68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e

Sharing

Copy URL

Twitter E-mail

General

Target

StartAllBack.v3.7.9.exe
Size

3.4MB
Sample

240509-far3zsea42
MD5

cfa05e668d40141a0962f8cd63834294
SHA1

8e62d099cd181f3bbe644e3d5a0a264ad2ecce92
SHA256

68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e
SHA512

59adde381e178a9f291d5585ac37a4c1789be2d20d94f81290ad66c471964b18369d6f9143caa9915ad27334ce518e39e39a331d174fecd282b4b949bbc85d6a
SSDEEP

98304:2k8H3G0wUxHEfGNH8iYAxvlD5H2Lz8sC2Wn66Hsn4O:2T6pGNH8yxN5Huz7CTO

Score

8^/10

discovery persistence

Malware Config

Targets

- Target
  
  StartAllBack.v3.7.9.exe
- Size
  
  3.4MB
- MD5
  
  cfa05e668d40141a0962f8cd63834294
- SHA1
  
  8e62d099cd181f3bbe644e3d5a0a264ad2ecce92
- SHA256
  
  68de812ffc84aaf4f7a5b3f7b55472f2a525fe43c60e64539a84506fcf386d0e
- SHA512
  
  59adde381e178a9f291d5585ac37a4c1789be2d20d94f81290ad66c471964b18369d6f9143caa9915ad27334ce518e39e39a331d174fecd282b4b949bbc85d6a
- SSDEEP
  
  98304:2k8H3G0wUxHEfGNH8iYAxvlD5H2Lz8sC2Wn66Hsn4O:2T6pGNH8yxN5Huz7CTO
Score

8^/10

discovery persistence
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  11092c1d3fbb449a60695c44f9f3d183
- SHA1
  
  b89d614755f2e943df4d510d87a7fc1a3bcf5a33
- SHA256
  
  2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
- SHA512
  
  c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
- SSDEEP
  
  96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
Score

3^/10
behavioral2
- Target
  
  $PROGRAMFILES/StartIsBack/Orbs/Shamrock.orb
- Size
  
  295KB
- MD5
  
  ef55e07e1a2e47bb2bb749046cd150b2
- SHA1
  
  68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa
- SHA256
  
  1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5
- SHA512
  
  9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e
- SSDEEP
  
  1536:CFafTY/SHWgaaQSKCufuCk4d8/YDHDIHsZw893lUsne0CS/W/CP98jNPNrku/S/d:CgfTYknuh5BxlUs0S/CR2/Ezg7
Score

1^/10
behavioral3
- Target
  
  $PROGRAMFILES/StartIsBack/Orbs/Windows 7.orb
- Size
  
  295KB
- MD5
  
  85328e698e8a74852b4061a683915dc8
- SHA1
  
  b898267f8574a34e6d605e541e5234c27dd53f5d
- SHA256
  
  e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275
- SHA512
  
  03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f
- SSDEEP
  
  3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT
Score

1^/10
behavioral4
- Target
  
  $PROGRAMFILES/StartIsBack/UpdateCheck.exe
- Size
  
  3KB
- MD5
  
  f9756c261aa978c787302debff8f142a
- SHA1
  
  81b5b130741d5df2feccd67bb6edb1a9d08d48aa
- SHA256
  
  a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319
- SHA512
  
  20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3
Score

1^/10
behavioral5
- Target
  
  $PROGRAMFILES64/StartAllBack/Orbs/Shamrock.orb
- Size
  
  295KB
- MD5
  
  ef55e07e1a2e47bb2bb749046cd150b2
- SHA1
  
  68362a1b38f03b8f25fc1f2cfcbd73d90b2ea0fa
- SHA256
  
  1a8dac51758c66a1bb03fbc227b5edb52ef7379fa3603b62eb3307005d06c9b5
- SHA512
  
  9c04a8c14dddf42b1ce6d07a5e562f008922595a9024cfcedb46529ab97804535fee8d1577ba9ee7438602aaac8613237869d5dc658bf7b68d44c250128b7b0e
- SSDEEP
  
