Overview
Score per report tab and sandbox environment:
- Overview: 10
- Static: 3
- Media-Play...89.exe (windows7-x64): 3
- Media-Play...89.exe (windows10-2004-x64): 5
- Empire of dicks.exe (windows7-x64): 8
- Empire of dicks.exe (windows10-2004-x64): 10
- 02903faf44...7b.exe (windows7-x64): 10
- 02903faf44...7b.exe (windows10-2004-x64): 10
- 073731fa5a...56.exe (windows7-x64): 10
- 073731fa5a...56.exe (windows10-2004-x64): 10
- 172c26f891...27.exe (windows7-x64): 1
- 172c26f891...27.exe (windows10-2004-x64): 10
- 1b59b0fa61...12.ps1 (windows7-x64): 1
- 1b59b0fa61...12.ps1 (windows10-2004-x64): 1
- 1d801e2756...cf.exe (windows7-x64): 7
- 1d801e2756...cf.exe (windows10-2004-x64): 7

Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 15-03-2024 20:34
Behavioral tasks (sample / resource)
- behavioral1: Media-Player_160889.exe / win7-20240221-en
- behavioral2: Media-Player_160889.exe / win10v2004-20240226-en
- behavioral3: Empire of dicks.exe / win7-20240221-en
- behavioral4: Empire of dicks.exe / win10v2004-20240226-en
- behavioral5: 02903faf446ed43d79a8509e7743b41eab9605cfb48261bb2105176c3d4a877b.exe / win7-20240221-en
- behavioral6: 02903faf446ed43d79a8509e7743b41eab9605cfb48261bb2105176c3d4a877b.exe / win10v2004-20240226-en
- behavioral7: 073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe / win7-20240221-en
- behavioral8: 073731fa5a5ef41b39784ec7db9846f1286d7000add6c0b5dd20357c81e23456.exe / win10v2004-20240226-en
- behavioral9: 172c26f8914c92702cdbe134bf65280a1381a91e869f7eac0e62f7527.exe / win7-20240220-en
- behavioral10: 172c26f8914c92702cdbe134bf65280a1381a91e869f7eac0e62f7527.exe / win10v2004-20240226-en
- behavioral11: 1b59b0fa612e7c3d9ce272143058be6815b4ec563dfd7e1782657fe7c2f23812.ps1 / win7-20231129-en
- behavioral12: 1b59b0fa612e7c3d9ce272143058be6815b4ec563dfd7e1782657fe7c2f23812.ps1 / win10v2004-20240226-en
- behavioral13: 1d801e2756c864d01cd456f68752a86c52981576839625759ae9e400f0d2a2cf.exe / win7-20240221-en
- behavioral14: 1d801e2756c864d01cd456f68752a86c52981576839625759ae9e400f0d2a2cf.exe / win10v2004-20240226-en
General
- Target: Empire of dicks.exe
- Size: 12.6MB
- MD5: 2cacf6978bf86759896f7cf92802e355
- SHA1: fb14acec191284c52323f23c3ad69dfd3c6a7836
- SHA256: 657aa8705f6fe122e55048380304f8d593504f42556abf1f08aa4ab8be90c0f1
- SHA512: bb13a31382a16edbcac91b7c7df4c191e66ecb7d086f59160661bc598ebd4cf39cd8716af5ece95ab5511adf74fe817a5bf78826ba0020c2973f616f43c6acc8
- SSDEEP: 393216:oLJ/lV0TkP3jQPjn+rKUEF5lxx2Xtj4SwVBplc:eliTejQL+YFAtj4SwVBplc
Malware Config
Signatures

Blocks application from running via registry modification (8 IoCs)
Adds application to list of disallowed applications.
Entries (description, ioc, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ProcessHacker = "ProcessHacker.exe" (Empire of dicks.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\msconfig = "msconfig.exe" (Empire of dicks.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\procexp = "procexp.exe" (Empire of dicks.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" (Empire of dicks.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun (Empire of dicks.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ &debug = " &debug.exe" (Empire of dicks.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\powershell = "powershell.exe" (Empire of dicks.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\taskkill = "taskkill.exe" (Empire of dicks.exe)

Disables RegEdit via registry modification (1 IoC)
Entries (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Empire of dicks.exe)

Disables Task Manager via registry modification
(no IoC entries listed)

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Entries (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (4 IoCs)
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies registry class (10 IoCs)
Entries (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Entries (pid, process):
- 2972 Empire of dicks.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Entries (description, pid, process):
- Token: SeDebugPrivilege 2972 Empire of dicks.exe
- Token: SeShutdownPrivilege 2588 explorer.exe (this entry is repeated 15 times)

Suspicious use of FindShellTrayWindow (29 IoCs)
Entries (pid, process):
- 2588 explorer.exe (the same entry for all 29 IoCs)

Suspicious use of SendNotifyMessage (32 IoCs)
Entries (pid, process):
- 2588 explorer.exe (the same entry for all 32 IoCs)

Suspicious use of WriteProcessMemory (4 IoCs)
Entries (description, pid, process, procid_target):
- PID 2972 wrote to memory of 2036, 2972 Empire of dicks.exe, 28 (the same entry for all 4 IoCs)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\Empire of dicks.exe (PID 2972)
  command line: "C:\Users\Admin\AppData\Local\Temp\Empire of dicks.exe"
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 2036)
      command line: "C:\Windows\System32\explorer.exe"

C:\Windows\explorer.exe (PID 2588)
  command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\explorer.exe (PID 2568)
  command line: C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class