Analysis
-
max time kernel
41s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 02:45
General
-
Target
loremipsum.exe
-
Size
1.7MB
-
MD5
f55d52d5d690a8e1b2df9217bc3ddfdf
-
SHA1
0e45d3a28cc096dc7edc1208f7428d66335df11a
-
SHA256
59f57803fa5235075c3e470e1006905a61236e491bb75a599d862cafcfbb529f
-
SHA512
4101015760dd2b1d9cbf9586802e610bbe6f74b73bc5dbb4391417afe8fa20762a84b04cd15019b54107d8ad0e4fc523f25403482431dd53aec3d07a4b217941
-
SSDEEP
49152:p4JJILzCkp/SzrIXKgltQlZ9mwm/PU5KLOR0qkM8+Ou1:p4IuzrIXltEDjm/PtLORlm01
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 7 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\loremipsum.exe"C:\Users\Admin\AppData\Local\Temp\loremipsum.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nsg3CDC.tmp\Everything\Everything.exe"C:\Users\Admin\AppData\Local\Temp\nsg3CDC.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 0"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -uninstall-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1033 -save-install-options 03⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 10332⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe"2⤵
- Enumerates connected drives
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -svc1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD5b2b308d8c164f75bc11bccf7baf3df67
SHA16f1e5561268b2db5b46bb6f738c0f7a637fd6b6d
SHA256f0969f438d2869641d8f76d5b9fd2b82c7232134a90972e96abb3783d1e2fbe5
SHA5125cb56d715d35a33e5bbc7e7deb43e4f143e4193ae59282892fe72b82c66a21a62cec85222a9879d5126479a59b9a5e715568f4bb62040a4c03b706f1ebde9659
-
Filesize
18KB
MD51ebb92ac516db5077a0c851565b7a2cf
SHA19adabfbb11b070169429fd43a250285ee8881213
SHA256e64b60048b375f0c7d4c1fb4329957a297f2e60c306ef9c380175ea7a42223d6
SHA5123fba14d13a602937b8600c7d5cc8011f7369857be288510b142573e411b2296cdb3ce58beafdf268d04aa1c5130503a63ba38f87239fc7b0be2e0170bdfc86de
-
Filesize
1.7MB
MD5a7067594451cab167a4f463be9d0209c
SHA11c2b1e5a0826ca07cc0aa8b3d24bad0a41845df5
SHA256d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581
SHA5128fb6e9a82213cc1c371eddc12833b8cad037b800a58a3a3520eb7b14c9e41e61a8bf5db27bd6a79dd8013c51649396feff22436cb7bacf64989552a5a11abbd4
-
Filesize
912KB
MD5ba118bdf7118802beea188727b155d5f
SHA120fe923ec91d13f03bdb171df2fe54772f86ebba
SHA256270c2dbd55642543479c7e7e62f99ec11bbc65496010b1354a2be9482269d471
SHA51201d8dd2bf9aa251512b6b9b47e9d966b7eda5f76302e6441c5e7110ff37b4be325a4f8096df26a140c67bd740dcd720bc4e9356ccb95703ad63fe9fdbbb0c41f
-
Filesize
2KB
MD52d8c6b891bea32e7fa64b381cf3064c2
SHA1495396d86c96fb1cfdf56cae7658149138056aa9
SHA2562e017a9c091cf5293e978e796c81025dab6973af96cb8acd56a04ef29703550b
SHA51203a520f4423da5ef158fb81c32cfff0def361cc4d2caa9cfa4d306136da047a80a6931249a6b9c42f9f2656a27391b7921a64e10baa7468c255bc48bd488a860
-
Filesize
136KB
MD5fc3732ef603b36055209652f749c1080
