Analysis
max time kernel: 96s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 16:15
Behavioral tasks
- behavioral1: sample SploitXE Release/SploitXE.exe, resource win7-20231129-en
- behavioral2: sample SploitXE Release/SploitXE.exe, resource win10v2004-20240508-en
- behavioral3: sample SploitXE Release/setup.exe, resource win7-20240220-en
General
Target: SploitXE Release/setup.exe
Size: 2.4MB
MD5: d1be561690e1d91e515faf9581cf81a6
SHA1: 9fed9a02c3845ca78bd72319bbfcf5140e64a36a
SHA256: 7213f30970c9764e1e0f85f15125f9241cf2619fb4724d322b5fe6f8ee3d9da0
SHA512: 919e7bd14b65bf4fc778ce3409a92fdb5a59516cdb43d5dd3626ff2d18be9389951a289afe7453aeb6f8b9e314007c007a6f3bb7137f4fd167ce5688cebf28f5
SSDEEP: 49152:Ytavs+rX1wXzrf7XC4yY86lG8mFMRkoma4ftd0B8K4QH9SsmHFDTWU:Yn+j1wHzyb38mORkdtdCzdSsmHRTn
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: fraps.exe, fraps.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: fraps.exe, fraps.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: fraps.exe, fraps.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | fraps.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | fraps.exe
Drops desktop.ini file(s) (1 IoC)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: setup.exe
description | ioc | process
File created | C:\Windows\SysWOW64\frapsvid.dll | setup.exe
File created | C:\Windows\system32\frapsv64.dll | setup.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Executes dropped EXE (3 IoCs)
Processes: fraps.exe, fraps.exe, fraps64.dat
pid | process
2084 | fraps.exe
3264 | fraps.exe
1016 | fraps64.dat
Loads dropped DLL (10 IoCs)
Processes: setup.exe, fraps.exe, fraps64.dat
pid | process
1180 | setup.exe
1180 | setup.exe
1180 | setup.exe
1180 | setup.exe
3264 | fraps.exe
3264 | fraps.exe
1016 | fraps64.dat
3436 | (no process name given)
2080 | (no process name given)
4420 | (no process name given)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Modifies registry class (5 IoCs)
Processes: fraps.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.avi | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | fraps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | fraps.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{C71814BA-7287-45A7-84E2-64E1664CAB3D} | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: setup.exe
pid | process
1180 | setup.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: fraps.exe
description | pid | process
Token: SeManageVolumePrivilege | 3264 | fraps.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: fraps.exe
pid | process
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: fraps.exe
pid | process
3264 | fraps.exe
3264 | fraps.exe
Suspicious use of SetWindowsHookEx (17 IoCs)
Processes: fraps.exe, fraps64.dat
pid | process
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
1016 | fraps64.dat
1016 | fraps64.dat
1016 | fraps64.dat
1016 | fraps64.dat
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
3264 | fraps.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: setup.exe, fraps.exe
description | pid | process | target process
PID 1180 wrote to memory of 2084 | 1180 | setup.exe | fraps.exe
PID 1180 wrote to memory of 2084 | 1180 | setup.exe | fraps.exe
PID 1180 wrote to memory of 2084 | 1180 | setup.exe | fraps.exe
PID 3264 wrote to memory of 1016 | 3264 | fraps.exe | fraps64.dat
PID 3264 wrote to memory of 1016 | 3264 | fraps.exe | fraps64.dat
Processes
- C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe (PID 1180, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
  Signatures:
  - Drops file in System32 directory
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  Child process: C:\Fraps\fraps.exe (PID 2084, level 2)
    Command line: "C:\Fraps\fraps.exe" /exit
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Executes dropped EXE

- C:\Windows\system32\svchost.exe (PID 1396, level 1)
  Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  Signatures:
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class

- C:\Fraps\fraps.exe (PID 3264, level 1)
  Command line: "C:\Fraps\fraps.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process: C:\Fraps\fraps64.dat (PID 1016, level 2)
    Command line: "C:\Fraps\fraps64.dat"
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads