Overview

Task                              Score
overview                          7
static                            7
Gruel.exe (windows7-x64)          7
Gruel.exe (windows10-2004-x64)    7
Happy99.exe (windows7-x64)        5
Happy99.exe (windows10-2004-x64)  5
MeltingScreen.exe (windows7-x64)        1
MeltingScreen.exe (windows10-2004-x64)  1
MsWorld.exe (windows7-x64)        5
MsWorld.exe (windows10-2004-x64)  1
MyDoom.exe (windows7-x64)         7
MyDoom.exe (windows10-2004-x64)   7
out.exe (windows7-x64)            3
out.exe (windows10-2004-x64)      3
NetSky.exe (windows7-x64)         7
NetSky.exe (windows10-2004-x64)   7
Parrot.exe (windows7-x64)         6
Parrot.exe (windows10-2004-x64)   7

Analysis
max time kernel:   150s
max time network:  151s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         15-03-2024 21:21
Behavioral tasks

Task          Sample              Resource
behavioral1   Gruel.exe           win7-20240220-en
behavioral2   Gruel.exe           win10v2004-20240226-en
behavioral3   Happy99.exe         win7-20240221-en
behavioral4   Happy99.exe         win10v2004-20231215-en
behavioral5   MeltingScreen.exe   win7-20240215-en
behavioral6   MeltingScreen.exe   win10v2004-20240226-en
behavioral7   MsWorld.exe         win7-20240221-en
behavioral8   MsWorld.exe         win10v2004-20240226-en
behavioral9   MyDoom.exe          win7-20240221-en
behavioral10  MyDoom.exe          win10v2004-20240226-en
behavioral11  out.exe             win7-20240221-en
behavioral12  out.exe             win10v2004-20240226-en
behavioral13  NetSky.exe          win7-20240221-en
behavioral14  NetSky.exe          win10v2004-20240226-en
behavioral15  Parrot.exe          win7-20240221-en
behavioral16  Parrot.exe          win10v2004-20240226-en
General

Target:  Parrot.exe
Size:    51KB
MD5:     73d35451dbfbba5ac051d36f095a629f
SHA1:    0a1c087e6f91506f96e284b89d99a283d650de07
SHA256:  af983d2bf8f90fe563159983521b110e8560a409391254cb8ba7662df88fa3c3
SHA512:  9d74bb098aafa7cf3a9dee0f9a0638015d4be8ea26631082db810560748d2da85607d3bc67c9d75cfa2642e93dca3e0b0c6d214b38176a3b6ac2ba44cbe27836
SSDEEP:  768:oN2SaAr2oCgNHt9WoxayWIHZuvxulndbdb+UWEkrRNK+rR8NeJf9XR6idH6A3s:oASnrpNHt9bUYoWdbdb+VEkr+WXdHvc
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation  (Parrot.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hello.mp3"  (Parrot.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "msg.vbs"  (Parrot.exe)

Drops file in System32 directory (1 IoC)
Processes:
  File created  C:\Windows\SysWOW64\regedit.exe  (Parrot.exe)

Drops file in Windows directory (25 IoCs)
Processes:
  File created  C:\Windows\bfsvc.prt  (Parrot.exe)
  File created  C:\Windows\write.exe  (Parrot.exe)
  File created  C:\Windows\msg.vbs  (Parrot.exe)
  File created  C:\Windows\explorer.exe  (Parrot.exe)
  File created  C:\Windows\notepad.prt  (Parrot.exe)
  File created  C:\Windows\regedit.prt  (Parrot.exe)
  File created  C:\Windows\write.prt  (Parrot.exe)
  File created  C:\Windows\hello.mp3  (Parrot.exe)
  File created  C:\Windows\hh.prt  (Parrot.exe)
  File created  C:\Windows\hh.exe  (Parrot.exe)
  File created  C:\Windows\bfsvc.exe  (Parrot.exe)
  File created  C:\Windows\sysmon.exe  (Parrot.exe)
  File created  C:\Windows\winhlp32.exe  (Parrot.exe)
  File created  C:\Windows\HelpPane.prt  (Parrot.exe)
  File created  C:\Windows\splwow64.exe  (Parrot.exe)
  File created  C:\Windows\explorer.prt  (Parrot.exe)
  File created  C:\Windows\sysmon.prt  (Parrot.exe)
  File opened for modification  C:\Windows\parrot.mp3  (vlc.exe)
  File created  C:\Windows\winhlp32.prt  (Parrot.exe)
  File created  C:\Windows\parrot.mp3  (Parrot.exe)
  File created  C:\Windows\winstart.bat  (Parrot.exe)
  File created  C:\Windows\HelpPane.exe  (Parrot.exe)
  File created  C:\Windows\splwow64.prt  (Parrot.exe)
  File created  C:\Windows\parrot.scr  (Parrot.exe)
  File created  C:\Windows\notepad.exe  (Parrot.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings  (Parrot.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 3912  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 3912  vlc.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: 33                          PID 2372  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  PID 2372  AUDIODG.EXE
  Token: 33                          PID 3912  vlc.exe
  Token: SeIncBasePriorityPrivilege  PID 3912  vlc.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
  PID 3912  vlc.exe  (8 occurrences)

Suspicious use of SendNotifyMessage (8 IoCs)
Processes:
  PID 3912  vlc.exe  (8 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 3912  vlc.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 4648 wrote to memory of 2912  4648 Parrot.exe -> WScript.exe
  PID 4648 wrote to memory of 2912  4648 Parrot.exe -> WScript.exe
  PID 4648 wrote to memory of 2912  4648 Parrot.exe -> WScript.exe
  PID 4648 wrote to memory of 3912  4648 Parrot.exe -> vlc.exe
  PID 4648 wrote to memory of 3912  4648 Parrot.exe -> vlc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Parrot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Parrot.exe"
  PID: 4648
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
      PID: 2912

    C:\Program Files\VideoLAN\VLC\vlc.exe
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\parrot.mp3"
      PID: 3912
      - Drops file in Windows directory
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154 0x4b8
  PID: 2372
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  8KB
MD5:       ab4ee6036a4bd4db7808838411c44ac9
SHA1:      7fcad4012fe4976e0d14828a58814acfa33136f5
SHA256:    b5f09e2de74cbcc29b92612ded3ed2e24fdf5c6704d3ccb888a663dcb8c75da4
SHA512:    b1ddcf096161e67ccdad111a1d2cae34b955abf6aa8cae9c4bc9c0fc65491a5b6f6537b16fca28e8034f1db3cc55ddccb963c51c9133f3b79d5d2baa06043354

Filesize:  671B
MD5:       0fb2174f62406bf056bb79fc7a11d855
SHA1:      356e41229d24c51f6ee723d2db936e13db770508
SHA256:    2e4986c2fa63e89e96492fdf7aaed9f82edf54039ee9d6f073e39f1290da4e8e
SHA512:    b939ee5ea959212d2b777868a5bb843981e9873885bf4eb2900c0fc638bcd3d6e24fbe495ec68839512578e9246f89052f17e1d2a101a1b5e737b63f565bf6fa