SHA1bd8b0806abecf983c89814ab4dcbd3300a78fe88
SHA2560deee0d9d6e140226de19047c0ab160ec957a6e4bf63bb1c058bac9f09c47874
SHA51298ee82dfe67fa3d5fe2ae3977b959b0fb1277e5bdb320e7eca347771cd4ef8d8b99c6b3cefc0466347e8f49644386cc2d0f5f7a63eb5404a8371182bd880286f
-
Filesize
15KB
MD5ece25721125d55aa26cdfe019c871476
SHA1b87685ae482553823bf95e73e790de48dc0c11ba
SHA256c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA5124e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480
-
Filesize
1KB
MD581bf276407d099e8e72da695d1bb1087
SHA1cec27de8c8fcfa1b33b0d36c14cd6c7f53137c0d
SHA2563b2ac818383d1bbd1cfd82e7d0b5ea34f74f400a6355f8345b9df7036bfb4399
SHA5129d612d1f19588ed91ea47cd7f14bbe0081e79a52862b789565086c1b13c639b8ada660b547c78b3970908ee6e137e8225f3b5e638d015ee03338330a73b44d2b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1KB
MD5e2808f4be298a32ae279ee9ebacd0a0c
SHA1b7929c346ba7a7aa690a766e4f70bc1d44f75460
SHA25699b98f333848dacc5df866402181a6e2441fff0f9cdbb2a26f5f2c5d5dd12c52
SHA512a305986b1eb907caa77616bcf3b9929fcbef8156b9162a942b1720ae32b34e1ba0537c553b54e750a22c3106fdb33870c346dd1f9d72db7d0baa6d318c3752a2
-
Filesize
2KB
MD5e91f41985232afd6fd056b8480c5a170
SHA1b01e2d7892be3eb762fba192a003c57b5c76db2d
SHA256f29ae64570f798c34b452a978647cb30f09377f7bac8a19bcbce753bc3b1d874
SHA5123d4fca200d4e4dadc1d9d22a31f937c5985f583cd65d2644b600acdcadff6711104dbac215adc8e506afc8d9f380190024bc434ffd31deb7b839de5897bd0118
-
Filesize
2KB
MD53d19470f48de08c5b53fe1c4130e3f74
SHA171bf6b2bea07b6f20d59e420f726ac6001b4a445
SHA256c51c095880efd7a31aa3fd5403ed5e77a15616fbda2f069bde3966668e72b593
SHA5124887b25c21443f0c7faa0335388f530e2fe55f281f30d891f95fa1cb95f4e02c592efa987f0bf1a3bf2f1a4a7c216231c66e375e81dd5c71c5efa7dfd2367179
-
Filesize
5KB
MD568b287f4067ba013e34a1339afdb1ea8
SHA145ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA25618e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA51206c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
1KB
MD58afeb76891cf9e3049f629c8db3a881a
SHA1f36319fe39b50aa50dbc01625d9de7e9524a2082
SHA2565362975006830444011f41b4c999dbd8f5a7f7c80cf04f4e769aa5540359f912
SHA512dda0364ef5ccc703971a1eb9fbdb333fd60146328e6b762f51c5d12540702f5e83aa6d14b905537c03cb790435402fa3b29a856eaa7ce6665fc0743d5b09fecd
-
Filesize
1KB
MD5488e400f1c7261a897bb8aa7d61360ae
SHA1bb9ee6570b2c050570ce03c2647d3bc9917d9e8e
SHA2562d3343cf5e3234e6f5f7eb8043aef1f0f0480997da16b9b7e332502c675657f8
SHA51264cf4f456f6acf186d0ef405eec6bc2db88787cba1cdcf5314db131e40686e74197b20e33d257e11bc19830275c0ee8634d9e7f8357c767176c40ecf265c461a
-
Filesize
20KB
MD549b6ff446eddaf88ea08a7c16792952e
SHA1c0dc334f467d867f0e1d3fabd555ebcac395fc8b
SHA2562fb724dd202047575842ab8b47f7c395b06c84879af5a1cd5978b3a0111e3580
SHA51277caea2889ef3c8396cf333e6f99656cf087ba69e20f86279cf415e9b3ef598a98a0a2bada407443910ef24b8d51602ef3d1504f3826f0f9837d07db488bab2b