Overview

overview

7

Static

static

7

Email-Worms.zip

windows10-1703-x64

1

Gruel.exe

windows10-1703-x64

7

Happy99.exe

windows10-1703-x64

5

MeltingScreen.exe

windows10-1703-x64

1

MsWorld.exe

windows10-1703-x64

1

MyDoom.exe

windows10-1703-x64

7

NetSky.exe

windows10-1703-x64

7

Parrot.exe

windows10-1703-x64

6

Analysis

  • max time kernel
    590s
  • max time network
    405s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-05-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Parrot.exe

  • Size

    51KB

  • MD5

    73d35451dbfbba5ac051d36f095a629f

  • SHA1

    0a1c087e6f91506f96e284b89d99a283d650de07

  • SHA256

    af983d2bf8f90fe563159983521b110e8560a409391254cb8ba7662df88fa3c3

  • SHA512

    9d74bb098aafa7cf3a9dee0f9a0638015d4be8ea26631082db810560748d2da85607d3bc67c9d75cfa2642e93dca3e0b0c6d214b38176a3b6ac2ba44cbe27836

  • SSDEEP

    768:oN2SaAr2oCgNHt9WoxayWIHZuvxulndbdb+UWEkrRNK+rR8NeJf9XR6idH6A3s:oASnrpNHt9bUYoWdbdb+VEkr+WXdHvc

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Parrot.exe
    "C:\Users\Admin\AppData\Local\Temp\Parrot.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
      2⤵
        PID:4588
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Windows\parrot.mp3"
        2⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:700
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x254
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1296

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\parrot.mp3
      Filesize

      8KB

      MD5

      ab4ee6036a4bd4db7808838411c44ac9

      SHA1

      7fcad4012fe4976e0d14828a58814acfa33136f5

      SHA256

      b5f09e2de74cbcc29b92612ded3ed2e24fdf5c6704d3ccb888a663dcb8c75da4

      SHA512

      b1ddcf096161e67ccdad111a1d2cae34b955abf6aa8cae9c4bc9c0fc65491a5b6f6537b16fca28e8034f1db3cc55ddccb963c51c9133f3b79d5d2baa06043354

      Download Submit
    • C:\mail.vbs
      Filesize

      671B

      MD5

      0fb2174f62406bf056bb79fc7a11d855

      SHA1

      356e41229d24c51f6ee723d2db936e13db770508

      SHA256

      2e4986c2fa63e89e96492fdf7aaed9f82edf54039ee9d6f073e39f1290da4e8e

      SHA512

      b939ee5ea959212d2b777868a5bb843981e9873885bf4eb2900c0fc638bcd3d6e24fbe495ec68839512578e9246f89052f17e1d2a101a1b5e737b63f565bf6fa

      Download Submit
    • memory/700-44-0x00007FFBE5750000-0x00007FFBE595B000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/700-88-0x00007FFBE46A0000-0x00007FFBE5750000-memory.dmp
      Filesize

      16.7MB

      Download
    • memory/700-40-0x00007FFBF7C90000-0x00007FFBF7CA7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/700-34-0x00007FF725420000-0x00007FF725518000-memory.dmp
      Filesize

      992KB

      Download
    • memory/700-41-0x00007FFBF56B0000-0x00007FFBF56C1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/700-43-0x00007FFBF55C0000-0x00007FFBF55D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/700-42-0x00007FFBF55E0000-0x00007FFBF55FD000-memory.dmp
      Filesize

      116KB

      Download
    • memory/700-46-0x00007FFBF5400000-0x00007FFBF5421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/700-47-0x00007FFBF55A0000-0x00007FFBF55B8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/700-39-0x00007FFBF7CB0000-0x00007FFBF7CC1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/700-35-0x00007FFBF7E30000-0x00007FFBF7E64000-memory.dmp
      Filesize

      208KB

      Download
    • memory/700-48-0x00007FFBE46A0000-0x00007FFBE5750000-memory.dmp
      Filesize

      16.7MB

      Download
    • memory/700-45-0x00007FFBF5430000-0x00007FFBF5471000-memory.dmp
      Filesize

      260KB

      Download
    • memory/700-36-0x00007FFBF4400000-0x00007FFBF46B6000-memory.dmp
      Filesize

      2.7MB

      Download
    • memory/700-38-0x00007FFBF7E10000-0x00007FFBF7E27000-memory.dmp
      Filesize

      92KB

      Download
    • memory/700-37-0x00007FFBF8460000-0x00007FFBF8478000-memory.dmp
      Filesize

      96KB

      Download
    • memory/700-53-0x00007FFBF2D20000-0x00007FFBF2D32000-memory.dmp
      Filesize

      72KB

      Download
    • memory/700-52-0x00007FFBF52A0000-0x00007FFBF52BB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/700-51-0x00007FFBF53A0000-0x00007FFBF53B1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/700-50-0x00007FFBF53C0000-0x00007FFBF53D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/700-49-0x00007FFBF53E0000-0x00007FFBF53F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2280-25-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download
    • memory/2280-0-0x0000000000400000-0x0000000000416000-memory.dmp
      Filesize

      88KB

      Download