Analysis
max time kernel: 592s
max time network: 393s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 14-05-2024 22:53
Behavioral tasks
behavioral1: Sample Email-Worms.zip, Resource win10-20240404-en
behavioral2: Sample Gruel.exe, Resource win10-20240404-en
behavioral3: Sample Happy99.exe, Resource win10-20240404-en
behavioral4: Sample MeltingScreen.exe, Resource win10-20240404-en
behavioral5: Sample MsWorld.exe, Resource win10-20240404-en
behavioral6: Sample MyDoom.exe, Resource win10-20240404-en
behavioral7: Sample NetSky.exe, Resource win10-20240404-en
behavioral8: Sample Parrot.exe, Resource win10-20240404-en
General
Target: NetSky.exe
Size: 17KB
MD5: 6f49434d7e4532520372a4721a7a9aec
SHA1: 979e0112b24c1f490653e47e4a340b37f72d17cd
SHA256: 15e48ef767e1b2d696d2f6beec08e12e6e6d8909c070347d2d10abe75c120495
SHA512: 9c86461d65fa52dc0e2ab15f3b95b75fe572f7e46b20ada7fcae57b9fd5355bee6e31b47183d5465e97bc72a065fa96dc8330667fbd3e69b13ed561600e6672c
SSDEEP: 384:7/q2Nfs60PUnfTSILFm4UY2t9L+a30Bpk+3NyqSTqOvSKz:XNNXnmwygkmNHSY
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: NetSky.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICQ Net = "C:\\Windows\\winlogon.exe -stealth"
process: NetSky.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: NetSky.exe
description / ioc / process:
File opened (read-only) \??\x: NetSky.exe
File opened (read-only) \??\m: NetSky.exe
File opened (read-only) \??\n: NetSky.exe
File opened (read-only) \??\p: NetSky.exe
File opened (read-only) \??\q: NetSky.exe
File opened (read-only) \??\y: NetSky.exe
File opened (read-only) \??\z: NetSky.exe
File opened (read-only) \??\g: NetSky.exe
File opened (read-only) \??\l: NetSky.exe
File opened (read-only) \??\o: NetSky.exe
File opened (read-only) \??\s: NetSky.exe
File opened (read-only) \??\w: NetSky.exe
File opened (read-only) \??\h: NetSky.exe
File opened (read-only) \??\j: NetSky.exe
File opened (read-only) \??\k: NetSky.exe
File opened (read-only) \??\r: NetSky.exe
File opened (read-only) \??\v: NetSky.exe
File opened (read-only) \??\e: NetSky.exe
File opened (read-only) \??\i: NetSky.exe
File opened (read-only) \??\t: NetSky.exe
File opened (read-only) \??\u: NetSky.exe
Drops file in Windows directory (2 IoCs)
Processes: NetSky.exe
description / ioc / process:
File created C:\Windows\winlogon.exe NetSky.exe
File opened for modification C:\Windows\winlogon.exe NetSky.exe