  1536:CFafTY/SHWgaaQSKCufuCk4d8/YDHDIHsZw893lUsne0CS/W/CP98jNPNrku/S/d:CgfTYknuh5BxlUs0S/CR2/Ezg7
Score

1^/10
behavioral6
- Target
  
  $PROGRAMFILES64/StartAllBack/Orbs/Windows 7.orb
- Size
  
  295KB
- MD5
  
  85328e698e8a74852b4061a683915dc8
- SHA1
  
  b898267f8574a34e6d605e541e5234c27dd53f5d
- SHA256
  
  e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275
- SHA512
  
  03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f
- SSDEEP
  
  3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT
Score

1^/10
behavioral7
- Target
  
  $PROGRAMFILES64/StartAllBack/StartIsBack32.dll
- Size
  
  563KB
- MD5
  
  e4b19c388cf6d649053e7f018388b9a4
- SHA1
  
  9114450f106c4e274c335f4e5d41fe40380a9607
- SHA256
  
  6405b9ad8b1557381de5a3d51502f408891283ba22ad45166343261e703bee07
- SHA512
  
  f990a6765a3bc8c3d36d8617e68237d83cd2cca4e05a71389f4381e6ef8b2c96cc9f04a6f9db74a9af95f30bfd36c72394acff8718e8ab6d16581eafd68ab51e
- SSDEEP
  
  12288:1SEyvDUMVQfYllJs97b3xrtlyXWM59+2cCGM7VxA:wEyvDUMVQfalJs7bhtlyjI2e4O
Score

1^/10
behavioral8
- Target
  
  $PROGRAMFILES64/StartAllBack/StartIsBack64.dll
- Size
  
  667KB
- MD5
  
  7ca847e6522f074352eadc0b62eb3399
- SHA1
  
  84fadc794964373f4098a474c3829d5d1953e07a
- SHA256
  
  584d631fa9f62873409cc51777fbbe8df673887a8af0a092d4b0523da512e577
- SHA512
  
  6c0e8a38a394309fcbb66d9da372cd35114b5a0aea397324f629fbb18866eaa934119483d5048dcb487377cd2d47d85ee23611aae84947a025b494a53bfcd20a
- SSDEEP
  
  12288:OEwKiIRJBYUYiyx51FHh3xb/zybraHM+/qWGgbF:OEPiIRJBYUYiyx5/hhCbrsqWGgbF
Score

1^/10
behavioral9
- Target
  
  $PROGRAMFILES64/StartAllBack/StartIsBackCfg.exe
- Size
  
  2.3MB
- MD5
  
  54873041460fa7a27cfb5008239e11f9
- SHA1
  
  c4fd1fa77a5e079f19cfaed945a83b65bc55431a
- SHA256
  
  3b946870b669af9837a27204e72ebe8e42a3503a6ee4da3822672ff54bdad0c5
- SHA512
  
  78fc2b84dc42e86bec9e802f6a96a3507802a033b54429ac0d2c65b726edfb0dc3ee1cf5c57dde455a5ffa36b49ebf9c1ff4335b5b7fab70b9609d903e59ca8a
- SSDEEP
  
  12288:3P7XcuNzOo7oFYyWxmF9LOFDfMKmm6/5UcVvmAMeJ62LzmHbNvnnnnnnnnn/m94v:/guhXsYycmzGkKmmX3ABxLzmuzF
Score

1^/10
behavioral10
- Target
  
  $PROGRAMFILES64/StartAllBack/Styles/Plain10.msstyles
- Size
  
  48KB
- MD5
  
  a69385279536210958fb9c86cab229d6
- SHA1
  
  6ecb118cfb9b8ef42c79aa0d795c3d8b51f0341d
- SHA256
  
  3955fc60d3b7c4a1badd831fde82269261407cf9d459c65b429e8abc769adeed
- SHA512
  
  f1cf5b1ec22416e645c0dfc128c25166585e300a8db2de6ec51e0689e26e54831dcf2b26a03115423b9b71f1b109389a3e14173fe0a8bbebc2547f9ca33cd412
- SSDEEP
  
