Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 00:01
Behavioral tasks

behavioral1: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe (resource win7-20240508-en)
behavioral2: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe (resource win10v2004-20240508-en)
behavioral3: EMAIL ACCESS BY WORTYLESS/SkinSoft.VisualStyler.dll (resource win7-20240220-en)
behavioral4: EMAIL ACCESS BY WORTYLESS/SkinSoft.VisualStyler.dll (resource win10v2004-20240426-en)
behavioral5: EMAIL ACCESS BY WORTYLESS/xNet.dll (resource win7-20240221-en)
behavioral6: EMAIL ACCESS BY WORTYLESS/xNet.dll (resource win10v2004-20240508-en)
General

Target: EMAIL ACCESS BY WORTYLESS/EMAIL ACCESS BY WORTYLESS.exe
Size: 203KB
MD5: bba733ae6622aab730f4833f85f2b7df
SHA1: 136ba13c922525e139b79ce1397eacd5bff1101c
SHA256: 2e935cf07542a29f48be90925fc43b77da788b17b15e3917b90183a59cd2576d
SHA512: 6ed95ccf4eadd32a3d88941b77d3835894ca0a4b46b76e363be5f80cef1f0456f10c31bdd62b38aaef1a1b55eb96127da77e29aee9bbb0bb42e02125c153affc
SSDEEP: 3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI3aQYusdrK6ymbcYmRriGNny:sLV6Bta6dtJmakIM5tax0cYgrimy
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"
  process: EMAIL ACCESS BY WORTYLESS.exe
Checks whether UAC is enabled (1 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: EMAIL ACCESS BY WORTYLESS.exe
Drops file in Program Files directory (2 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  description: File created
  ioc: C:\Program Files (x86)\DPI Subsystem\dpiss.exe
  process: EMAIL ACCESS BY WORTYLESS.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\DPI Subsystem\dpiss.exe
  process: EMAIL ACCESS BY WORTYLESS.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid 3436: schtasks.exe
  pid 2088: schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  pid 4804: EMAIL ACCESS BY WORTYLESS.exe
  pid 4804: EMAIL ACCESS BY WORTYLESS.exe
  pid 4804: EMAIL ACCESS BY WORTYLESS.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  pid 4804: EMAIL ACCESS BY WORTYLESS.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  description: Token: SeDebugPrivilege
  pid 4804: EMAIL ACCESS BY WORTYLESS.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: EMAIL ACCESS BY WORTYLESS.exe
  description: PID 4804 wrote to memory of 3436; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
  description: PID 4804 wrote to memory of 3436; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
  description: PID 4804 wrote to memory of 3436; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
  description: PID 4804 wrote to memory of 2088; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
  description: PID 4804 wrote to memory of 2088; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
  description: PID 4804 wrote to memory of 2088; process EMAIL ACCESS BY WORTYLESS.exe (4804); target process schtasks.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\EMAIL ACCESS BY WORTYLESS\EMAIL ACCESS BY WORTYLESS.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D26.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E02.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp4D26.tmp
  Filesize: 1KB
  MD5: 896a323db8a4e1466dee95088bcad9e5
  SHA1: ade5e880c93357e0ff664d74746cdf4ec93fdbba
  SHA256: dd51236bd347d8c57ce5f5eb9e455607d627cf6a725b8a998bd6a236e7598d21
  SHA512: c9b45b31c1f054cb9cfd442402b455b97c50177ca37e2f6f01d77ff6a16e61c319157c8a42cd6b8c74b188e6b295fce19d228b1775e8349f33b0ac42a6047096
- C:\Users\Admin\AppData\Local\Temp\tmp4E02.tmp
  Filesize: 1KB
  MD5: 5fea24e883e06e4df6d240dc72abf2c5
  SHA1: d778bf0f436141e02df4b421e8188abdcc9a84a4
  SHA256: e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
  SHA512: 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924
- memory/4804-0-0x00000000755A2000-0x00000000755A3000-memory.dmp
  Filesize: 4KB
- memory/4804-1-0x00000000755A0000-0x0000000075B51000-memory.dmp
  Filesize: 5.7MB
- memory/4804-2-0x00000000755A0000-0x0000000075B51000-memory.dmp
  Filesize: 5.7MB
- memory/4804-5-0x00000000755A0000-0x0000000075B51000-memory.dmp
  Filesize: 5.7MB
- memory/4804-11-0x00000000755A2000-0x00000000755A3000-memory.dmp
  Filesize: 4KB
- memory/4804-12-0x00000000755A0000-0x0000000075B51000-memory.dmp
  Filesize: 5.7MB
- memory/4804-13-0x00000000755A0000-0x0000000075B51000-memory.dmp
  Filesize: 5.7MB