Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 17:11
Behavioral tasks
behavioral1: Good_Hits_Parser.exe on win7-20240221-en
behavioral2: Good_Hits_Parser.exe on win10v2004-20240508-en
behavioral3: clipper.pyc on win7-20231129-en
behavioral4: clipper.pyc on win10v2004-20240508-en
The results on this page are from behavioral2: the platform and resource above match it, and the YARA hit under Signatures references behavioral2/files/... The two clipper.pyc tasks belong to the same submission but their results are not shown here.
General
Target: Good_Hits_Parser.exe
Size: 37.3MB
MD5: 9fb44d65c246d1ab437097a93a3f60d4
SHA1: 60b85de037daa52d84a78f9b0efb9333cab97a88
SHA256: 8e27c0148a54e406f3078db8fb26e427f466b1dd3443000fc8f81b756a1550c0
SHA512: b3276bfdcb852a0b268c0d53ea467561da3e9dcb4768510f28e57ee3dbbb1156e29dfc2b601d33d8f4f070c8ca4299fcde70ca9986addf37d7c710a786197c70
SSDEEP: 786432:3NmctRUVyf+gX4BMdhwzTQXRGFbPp8+OTKhFcSS5U/LT2Ko2mrWcGaW:3H0yhXGMK4XRsbq+kSCU/+D2pcGP
Malware Config
Signatures
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe (process: cmd.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Good_Hits_Parser.exe (process: cmd.exe)
Loads dropped DLL (13 IoCs)
  pid 4148, Good_Hits_Parser.exe (all 13 loads are by this process)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 4148, Good_Hits_Parser.exe
NtSetInformationThread with the ThreadHideFromDebugger information class stops the kernel from delivering that thread's debug events to an attached debugger. A normal application has no use for it, so it is treated as an anti-debugging indicator. Like the dropped-DLL loads, it is attributed to the child process 4148, where the packaged program runs; PyInstaller's own bootloader does not make this call, so it comes from the bundled code or from a protector layered on top of it, which the report does not identify.
Detects Pyinstaller (1 IoC)
  resource: behavioral2/files/0x000700000002349d-1392.dat, yara_rule: pyinstaller
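To see what a PyInstaller detection such as the yara_rule hit above keys on, here is an added example (not part of this report, and not the body of the sandbox's rule, which the page does not show) that locates and parses the CArchive cookie PyInstaller's bootloader appends to a onefile executable. The cookie layout used (8-byte magic, package length, TOC offset, TOC length, Python version as major*100+minor, 64-byte library name, all network byte order) is the one recent PyInstaller releases write; the input is a constructed stub, not the real Good_Hits_Parser.exe.

```python
"""Detect a PyInstaller-packaged executable by locating and parsing the
CArchive cookie that the PyInstaller bootloader appends to the file.

Added example for this report; not the sandbox's YARA rule.
"""
import struct
from typing import Optional

# 8-byte magic at the start of PyInstaller's CArchive cookie.
PYI_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout (network byte order): magic[8], package length, TOC offset,
# TOC length, Python version (major*100 + minor), python library name[64].
PYI_COOKIE_FMT = "!8sIIII64s"
PYI_COOKIE_LEN = struct.calcsize(PYI_COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None.

    The bootloader itself searches backwards from the end of the file, because
    an Authenticode signature or other overlay may follow the archive, so the
    last occurrence of the magic is used rather than a fixed offset.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        PYI_COOKIE_FMT, data, pos
    )
    # The package length counts everything from the archive start up to and
    # including the cookie, so the archive start is derived from the cookie end.
    archive_start = pos + PYI_COOKIE_LEN - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None  # magic-shaped bytes with impossible geometry: not a cookie
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",
        "pylib_name": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_fake_pyinstaller_blob(overlay: bytes = b"") -> bytes:
    """Constructed test input (not a real sample): a stub 'executable' followed
    by a minimal archive whose only content is a fake TOC, then the cookie, then
    an optional trailing overlay that mimics a signature appended after the
    archive."""
    stub = b"MZ" + b"\0" * 62 + b"stub program bytes"
    toc = b"<fake TOC>"
    pkg_len = len(toc) + PYI_COOKIE_LEN
    cookie = struct.pack(
        PYI_COOKIE_FMT, PYI_MAGIC, pkg_len, 0, len(toc), 311, b"python311.dll"
    )
    return stub + toc + cookie + overlay


if __name__ == "__main__":
    print("PyInstaller archive:", find_pyinstaller_cookie(build_fake_pyinstaller_blob()))
```

Once the cookie is found, the TOC offset and length locate the embedded file table, which is how tools that unpack onefile bundles recover the bundled .pyc files (such as a clipper.pyc) for further analysis.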
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)
Every one of these reads is attributed to taskmgr.exe (pid 5504), not to Good_Hits_Parser.exe. Task Manager enumerates attached disks for its own display, so this signature reflects the sandbox's Task Manager instance and should not be counted as sandbox evasion by the sample.
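The signature description above explains why this key is interesting. As an added illustration (my code, not the sample's and not the sandbox's signature logic), the following reads the same Enum\SCSI FriendlyName values a VM-detection routine would and classifies them. The registry walk only runs on Windows; the classifier is a pure function so it can be exercised with constructed names, including a "DADY HARDDISK" string modelled on the Ven_DADY vendor in the key path above (the report does not show the actual FriendlyName value). The hypervisor marker list is my own and is not exhaustive.

```python
r"""Disk-vendor fingerprinting via HKLM\SYSTEM\CurrentControlSet\Enum\SCSI.

Added example: shows what a sandbox check based on the SCSI enumeration
key looks like, and why sandboxes present disguised vendor strings.
"""
import sys
from typing import Iterable, List

# Substrings commonly found in the FriendlyName of virtual disks. Assumed
# list for illustration; evasion code in the wild carries longer lists.
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "xen",
                      "hyper-v", "msft virtual", "red hat virtio")


def vm_disk_names(friendly_names: Iterable[str]) -> List[str]:
    """Return the disk names that match a known hypervisor marker."""
    return [n for n in friendly_names
            if any(m in n.lower() for m in HYPERVISOR_MARKERS)]


def _subkeys(winreg, key):
    """Yield subkey names; EnumKey raises OSError when the index runs out."""
    i = 0
    while True:
        try:
            yield winreg.EnumKey(key, i)
        except OSError:
            return
        i += 1


def read_scsi_friendly_names() -> List[str]:
    r"""Walk Enum\SCSI\<device>\<instance> and collect every FriendlyName value.

    Windows only: winreg is imported lazily so the classifier above stays
    usable on other platforms.
    """
    if sys.platform != "win32":
        raise RuntimeError("SCSI registry enumeration requires Windows")
    import winreg

    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Enum\SCSI") as scsi:
        for dev in _subkeys(winreg, scsi):
            with winreg.OpenKey(scsi, dev) as dev_key:
                for inst in _subkeys(winreg, dev_key):
                    try:
                        with winreg.OpenKey(dev_key, inst) as inst_key:
                            names.append(winreg.QueryValueEx(inst_key, "FriendlyName")[0])
                    except OSError:
                        pass  # instance without a FriendlyName value
    return names


# Constructed inputs: the sandbox's disguised disk (vendor string taken from
# the Ven_DADY path in the report) versus a plain VMware guest.
SANDBOX_NAMES = ["DADY HARDDISK"]
VMWARE_NAMES = ["VMware Virtual disk SCSI Disk Device", "Msft Virtual Disk"]

if __name__ == "__main__":
    names = read_scsi_friendly_names() if sys.platform == "win32" else SANDBOX_NAMES
    print("disks:", names, "-> VM markers:", vm_disk_names(names))
```

The point of the disguised "DADY" vendor in the key path is exactly that a check like vm_disk_names finds nothing on it; an analyst reading this signature should therefore look at which process issued the read (here taskmgr.exe) rather than at the key name alone.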
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 5504, taskmgr.exe (all 64 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 5504, taskmgr.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, pid 5504, taskmgr.exe
  Token: SeSystemProfilePrivilege, pid 5504, taskmgr.exe
  Token: SeCreateGlobalPrivilege, pid 5504, taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 5504, taskmgr.exe (all 64 events)
Suspicious use of SendNotifyMessage (64 IoCs)
  pid 5504, taskmgr.exe (all 64 events)
All five of these signatures fired on taskmgr.exe (pid 5504) only; none is attributed to the sample or its children.
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2296 wrote to memory of 4148, Good_Hits_Parser.exe, procid_target 86 (x2)
  PID 4148 wrote to memory of 784, Good_Hits_Parser.exe, procid_target 87 (x2)
Both writes go from a parent into the child it has just created (2296 to 4148, and 4148 to 784 in the process tree below), which is how ordinary process creation shows up under this signature; there is no write into an unrelated process here that would point to injection.
Processes
C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe  "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"  (depth 1, PID 2296)
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe  "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"  (depth 2, PID 4148)
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"  (depth 3, PID 784)
      - Drops startup file
C:\Windows\system32\taskmgr.exe  "C:\Windows\system32\taskmgr.exe" /4  (depth 1, PID 5504)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Reading the tree: the sample (2296) launches a second copy of itself (4148), which is how a PyInstaller onefile bootloader behaves (the parent unpacks the bundle and runs the real program as a child), consistent with the Detects Pyinstaller hit and with the 13 dropped DLLs being loaded by 4148. The child then spawns cmd.exe to copy the executable into the per-user Startup folder, so it is relaunched at every logon of that user. taskmgr.exe is a separate root process with no parent link to the sample anywhere in this report; all of its signatures are its own activity.
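To turn the process tree above into a detection, here is an added example (not part of the report and not the sandbox's signature engine) that rebuilds parent/child relationships from process-creation events and flags the two things the tree shows: a shell copying a file into a Startup folder (the persistence step), attributed back to the root of its process chain, and a process launching an image identical to its own (the PyInstaller onefile pattern). The events are constructed from the PIDs, images and command lines on this page; the ATT&CK technique ID is my own mapping, since the report's ATT&CK section shows no entries on this page. The Startup-folder pattern is written to cover both the per-user folder seen here and the all-users one under ProgramData.

```python
"""Process-tree triage: find Startup-folder persistence and self-respawn.

Added example built from the process tree in this report; not sandbox code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches both the per-user Startup folder (under AppData\Roaming) and the
# all-users one (under ProgramData); the trailing group stops it matching a
# folder that merely begins with "Startup", e.g. "...\Startup Tools".
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup(\\|\"|'|\s|$)",
    re.IGNORECASE,
)
# Images that copy or write files on behalf of a caller.
COPY_TOOLS = {"cmd.exe", "xcopy.exe", "robocopy.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the report shows no parent (root process)
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return the chain [process, parent, grandparent, ...] as far as the events go."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)            # guard against PID reuse producing a cycle
        chain.append(cur)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def find_startup_persistence(events: List[ProcEvent]) -> List[dict]:
    """Flag copy/shell processes whose command line targets a Startup folder,
    and attribute each hit to the root of its process chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) in COPY_TOOLS and STARTUP_DIR_RE.search(e.cmdline):
            chain = ancestry(e.pid, by_pid)
            hits.append({
                "pid": e.pid,
                "technique": "T1547.001 Boot or Logon Autostart Execution: "
                             "Registry Run Keys / Startup Folder",
                "chain": [p.pid for p in chain],
                "root_pid": chain[-1].pid,
                "root_image": chain[-1].image,
            })
    return hits


def find_self_respawn(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Return (parent_pid, child_pid) pairs where a process started its own image."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is not None and parent.image.lower() == e.image.lower():
            pairs.append((parent.pid, e.pid))
    return pairs


# Constructed from the report's process tree and its WriteProcessMemory rows.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe"
REPORT_EVENTS = [
    ProcEvent(2296, None, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(4148, 2296, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(784, 4148, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Good_Hits_Parser.exe" '
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"'),
    ProcEvent(5504, None, r"C:\Windows\system32\taskmgr.exe",
              r'"C:\Windows\system32\taskmgr.exe" /4'),
]

if __name__ == "__main__":
    for hit in find_startup_persistence(REPORT_EVENTS):
        print("persistence:", hit)
    print("self-respawn:", find_self_respawn(REPORT_EVENTS))
```

Attributing the hit to the root of the chain matters in practice: an alert on cmd.exe alone names a Windows binary, whereas the chain [784, 4148, 2296] names the file that was actually delivered and needs to be pulled for analysis. Self-respawn on its own is only a hint (many legitimate packers and installers do it), which is why it is reported separately rather than folded into the persistence finding.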
Network
MITRE ATT&CK Enterprise v15
Downloads
The report gives only sizes and hashes for these artifacts, not file names.
File 1 (87KB)
  MD5: 0e675d4a7a5b7ccd69013386793f68eb
  SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
  SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
  SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
File 2 (82KB)
  MD5: 70a3a9e6d086a965bd164eb171f3f537
  SHA1: a85dea115761d8a85ea08004fa65d975bbf37fdc
  SHA256: 5294b29c8130bad79b0a4ba9007f076843ebd35df6317b90ec9822f0ba3d8b57
  SHA512: 447937793cbbe64025db3f3a51cc2124fc73a418aa690db1ff5290edd4deac6a34d894653a33356e1d7ea3fdfcde801c9daa00873c0409d2223217d403c954a0
File 3 (121KB)
  MD5: 9082abcff2c89a406e7eddc1a1d4afd9
  SHA1: b114950c87dd1c544cf02704f5164a315993a716
  SHA256: 591392e5c488defdcfb179bc0db96504577e2122370ae480e840a90d53ce3f44
  SHA512: 3176d9898c77bb766679242c9667516868b25eadf59d7b92fe751d3bb81a9f4b68472df0d6234b159f27ca1503de29f574bd09b072cd38f503c8d5348d9dd4f5
File 4 (246KB)
  MD5: 24919c42c43d9ef08d4e372c339d9e47
  SHA1: 4ed83cdab8830605a7bb75cb03a5764b8ee5c886
  SHA256: d8e4150517435b30913f4016df052dc7409d0e2b69b5f24333c274d504c4633f
  SHA512: d2b8a9eed20e27390b47b23140feac340cf448c5c4b5deefe3e42f91e1b3482be1cffa5499b0c062e36ecea8990bea2523dbbef58acc816d3a0f89eddbab5ff1
File 5 (1.1MB)
  MD5: 95c20648ce0e148bd37f50f17a644b85
  SHA1: eeab8f64d983cc868660a7a249257ab9839d3d1e
  SHA256: 1c1bf407c0bc7270f7bee57ae3c7f5a37a837f940ba7aca9561ab88e5678d7b5
  SHA512: 32f8e2c77cc7015bd4f5b79a52dd540e1e1cbb40824857e95e1e9575979a225aff6bbcd69fa2fdd515c42256f5d241c04c89e8b8debb84aa8995c8404d918ad5
File 6 (77KB)
  MD5: 458f0f0ed8d16019d7c2d157bddea94b
  SHA1: d21848e4ebafac0b9e9ca8d71e4f8cd2b5aaca57
  SHA256: e6bdbe5d5d66c9790e490f6dbb695ca87a9acffa51c4a37d2948b7f1ba2c8b42
  SHA512: 00eb3c535a0074765f146523b0bb6f16360609a13a38579b19a2635590c2d947c5eaa7e78e7a9324b3670c505d6310e75e78f7e6fdadc23aa12ad165bdfccc69
File 7 (1004KB)
  MD5: bbce7d385200a3ffb1f829b97c6cb954
  SHA1: e5f93ab3c9738ade92b2a5df7d15e4476cd567d8
  SHA256: e9b2832e35d7d58f9bdd30fd5540ac2a167aa5f10938aa1d15c57e2810dc5ce9
  SHA512: 6fadf644c93504ba7647c986e61c76badec777db0b987d6653221b7b56f06b6855c671c78ac5edff518960e277f2f0e674de9751e7177b3898085ed0a4709ecd
File 8 (32KB)
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
File 9 (4.0MB)
  MD5: 9e3ded73b6263b671a1d6c98256b721a
  SHA1: 814045f7a2be0ab7a8d34dc8156ba9ca06253ab9
  SHA256: 215e4f42658a1ba952197a3973ebafd2cd1d40a41c335ae376feacbcf5b04e87
  SHA512: 8323ffb40bbaee89b1a3f1a160a24776394591ed21dc63ccb82bece7b9a1fdc2c10404eb9f3f94bae730c57bdfd99210f67a532f789f5e5c5ea14fe76b3ad05b
File 10 (699KB)
  MD5: eaafa2b6768a7d23494b95e897a56ca4
  SHA1: c4dc648ead5ae0c45abd1a22db76a3aef4469337
  SHA256: c238f7991cc7a0e2a707d2dd59b800951ea92ec15c3e6c2b1e0229adb8cec1a1
  SHA512: aa4edb0d8194ae0069d3938cdfef14e91adaee0a746713a7f39d5169fa298727014c7995a00ef2bc0cd77e6a25ed5fb415cac3f0add2dd04ac90be29059a0e31
File 11 (146KB)
  MD5: 4bfa43585ad0f9b7ac5858cf2c0b4963
  SHA1: f3e34e2d5748bdc1f49cc665342ee66662919873
  SHA256: 455682c2212474ae895bfb931ffd7d1d15993451bdbe65ace820c9e747ca3490
  SHA512: d2346b871f06adfcb115a97e2b04be3d49f16bf2e92eab303e9eabd562e50f95307c8ea7a2f0541579224648fb3938a58d1c31e2248a5c6fcbc5d359d6864cc8
File 12 (26KB)
  MD5: ac8caceeaa28137a14784563d126ed7e
  SHA1: 4dcbe48eaa53d5c7d91c420df823dbff54f4da5f
  SHA256: 8e6d1a33b16dcc3922f7159a30ff596194a59b4a8fb5f9864517f03fd19f2c78
  SHA512: b67bff989af102f5087d95993e9bd57c6808e401979707bc2d33b386326b964abb71f497d82747725fb040a1d337ee453a1d57c37b72fdc06f7ea7687dda8f12
File 13 (137KB)
  MD5: 64fec318efd64fa98ea427a70c02c808
  SHA1: f6e9ba6a4ce4d300f63004aee6ca967363cc68a1
  SHA256: e000f1d7dd22a0a6e87160c633fdd5e35ce8e1e367d612a870f4428ab84af10a
  SHA512: 6f6daff5f9be46ba1bd312d8be2bb9a5be1fda9f4d1603f528286290b907c5ff6e21939e62e3f101b30bb173519e39d0e00c5157c89093c52ab036d95ee9a758
File 14 (157KB)
  MD5: 251b0d5fa4148895cbbc1228b4af81f8
  SHA1: 1de857df0012898449ed96d49660d36843512b9a
  SHA256: 0178f47c605bdc97d77b7ebee70231a2520a085203b6a6e30aa2a11853eb2f07
  SHA512: c2d6dcdc67771cc6d102537b3e246e8c6e5f401a473e843279425f7af5bb8be425197ec0568acb5bff0b6ea9671bb0584af88da1f1a9ae72df10db1c40e94cd4
File 15 (37.3MB; same hashes as the submitted Good_Hits_Parser.exe)
  MD5: 9fb44d65c246d1ab437097a93a3f60d4
  SHA1: 60b85de037daa52d84a78f9b0efb9333cab97a88
  SHA256: 8e27c0148a54e406f3078db8fb26e427f466b1dd3443000fc8f81b756a1550c0
  SHA512: b3276bfdcb852a0b268c0d53ea467561da3e9dcb4768510f28e57ee3dbbb1156e29dfc2b601d33d8f4f070c8ca4299fcde70ca9986addf37d7c710a786197c70