Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 00:01
Behavioral task: behavioral1
- Sample: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
- Resource: win10v2004-20240508-en

Behavioral task: behavioral3
- Sample: EMAIL ACCESS BY WORTYLESS/SkinSoft.VisualStyler.dll
- Resource: win7-20240220-en

Behavioral task: behavioral4
- Sample: EMAIL ACCESS BY WORTYLESS/SkinSoft.VisualStyler.dll
- Resource: win10v2004-20240426-en

Behavioral task: behavioral5
- Sample: EMAIL ACCESS BY WORTYLESS/xNet.dll
- Resource: win7-20240221-en

Behavioral task: behavioral6
- Sample: EMAIL ACCESS BY WORTYLESS/xNet.dll
- Resource: win10v2004-20240508-en
General
- Target: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
- Size: 203KB
- MD5: bba733ae6622aab730f4833f85f2b7df
- SHA1: 136ba13c922525e139b79ce1397eacd5bff1101c
- SHA256: 2e935cf07542a29f48be90925fc43b77da788b17b15e3917b90183a59cd2576d
- SHA512: 6ed95ccf4eadd32a3d88941b77d3835894ca0a4b46b76e363be5f80cef1f0456f10c31bdd62b38aaef1a1b55eb96127da77e29aee9bbb0bb42e02125c153affc
- SSDEEP: 3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI3aQYusdrK6ymbcYmRriGNny:sLV6Bta6dtJmakIM5tax0cYgrimy
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe" | EMAIL ACCESS BY WORTYLESS.exe

- Checks whether UAC is enabled
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EMAIL ACCESS BY WORTYLESS.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  description | ioc | process
  File created | C:\Program Files (x86)\ARP Host\arphost.exe | EMAIL ACCESS BY WORTYLESS.exe
  File opened for modification | C:\Program Files (x86)\ARP Host\arphost.exe | EMAIL ACCESS BY WORTYLESS.exe

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  2584 | schtasks.exe
  2704 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  pid | process
  2400 | EMAIL ACCESS BY WORTYLESS.exe
  2400 | EMAIL ACCESS BY WORTYLESS.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  pid | process
  2400 | EMAIL ACCESS BY WORTYLESS.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  description | pid | process
  Token: SeDebugPrivilege | 2400 | EMAIL ACCESS BY WORTYLESS.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: EMAIL ACCESS BY WORTYLESS.exe
  description | pid | process | target process
  PID 2400 wrote to memory of 2584 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2584 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2584 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2584 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2704 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2704 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2704 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
  PID 2400 wrote to memory of 2704 | 2400 | EMAIL ACCESS BY WORTYLESS.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (tree level 2)
    Command line: "schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp29EE.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (tree level 2)
    Command line: "schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2A7B.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp29EE.tmp
  Filesize: 1KB
  MD5: 896a323db8a4e1466dee95088bcad9e5
  SHA1: ade5e880c93357e0ff664d74746cdf4ec93fdbba
  SHA256: dd51236bd347d8c57ce5f5eb9e455607d627cf6a725b8a998bd6a236e7598d21
  SHA512: c9b45b31c1f054cb9cfd442402b455b97c50177ca37e2f6f01d77ff6a16e61c319157c8a42cd6b8c74b188e6b295fce19d228b1775e8349f33b0ac42a6047096

- C:\Users\Admin\AppData\Local\Temp\tmp2A7B.tmp
  Filesize: 1KB
  MD5: 447ab194ab36cb1d20078d80e502b1b2
  SHA1: a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0
  SHA256: 8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5
  SHA512: 49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327

- memory/2400-0-0x0000000074831000-0x0000000074832000-memory.dmp
  Filesize: 4KB

- memory/2400-1-0x0000000074830000-0x0000000074DDB000-memory.dmp
  Filesize: 5.7MB

- memory/2400-2-0x0000000074830000-0x0000000074DDB000-memory.dmp
  Filesize: 5.7MB

- memory/2400-10-0x0000000074830000-0x0000000074DDB000-memory.dmp
  Filesize: 5.7MB

- memory/2400-11-0x0000000074830000-0x0000000074DDB000-memory.dmp
  Filesize: 5.7MB