2.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
2222-main/aurora.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
2222-main/aurora.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
2222-main/fatality.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
2222-main/fatality.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
2222-main/gan.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
2222-main/gan.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
2222-main/mySThe.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
2222-main/mySThe.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
2222-main/myporno.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
2222-main/myporno.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
2222-main/pandora.dll
Resource
win7-20240215-en
Behavioral task
behavioral20
Sample
2222-main/pandora.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
2222-main/pass.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
2222-main/pass.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
2222-main/petya.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
2222-main/petya.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
2222-main/sheyhST.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
2222-main/sheyhST.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
2222-main/stpastio.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
2222-main/stpastio.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
2222-main/test.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
2222-main/test.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
2222-main/token.exe
Resource
win7-20231129-en
Behavioral task
behavioral32
Sample
2222-main/token.exe
Resource
win10v2004-20240226-en
General
-
Target
2222-main/myporno.exe
-
Size
871KB
-
MD5
a5e7145dc17d160b41d36dbea524c3f0
-
SHA1
2ad6faea0f967df37e404d14a4c1ccca607a924e
-
SHA256
99dfe0c0529b4122889ac7023330f2749df048d0b11a91e92155d991e189f0d8
-
SHA512
672a08a7e62b1129cc2997dd77e1709e86281d89d6ab88d12e771120b7a7a15638b9e2e110d3f95cf04e319da31dedbac4727d8b67e2a2343c68d280967d83c9
-
SSDEEP
24576:GR1wvcupUr/Tbp0g7kpRmxC98+/WQ8mkU:AfupUzTbmzpRtWzmL
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation myporno.exe -
Executes dropped EXE 2 IoCs
pid Process 2584 1.exe 3388 2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 20 discord.com 21 discord.com 37 discord.com -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 wtfismyip.com 9 api.ipify.org 10 wtfismyip.com 11 api.ipify.org 25 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3008 3388 WerFault.exe 92 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2584 1.exe 2584 1.exe 3388 2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3388 2.exe Token: SeDebugPrivilege 2584 1.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2016 wrote to memory of 2584 2016 myporno.exe 91 PID 2016 wrote to memory of 2584 2016 myporno.exe 91 PID 2016 wrote to memory of 3388 2016 myporno.exe 92 PID 2016 wrote to memory of 3388 2016 myporno.exe 92 PID 2016 wrote to memory of 3388 2016 myporno.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe"C:\Users\Admin\AppData\Local\Temp\2222-main\myporno.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 19723⤵
- Program crash
PID:3008
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3388 -ip 33881⤵PID:4396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5dd3c11b27f04d8117c742743aee371fd
SHA11565d444ad28de48c4bf0ce25b07ef4651092621
SHA2560ccd702f7d3bac8ad10a6690819e875dd7a1ba2a09e66b027f371e93a51bce49
SHA5128ac46760ed0462a0e2765999b265eb6cd196ab1d7d38676d77f3ea5061d1a794d1f5e5f0d253c55bf539838e1a2764265fa16c4712fe91eeaac435a1a0046a5c
-
Filesize
7KB
MD53947b2cc3f68a712d431b5c2a2c2ee4d
SHA1db0443ba8a6d5839e93bf59f3eed0e69c545df3b
SHA256abfcccc38dd5217e0bc9af26c9902c22450b3ac5ae203142e89164f019419262
SHA512f1d0b3279cffaa2bc121f6ac7b068416ebe3cc5824222e5a73d118e0528c3438d9f1e0d1c698dc9306a1a0eebfd78f29a3df283c6ed68e466d694b9a344d0991
-
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Browsers\Passwords\Passwords_Edge.txt
Filesize292B
MD5ae9fee87cd34e9026867a460c0afd595
SHA1d5015017ca1463c434c7f438decfe4a26378d4f1
SHA2562217079fde440a3e8f14398828561c86f9f4f80e6781dd7eef3be8bf0e36caa0
SHA5129b59342c7ac9fc3f9818e2475a78f6827ba62da76f1312dbb4c28f7b23769785e79d61f1f494998194d714d69c6b62de07a3084542f15d51ca0259392280ff2d
-
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Browsers\Passwords\Passwords_Edge.txt
Filesize426B
MD542fa959509b3ed7c94c0cf3728b03f6d
SHA1661292176640beb0b38dc9e7a462518eb592d27d
SHA256870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA5127def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
-
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\OptimizeMeasure.png
Filesize1.1MB
MD529d44ae25f763ee37677f4dfe23ad055
SHA1a846f95870f660bdebbb2e3b940fcf9aeb0c8874
SHA25683f1a5ef64b7af80a903563bc7314890beb10555d62943490c93395c0e60962b
SHA512c1148d4d6c9c5c4beac7759e97534670b77741ac5294457a4fd415957a5a61014e035028ceb16cdc960fcf5b7db7a94abfd48937a7a6a82eede70776cac6810f
-
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\SyncBackup.jpg
Filesize448KB
MD5d3104fc5f153880e58d379732ea2d9dc
SHA11fd4ed06efc2bd51b43954a9cd92c473724e6293
SHA25674583d4bb2d0843bbb974e1360145a6ff7d695d480b75bcc7bed79e939028b8f
SHA5126257268d9aaed21b91f13ce1e5c20cf0bd0cb1c1b1946efb2fa3439bcf7e974ae2cf2cfb5eac0655816536534f2be9c3e5973f1cd36d942fb21005be9da9a8b4
-
C:\Users\Admin\AppData\Roaming\BRHyLyHX078BFBFF000306D266EA2EA938\38078BFBFF000306D266EA2EA9BRHyLyHX\Grabber\UninstallOptimize.txt
Filesize626KB
MD53c9ca95aed2a18c4ca454b59da376013
SHA1ddd0225655bb91832b417f408de89a2f608f68a7
SHA256d6dffc590ac2242114441db1b5b415889f1b085f14719a296c342fdf92f87b67
SHA5120935f7f978341ebe8d32ebc450c1fe3f67859d6b060c0294676a327d44cecb8f04ecbfe4401e6242630da818ab314bd50849df836a1aee2dee458b59984e7f70