Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
13/03/2024, 02:42
General
-
Target
Automatic Mouse and Keyboard 6.6.0.2.exe
-
Size
744KB
-
MD5
1dcf5902e2d46e5fc2e938850b2c35a3
-
SHA1
32af010c58949c92e1e564e117e3787f35fffd6f
-
SHA256
c6a085963b3784d5ac2343554bba2018da1534f836408dca2e92029b1a6d68c5
-
SHA512
665d6fd4d66b1f57a1e7b6f4a47cb5958b98ac3abd4b348080c2f59b04f7169b380d481b64023ca45c7d361bd193ef336a6995761605317c94f0b29464d87bba
-
SSDEEP
12288:uaHc64b888888888888W88888888888aoscV7/9GqeMo30M5omrBq33rD+zG/oBW:F86LjW7/9o0TyOezG/aYFkJR30F6rp8P
Malware Config
Signatures
-
Executes dropped EXE 5 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 45 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Automatic Mouse and Keyboard 6.6.0.2.exe"C:\Users\Admin\AppData\Local\Temp\Automatic Mouse and Keyboard 6.6.0.2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-N90JM.tmp\Automatic Mouse and Keyboard 6.6.0.2.tmp"C:\Users\Admin\AppData\Local\Temp\is-N90JM.tmp\Automatic Mouse and Keyboard 6.6.0.2.tmp" /SL5="$701D2,371877,121344,C:\Users\Admin\AppData\Local\Temp\Automatic Mouse and Keyboard 6.6.0.2.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\sub.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\form.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe"C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-98S38.tmp\misc.res" -p"mSR-@sM1tH"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\SysInfoTool\sitool.exe"C:\Users\Admin\AppData\Roaming\SysInfoTool\sitool.exe" -cr -tu 43⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /tn "Microsoft\Windows\Windows Error Reporting\TerminalSysInfo" /f4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /f /XML "C:\Users\Admin\AppData\Roaming\SysInfoTool\data.xml" /tn "Microsoft\Windows\Windows Error Reporting\TerminalSysInfo"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\explorer.exe"explorer.exe" "C:\Users\Admin\Desktop\Automatic Mouse and Keyboard 6.6.0.2"3⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Automatic Mouse and Keyboard 6.6.0.2\license.txt2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
523KB
MD5e92604e043f51c604b6d1ac3bcd3a202
SHA14154dda4a1e2a5ed14303dc3d36f448953ff6d33
SHA256fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3
SHA512ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43
-
Filesize
74KB
MD5c81ca27a50fd16cb5694460fb44a2690
SHA1d423d50917bc41357455e3a06cdb6fec446aa13e
SHA256e37db5f6557424f2f12d31bddb5a17c2ebb3663eda3eb5d91c83a3cd9b4a96ee
SHA5123f672edca71897a5c09f1315f58cc90bb8624903734ad6762c13dd04b2afd3ae86e7f416e9d551460248015e0856f79770d303978bbb5714a556272f9cbf6778
-
Filesize
31KB
MD52d069905e2b4a94d3dbdd7d0cf75f92a
SHA1585a8fc8aadb123b3b98388579eb44fbae9762bc
SHA25640509f2bdc6c69bd767804038c221521dd74fadf017adba5e8d71a6e9ba117b5
SHA51254097be63a044da55983b1d316ccb0b2f3bc382486f7b7fa49b84a36ee62fa3bf94736b9072d41f9b61a58f2088dfb346394327dbe9177ebb9914dc1d10d4336
-
Filesize
935B
MD5b0dafe58a3367c5e4dc3e81b80ec9da7
SHA11645aacd64989c6adbe095a972ef14875decb991
SHA25642f983fb8f67bff77a4773cb69314aab7768c9e92878e26d979f9a4827385941
SHA512c18c169400b24b34431512acb6b776907ca8b26e7473777e12b21d06d2e396970d66d09e09df93dd2b87f2d75a2d36a8f718d9a8bd51aad0b98c2ea3984747cc
-
Filesize
3KB
MD5d54da888e3c5fd5ba749ec296e0c0fd9
SHA1fd6248400797c98f55a689c7442a3a49deb24d39
SHA256ec58f7e5fe7c18248bf4b987dd3d16a8a67508eae035df5a25f2643e0e53bebf
SHA5120b55511669fd386b849a808b5d55b3eb881b1d8a96c28ffe5c8e68ba55cb03d98188a932d8a17de3e8a0a4adea877557832f913bcba0f434b3ecf75ffceaeed5
-
Filesize
327B
MD581ee6029243d6c780cf69bdf17da7959
SHA1b300c4f120d9919a5ca2392f2d4ca9a68d2b1ff0
SHA256bc494bddac67892c5817663de836ec5968f813246a948dc1e163d154800e7aa1
SHA512769abf77ebfa9a4d9342003a625d56bd59fdd1039fcd036a9bd2988f2e4c0066d0de1b8ea2f33a693a02eb3c2c9bb8ea4b16ea7eb16025135dc9c72d10b68439
-
Filesize
213B
MD5c047508a4a1f583b7ed31ec7b0df9695
SHA19bf6b15318145e7e46682f19d5cd38bed8b2b119
SHA256cd999baa036d44d442fe43a541d69f04ba206c58938f3c22ec0f226493c63e35
SHA512418d3bb5186ecb7c54fdd95cc5b494ad837e8a7e5cf21c0ce3f0cb90264786c13105a93c4c877c85cf14cea5809ed151eceb7ee48be88f788bb2c2a42416ee0a
-
Filesize
228KB
MD5d16d4e6dd510b0ab04221e1ee369b435
SHA11393a958501d9c8400c235bfe8c94f30848fb364
SHA2567f435afb9c1a5acd2aeeef40c3669f2f8b79779e35c86ef45d6fb213ade28c70
SHA5127ab4a00057d00b3a970f92e036ea4e3f298475488a6af4aed6954477a09ca3a99ab988912d005ffc3adc6ae7e4cdbe6c0dabd10ceb2e3b5142009137233194e3
-
Filesize
223B
MD579ac423f812ef0d3206274865720a46e
SHA11e8898915f835287067cfd70ef440de8356927f7
SHA2563e2880be43cdab7ac66dff62ba270ed07b2b6010a1790c0d91c4a3b0d85f03e8
SHA5124caacfe6426278760a5a8f677dfefa35cb77001dda9d4b5d29026d557a78847266c9da9f0e507dc752a1698691dce456575aab04230ec019dc2966968caf0d03
-
Filesize
3KB
MD54a67beeb403f396f94dd991ec12b6719
SHA164fe2ea9b604a91ed6b962725f52f524387fe10b
SHA256c3436995773e8aa309b23c932c00b40996745fdf63faa018f5be142dfa3dab22
SHA5120c390f2114e7380db9d0faa3ee3c95d825532484729e520166482faccb061eb715af5c8b03c179a1f334a5063936e7c22217ac03150d2429b88f2fcca7e728a8
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB