Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
13-05-2024 11:02
General
-
Target
2IPStartGuard.exe
-
Size
492KB
-
MD5
af6513111d716fb785873eb7a1b82be0
-
SHA1
f5cef19010bc3536048bca085b70c95356414e08
-
SHA256
92b1e608f6db89b696b672d9fa653174de7b2cb6a78282a83cee11f4c8907740
-
SHA512
61451f24d09b99c07127a9f93285f2ec33eab0cdfe79f88cca86d2e0da4afa92d7de9920af9ad315245052270f11cd80018fb43fe4d82dabffd193a3a0b15612
-
SSDEEP
12288:Z2eavDVp0149mp2XGuR0TJ0GjHF9eKY2QZww+Pq0k:Z2eWBEsZyfY2Q6w+Pq7
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2IPStartGuard.exe"C:\Users\Admin\AppData\Local\Temp\2IPStartGuard.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-57LH9.tmp\is-LVNUH.tmp"C:\Users\Admin\AppData\Local\Temp\is-57LH9.tmp\is-LVNUH.tmp" /SL4 $400F6 "C:\Users\Admin\AppData\Local\Temp\2IPStartGuard.exe" 265593 527362⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE"C:\Program Files (x86)\2IPStartGuard\StartGuard.EXE"3⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\2IPStartGuard\keys.iniFilesize
546B
MD514124be1218ff90bf9095cce3dc3eff6
SHA135d59a6721e3a333bbd7cd20396b6826901d42cb
SHA25620f4d3e8ea2844bee912511a97872c3d6ec3982d0a5c5f7fc1f94780441ff6d6
SHA5124de9929a574a0be4bae61aac8b6224dfa5f9c2c8d50b55bfcbc0fb2130fba8f3533895fe7fbcbd2dd2d961608128b995c3ef7ff128bec5e1006f72c6b5f75d2c
-
\Program Files (x86)\2IPStartGuard\StartGuard.EXEFilesize
515KB
MD5f3c4fac2c4eb5bae1d1ac9e487a3219e
SHA181e8b4b8bfbdb4468bf6a3e47d4527513a4be267
SHA256f5ddc74e15adcf5c4201bb185713143cd5028c506f19c06796e180c091e9a40a
SHA512fefe8120c123504adc0465ccc928caef69748d7347bc5307e6f7cf3f5311070d3cc18db3ba1ca4736cae537afc74c91056cd467fd86cf96ee6ae79f7f7f9a520
-
\Program Files (x86)\2IPStartGuard\unins000.exeFilesize
667KB
MD5eda4fd45eafaa6d2d453011c34dcc197
SHA1183493618f1a4329a69e911d9dccdf0380192ce4
SHA25615da2d1655be240b0aee794fccb553440233dcd7495e1280c173dbd545021710
SHA5123d9f4353312ac36d79210f6248bc97c2d448174e306653f2cf0aec40da0770bbd2d182ce1efd88a8b786a1e1bdd1e28eab1e62f77be1c45ad647c2bfe23bbc52
-
\Users\Admin\AppData\Local\Temp\is-57LH9.tmp\is-LVNUH.tmpFilesize
657KB
MD53dafb498bb15d5260cb2c12b391a0d48
SHA1c775ae9fdf18ab0ce38a8adffabe378f461e79a1
SHA256c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a
SHA512a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31
-
\Users\Admin\AppData\Local\Temp\is-OR7E6.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
memory/2052-44-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2052-45-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2052-49-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/2184-3-0x0000000000401000-0x000000000040B000-memory.dmpFilesize
40KB
-
memory/2184-40-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2184-0-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2204-9-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/2204-39-0x0000000000400000-0x00000000004B3000-memory.dmpFilesize
716KB
-
memory/2728-42-0x0000000000400000-0x0000000000489000-memory.dmpFilesize
548KB