  384:JijF/fRDk7ntZ6ITwfNAGPEVNqavB+m43+55lgirNr3all7IQsIUuIUU+ZZxVAKi:JAtv4sSlO6NH
Score

1^/10
behavioral11
- Target
  
  $PROGRAMFILES64/StartAllBack/Styles/Plain8.msstyles
- Size
  
  118KB
- MD5
  
  509fd060516d1971da8d0c2173748358
- SHA1
  
  67ccd63914312b1f491467bec42232916df109c7
- SHA256
  
  43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442
- SHA512
  
  de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6
- SSDEEP
  
  1536:JrsDH9XYblumhuRSPvu8QhVPCQtGwMlw:JrkH9cumhuRSXIhVPCpwMlw
Score

1^/10
behavioral12
- Target
  
  $PROGRAMFILES64/StartAllBack/Styles/Windows 7.msstyles
- Size
  
  405KB
- MD5
  
  b6a2892c151ccd59d0b4c4c1777daac5
- SHA1
  
  b34791b4db3956620dffb2e11e1fa160e2d20889
- SHA256
  
  0c6e681a8091ba888e58473cceeae590c88a405bb30dcb344f940acf27290ce8
- SHA512
  
  e8fc5c96d155bf9657c07d861e2597d681a23ce1d46ec3e779251126e989be41c883e0545e80b5291c96a3ead4eb6c2affe8b419abb506bc5e5376fe2fa212ae
- SSDEEP
  
  6144:e7hUvZn7daDTzgMigyWI12lnCtROpUHQYPxcqe:mhOZ7Qzg/RXthz
Score

1^/10
behavioral13
- Target
  
  $PROGRAMFILES64/StartAllBack/UpdateCheck.exe
- Size
  
  3KB
- MD5
  
  f9756c261aa978c787302debff8f142a
- SHA1
  
  81b5b130741d5df2feccd67bb6edb1a9d08d48aa
- SHA256
  
  a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319
- SHA512
  
  20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3
Score

1^/10
behavioral14
- Target
  
  $PROGRAMFILES64/StartAllBack/startscreen.exe
- Size
  
  71KB
- MD5
  
  a2d6e2201be02973328038457aa64bba
- SHA1
  
  684338bd758a92449d43c49a0aa539f323760215
- SHA256
  
  f4e76abf0df055fae97863708412773b51197bae0ddd9692a9509e824d847df0
- SHA512
  
  21002b3b3cd01beb923692addaef4e5d0fcbee972154e25bea2c4ece591185bf8e6221959fbcc772fc7e7f73dce18747909dcd9c04423a0ade70f6cfba72f135
- SSDEEP
  
  768:cH8C2KZJVCso1iFS4dA38XFKw/v5lUcB6VC2Tl4GLxEFiRS:or5VcUdA32FfvIC6Z2GLxeio
Score

1^/10
behavioral15
- Target
  
  $TEMP/STARTISBACK/DarkMagicLoaderX64.exe
- Size
  
  13KB
- MD5
  
  31a0c563a06323fee612df2dd801add2
- SHA1
  
  d67e3ff1d9ec9c791cae0f90a2d75b8d47d0f678
- SHA256
  
  3c38890144061a23c3322720edcd0866261d25c8763836e773bd5b082dacbe72
- SHA512
  
  3978b636594455dccf4a351b1c16a314a4e41777cd8466d68a6e78168ff4bc3c402a5cb90d45978dafea7e90e750a2bec6922a682fa209793607ce1496d637da
- SSDEEP
  
  192:3TaBb69WU9F6M/YmTveDcPnnCjdAA1m5IxV6hJzsPmHkuug:3OBbAWuFRHvSQnCjdAA1m5wMzsPudL
Score

1^/10
behavioral16
- Target
  
  $TEMP/STARTISBACK/DarkMagicLoaderX86.exe
- Size
  
  13KB
- MD5
  
  53b24dfaaf02118c913e662dbc48acaf
- SHA1
  
  66d61ca3a78edc09cd78e57a2edbd03a0dde6176
- SHA256
  
  9cb9d09799d03d14c58c67521488395a06b084f5d8cece7a45acfd15ffbccada
- SHA512
  
  774efc66c71d02966d0f8961439476e5de4942f4095a760f7928c9de0d3c0f42d371bbe73ddedac1490ec678c7f3f812615896470893423c3b41251fa7cdc1db
- SSDEEP
  
