Analysis
-
max time kernel
446s -
max time network
449s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 06:28
General
-
Target
Dork Searcher v3.exe
-
Size
63.7MB
-
MD5
a324c0d0f457a5cd86de81514605c0d2
-
SHA1
6137b3183d9dfcdd3f647a9f579079ebd88b5e5e
-
SHA256
952d7df4797bd5ecc451fe57c4e160242a111391d183e4713d3b3a9ac737be25
-
SHA512
1b93b37795d54f0b17407661bbdba357bad28ba22a885e9ba589976c455e6ab0f3c46cec27b18839a2693c80bca49bb2254b6e1757f771e2bdda9deafd50f495
-
SSDEEP
1572864:5zUKleXzeH+IwMvNG83xXcRKzLADd4jyyp287t71FeuIEGMTQtYkVs:5Z+itxsRKzKd4jq8tpsuIMTQtpVs
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3.exe"C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3 .exe"C:\Users\Admin\AppData\Local\Temp\Dork Searcher v3 .exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.logFilesize
408B
MD570f08e6585ed9994d97a4c71472fccd8
SHA13f44494d4747c87fb8b94bb153c3a3d717f9fd63
SHA25687fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa
SHA512d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.logFilesize
588B
MD52f142977932b7837fa1cc70278e53361
SHA10a3212d221079671bfdeee176ad841e6f15904fc
SHA256961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820
SHA512a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421
-
C:\Users\Admin\AppData\Local\Temp\Setup.exeFilesize
477KB
MD50e6c9432cba1614fccc232f201028c72
SHA16082cf9489faa785c066195f108548e705a6d407
SHA256c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8
SHA512c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb
-
C:\Users\Admin\AppData\Local\Temp\a42e6cb8-6f40-425a-a17c-89ddc5754217\AgileDotNetRT64.dllFilesize
141KB
MD5e8641f344213ca05d8b5264b5f4e2dee
SHA196729e31f9b805800b2248fd22a4b53e226c8309
SHA25685e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA5123130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exeFilesize
339KB
MD5301e8d9a2445dd999ce816c17d8dbbb3
SHA1b91163babeb738bd4d0f577ac764cee17fffe564
SHA2562ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb
SHA5124941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zipFilesize
140KB
MD5bbf128484e7ea29053c6db91849067ea
SHA1c46ec37265740c349fb265099e47ebbef9369ba1
SHA2565e6f03b5ae15131c2ad374c563273389b3340168ff647433a6b5e7acce468b05
SHA512aeb756d2b2238eaa16a82673b6a86b609320abd6eafc4b742d0f5a9fe88fbbf34a1fd7e6ad9d2f30a832e288a3d7b725a73f83616df1d3edee92c8fd06984e7e
-
memory/1752-3-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/1752-4-0x000000001FE40000-0x000000002030E000-memory.dmpFilesize
4.8MB
-
memory/1752-5-0x0000000020310000-0x00000000203AC000-memory.dmpFilesize
624KB
-
memory/1752-2-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/1752-1-0x000000001F8C0000-0x000000001F966000-memory.dmpFilesize
664KB
-
memory/1752-47-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/1752-0-0x00007FFB55275000-0x00007FFB55276000-memory.dmpFilesize
4KB
-
memory/2692-48-0x000000001BE20000-0x000000001BE28000-memory.dmpFilesize
32KB
-
memory/2924-27-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/2924-25-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/2924-24-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/2924-51-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/3012-53-0x00000000009D0000-0x0000000004912000-memory.dmpFilesize
63.3MB
-
memory/3012-60-0x00007FFB50A40000-0x00007FFB50B8E000-memory.dmpFilesize
1.3MB
-
memory/3012-61-0x00007FFB646E0000-0x00007FFB64708000-memory.dmpFilesize
160KB
-
memory/3012-62-0x0000000032820000-0x0000000036666000-memory.dmpFilesize
62.3MB
-
memory/3012-69-0x00007FFB646E0000-0x00007FFB64708000-memory.dmpFilesize
160KB
-
memory/3672-20-0x0000000000840000-0x000000000086C000-memory.dmpFilesize
176KB
-
memory/3672-52-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/3672-19-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB
-
memory/3672-18-0x00007FFB54FC0000-0x00007FFB55961000-memory.dmpFilesize
9.6MB