Overview
overview
10Static
static
3SecuriteIn...11.exe
windows10-2004-x64
10CachemanCo...el.exe
windows10-2004-x64
10Qt5Concurrentd.dll
windows10-2004-x64
1libblkmaker-0.1-6.dll
windows10-2004-x64
1libgcc_s_seh-1.dll
windows10-2004-x64
1libgraph31.dll
windows10-2004-x64
7libgstcont...-0.dll
windows10-2004-x64
1libogg-0.dll
windows10-2004-x64
1libxml3.dll
windows10-2004-x64
3vcruntime140.dll
windows10-2004-x64
3zlib.dll
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
69s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-06-2024 21:32
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.AIDetect.malware1.14311.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
CachemanControlPanel.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Qt5Concurrentd.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
libblkmaker-0.1-6.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
libgcc_s_seh-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
libgraph31.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
libgstcontroller-1.0-0.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
libogg-0.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
libxml3.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
vcruntime140.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
zlib.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
SecuriteInfo.com.W32.AIDetect.malware1.14311.exe
-
Size
2.5MB
-
MD5
ae8f9d9b8344d52f0872dfdc852e1dd4
-
SHA1
7e9f4259cc193465317ee48b8428b36e74028390
-
SHA256
95b5d0e36464afc8391a9d056926e5859506ead18937669554bde42f7a6d135b
-
SHA512
27928930215dbb9217247d846c570a756b46866b17b0832c9de7c8a800e3d0457f64c28ddfb4a66372f3837695e8f1a5645804f222ac7344284facb68bc79b21
-
SSDEEP
49152:qFUy7w/OQkyXuS18WPu8vE2uajZ3/qUlppUAr/n7oi/dyXUETzBJi3:qFnekR+08s2uaX9tdyZTzBJi3
Malware Config
Signatures
-
Babadeda Crypter 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023433-17.dat family_babadeda -
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
resource yara_rule behavioral1/memory/244-47-0x0000000000400000-0x000000000073E000-memory.dmp diamondfox -
Executes dropped EXE 1 IoCs
pid Process 244 CachemanControlPanel.exe -
Loads dropped DLL 1 IoCs
pid Process 244 CachemanControlPanel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5056 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 5056 taskmgr.exe Token: SeSystemProfilePrivilege 5056 taskmgr.exe Token: SeCreateGlobalPrivilege 5056 taskmgr.exe Token: SeSecurityPrivilege 5056 taskmgr.exe Token: SeTakeOwnershipPrivilege 5056 taskmgr.exe Token: SeBackupPrivilege 1160 svchost.exe Token: SeRestorePrivilege 1160 svchost.exe Token: SeSecurityPrivilege 1160 svchost.exe Token: SeTakeOwnershipPrivilege 1160 svchost.exe Token: 35 1160 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe 5056 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3200 wrote to memory of 244 3200 SecuriteInfo.com.W32.AIDetect.malware1.14311.exe 82 PID 3200 wrote to memory of 244 3200 SecuriteInfo.com.W32.AIDetect.malware1.14311.exe 82 PID 3200 wrote to memory of 244 3200 SecuriteInfo.com.W32.AIDetect.malware1.14311.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.14311.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.14311.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Users\Admin\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exeC:\Users\Admin\AppData\Roaming\CachemanControlPanel\CachemanControlPanel.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:244
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD55d3bf7a18887582b8a2cea327f2e7ba6
SHA183843851b7b7beb2b1853b813e7f0b1666b1bd62
SHA256014d644eccc232cd6906c5abf8afd3e53f94004057d4a1bb2771dfea00f0ae4b
SHA5123d4ffc844b211fae199f3da8b557cec2f6e882b8be42f3d99882eaa3e9d73018f8c06971cb783d223f3423d0c55788b7520bd57fd33d8d2dfe6c4be9455e62d7
-
Filesize
532KB
MD55ae30e4cdabb5b269b7eb358aae2d5e2
SHA158aae25bf64bd0b15be33ceb47ddb6ef3802433a
SHA2560b2cabaf0b2aef51c3396b11e604c46b65eabc0cbde3e257bc9c9fd1c2446c6f
SHA5122d4a2aad072bebbc707af9dca22c54f6d9607e6f7bc8826bcb61b0321f4e0464884f4577dc51dcfb7a40a9b143cf9e26225694ef4668f629f632870d11afa198
-
Filesize
490KB
MD5fa4b4f1f9869da4a0209bba251859efc
SHA1fe7a4ee923d6eeb93e8a52778735120705d927a5
SHA25605af99365637a46d18b5bc60d20e7cbd8943f250a15976c672b3d29ee1472d2f
SHA512f82eb33679935cb69baaf3ad5eaa71df3d750771b21b964597543d901483aab89602f8603e474758ae6162157c06d37b36db669086dcf31cea7ce8d560094456