  192:CbrWU9F6M/YmTveDcYDeVCjdAA1m5IxV6hJzsPmHkyjI:CbrWuFRHvSrDeVCjdAA1m5wMzsPudM
Score

1^/10
behavioral17
- Target
  
  $TEMP/STARTISBACK/DarkMagicX64.dll
- Size
  
  156KB
- MD5
  
  106a8be32845eeaced3eef223f317fd9
- SHA1
  
  0dda24c0bf494e685aebf130b0b13df1a5dca2e9
- SHA256
  
  65e8c33ff2e84d9a5e1f6dd74d508cf109f921958bb24a2b766ae06dedc7cbc3
- SHA512
  
  5dd330f0dad03daecdd6a30ff1aff7e3c9506c8b1c4c0fd670b4ec3ad692c0ff078222858b56715d7ab0694ecf36521c46811b932d01f586de4c37d9afa92aea
- SSDEEP
  
  1536:lTEUWaufsPnsbHkpO8GrKvAM40xCj37SHb06v27pvhE4VG8zFLQYSvHceCKsR89o:ZEO5Eb3vJg06vcppRVfQYSvwR8Lx+yba
Score

1^/10
behavioral18
- Target
  
  $TEMP/STARTISBACK/DarkMagicX86.dll
- Size
  
  127KB
- MD5
  
  7162f62910e6c2e0c964b5fb765170c4
- SHA1
  
  e847401f6ff87e03b9b71166562c0beeb0850b72
- SHA256
  
  d68d7e9d4e6ecaff194fb461098fb93ca142b81881400c3e7a05eb0ce10a3b3a
- SHA512
  
  37e85e498f8f78079d61d0ed3efcabbf3007fabe3ce5b45451e246a305d86c3ca4bb71b4e20b430441a5cfc7505d53cb3ca33e53f70ee2e1abdb3f837e129664
- SSDEEP
  
  3072:qQ/dazpCv9KUoQEt3gUYhvFPTBsZAC4TBZv7Sx7y2Ifak:qQlazpGoUohwhvZTq4TX7Sx7y7ik
Score

1^/10
behavioral19
- Target
  
  $TEMP/STARTISBACK/Orbs/Windows 7.orb
- Size
  
  295KB
- MD5
  
  85328e698e8a74852b4061a683915dc8
- SHA1
  
  b898267f8574a34e6d605e541e5234c27dd53f5d
- SHA256
  
  e5b74e9e7bd6758a0154b11462ae3328edd143190865198104d8bd53b9af7275
- SHA512
  
  03945c487c6e697f7b352374a989bfe41d1de7d00624461d2b97fb2027b26d36b35035d5e78ea622c31372087dae647c5d3591c7f9a27941c009993e719ee28f
- SSDEEP
  
  3072:hj4y00PsAyluGSyREq+Dh3SGtdJmH1PakPE3AzpdDh7FVkohILQ:hn0esAylu2d2S4J83tdVYoT
Score

1^/10
behavioral20
- Target
  
  $TEMP/STARTISBACK/StartAllBackCfg.exe
- Size
  
  3.3MB
- MD5
  
  d029e1430bb91cf5506aa05e2e72ef26
- SHA1
  
  47d374ad40833e7317c2729f500eaade45734b91
- SHA256
  
  c7e9712749e51c5c9fa49ab6ebedca97543e5761051c72ca12dfe13fdcf43e07
- SHA512
  
  1850fb38b216fde13aa6daf66cb6082c1d225fd445511d87108c911bdafc13b34b32c6800d30abdc08a0adee3f9ce7ff69e9c65600e369b61374202676a39079
- SSDEEP
  
  24576:WdIOTn2jk2xye4khW0y1y4iW6SRX/SrPlPf6cI1N+Nm9p:W+OLQULkhVSRSt7UF
Score

1^/10
behavioral21
- Target
  
  $TEMP/STARTISBACK/StartAllBackLoaderX64.dll
- Size
  
  14KB
- MD5
  
  07496bd0aa53a53fee717c35c3ec5284
- SHA1
  
  bb281ab5eeb23f32290942e6c7308db389ce4415
- SHA256
  
  0dcda75498e5a8754a9f23a941bb5e734d1488c489fac6b2e83d0f13c325584b
- SHA512
  
  39a12a6670205cbe027d32e156b508ac335cc610aaf5ab1fcad1403863fc7e001c3bd1da9062c6e53481161d57734dd4673743168f7188db29a9125ece5a90d3
- SSDEEP
  
  384:R2iaEmJJWuFRHvSkeMQCjdAA1m5wMzsPuExv:4ixmLTlMxCxf1mlzz8
Score

1^/10
behavioral22
- Target
  
  $TEMP/STARTISBACK/StartAllBackX64.dll
- Size
  
  864KB
- MD5
  
  5481406b56b847931d6531a759036e8a
- SHA1
  
  da4e7d7e4ccb59c774253f02c24d15104febcd61
- SHA256
  
  94002f0c7786d6f22011f64ca65fb065af2ca52a1ff8576fc43269f4ae7a965b
- SHA512
  
  81a7b980250a666ccde820df5f829df109298d22ee086d40681b3ba8bb871a0f11653ea2363f34ed206156ddb8d8c7ccf208d2ff2548c778ace83bb6715da39e
- SSDEEP
  
  12288:UqM0OEfhGHuGDnTk84QZZUAzKiaKktaz7ZgGoRiV8VWYwF:iPEfhqLTJHZuiZc0aGoRiuZ
Score

1^/10
behavioral23
- Target
  
  $TEMP/STARTISBACK/Styles/Plain8.msstyles
- Size
  
  118KB
- MD5
  
  509fd060516d1971da8d0c2173748358
- SHA1
  
  67ccd63914312b1f491467bec42232916df109c7
- SHA256
  
  43c7016d950248f52f9512c9e7393c38d61a3ba2235e5fb6deed83564d8e9442
- SHA512
  
  de3d87b7e0a518ffbb10ccd400dbf5f9596177b75dd7aa4785855d36f007ef0417b88b2eb3aa6af7e52fb3670c021f714bcf87a33551ffc4536444d5204aa7e6
- SSDEEP
  
  1536:JrsDH9XYblumhuRSPvu8QhVPCQtGwMlw:JrkH9cumhuRSXIhVPCpwMlw
Score

1^/10
behavioral24
- Target
  
  $TEMP/STARTISBACK/Styles/Windows 7.msstyles
- Size
  
  377KB
- MD5
  
  5bcd1f14702ed1c521a13cec168770c7
- SHA1
  
  60d9b2740ae59e32cb843ae9171db90d24212884
- SHA256
  
  5d7d0f58359bc0017da66b3b893515435add2908f3c10920e0cad2febd3e0e62
- SHA512
  
  ccd3df8072768e42c607d372c35c5e484c51a3ed24545ae29cad8aab61a1cdd2e9c8c33dfed41406566b31ed775c0ffc56859f97d8dd2859f4899af1a670b752
- SSDEEP
  
  6144:YL7hUvZn7daDTzgMigyWI12lnCtROpUHQYPxt:ohOZ7Qzg/RXthz
Score

1^/10
behavioral25
- Target
  
  $TEMP/STARTISBACK/UpdateCheck.exe
- Size
  
  3KB
- MD5
  
  f9756c261aa978c787302debff8f142a
- SHA1
  
  81b5b130741d5df2feccd67bb6edb1a9d08d48aa
- SHA256
  
  a8d52a2653709d93d0d2c05d653dcf8f0cb06f11422d183eb6871528c95df319
- SHA512
  
  20ae445ab28d98ce6c1c8b066b7133541d9f944df7dbfccbc35df724165624c82d76c260c6041e5033e965e4dc0a2a57a67b594057cbc88f8ccc6ac9490c08b3
Score

1^/10
behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Drops desktop.ini file(s)

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26