Analysis

  • max time kernel
    96s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 16:15

General

  • Target

    SploitXE Release/setup.exe

  • Size

    2.4MB

  • MD5

    d1be561690e1d91e515faf9581cf81a6

  • SHA1

    9fed9a02c3845ca78bd72319bbfcf5140e64a36a

  • SHA256

    7213f30970c9764e1e0f85f15125f9241cf2619fb4724d322b5fe6f8ee3d9da0

  • SHA512

    919e7bd14b65bf4fc778ce3409a92fdb5a59516cdb43d5dd3626ff2d18be9389951a289afe7453aeb6f8b9e314007c007a6f3bb7137f4fd167ce5688cebf28f5

  • SSDEEP

    49152:Ytavs+rX1wXzrf7XC4yY86lG8mFMRkoma4ftd0B8K4QH9SsmHFDTWU:Yn+j1wHzyb38mORkdtdCzdSsmHRTn

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
    1⤵
    • Drops file in System32 directory
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Fraps\fraps.exe
      "C:\Fraps\fraps.exe" /exit
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Executes dropped EXE
      PID:2084
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:1396
  • C:\Fraps\fraps.exe
    "C:\Fraps\fraps.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Fraps\fraps64.dat
      "C:\Fraps\fraps64.dat"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Fraps\fraps.exe

    Filesize

    2.5MB

    MD5

    0ff5b5161a78bf5721811779376db71d

    SHA1

    35308429117b514237d34bd8015bfe4efa8e7d55

    SHA256

    da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80

    SHA512

    d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204

  • C:\Fraps\fraps32.dll

    Filesize

    263KB

    MD5

    6328007efe11f2ad0a50f122367ce743

    SHA1

    3f48580a32d0c5cd2551dcbcbce885c9337ce044

    SHA256

    e800f37cb2efa8ba13a25278cdd578dae4a2c86d23d4247349673160b0301e4f

    SHA512

    67d38b4dadecf020d1dc1e567327b5c0ebb72391448956e3e5a99943b6552851a94236d407da47c70abeed841898d2681382d78c522a40f28f22bbb654f7a8ec

  • C:\Fraps\fraps64.dat

    Filesize

    112KB

    MD5

    79856998086dec03fa34a614708ae1e2

    SHA1

    f858dd68780063527953aeccdcbfc955b3ea2cb9

    SHA256

    a62a9241f3bf39176956d6fa45cec7a9aae12908c7156e4b533b81d35e902a9e

    SHA512

    ca63ea0f8f269b957efa65faf4c836133c93cbe38b76f5c0117bdb3e9a1719ef1b1943a9a3f2f7e51e31e08fdc0a02b24233baaa12aa6087112db9b4b7bb7f48

  • C:\Fraps\fraps64.dll

    Filesize

    224KB

    MD5

    5fd7bee98d14dacdf2f206dad278a621

    SHA1

    03181ad2c9ff23f679f4276ed6c34bdcc7a7282c

    SHA256

    6acebecb8934508832a44fdd92823e8026ea4878c81e6eb18ae03eaa7b5b5c6f

    SHA512

    12886a63450ed203dad5f4e485ae8cb0bad97e2d4ab76e136c37e4679f2fd83918786dd5c2c3b593766835447c9d4e320f8d82161281c097c5b852b741c13f56

  • C:\Fraps\frapslcd.dll

    Filesize

    170KB

    MD5

    895c32a4eefd648d62e92201e4954cd2

    SHA1

    5d7753f95ab95176da45473eaa0d7de29ca02973

    SHA256

    1376f53554c5977a627a7e749dd147cd10e7735ef4b860fd69b7ae31a7b15e74

    SHA512

    76823f00376aff72b7ddf7fad259a43cdc5feec5486e3d79f6d63758f7325059d8e83dc10beb9447254501fe606b9f17fa6ed4d54f98a59dd4571453ff58fb35

  • C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\AdvSplash.dll

    Filesize

    6KB

    MD5

    13cc92f90a299f5b2b2f795d0d2e47dc

    SHA1

    aa69ead8520876d232c6ed96021a4825e79f542f

    SHA256

    eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

    SHA512

    ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

  • C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\StartMenu.dll

    Filesize

    7KB

    MD5

    a4173b381625f9f12aadb4e1cdaefdb8

    SHA1

    cf1680c2bc970d5675adbf5e89292a97e6724713

    SHA256

    7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b

    SHA512

    fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

  • C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\Videos\Captures\desktop.ini

    Filesize

    190B

    MD5

    b0d27eaec71f1cd73b015f5ceeb15f9d

    SHA1

    62264f8b5c2f5034a1e4143df6e8c787165fbc2f

    SHA256

    86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

    SHA512

    7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

  • memory/2084-50-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

  • memory/2084-51-0x0000000004D70000-0x0000000004D71000-memory.dmp

    Filesize

    4KB

  • memory/2084-49-0x0000000004D40000-0x0000000004D41000-memory.dmp

    Filesize

    4KB

  • memory/2084-48-0x0000000004D60000-0x0000000004D61000-memory.dmp

    Filesize

    4KB

  • memory/2084-47-0x0000000004D30000-0x0000000004D31000-memory.dmp

    Filesize

    4KB

  • memory/2084-52-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

  • memory/2084-53-0x0000000004D20000-0x0000000004D21000-memory.dmp

    Filesize

    4KB

  • memory/2084-54-0x0000000000401000-0x0000000000419000-memory.dmp

    Filesize

    96KB

  • memory/2084-46-0x0000000000400000-0x0000000000C03000-memory.dmp

    Filesize

    8.0MB

  • memory/2084-45-0x0000000000400000-0x0000000000C03000-memory.dmp

    Filesize

    8.0MB

  • memory/3264-77-0x0000000000400000-0x0000000000C03000-memory.dmp

    Filesize

    8.0MB

  • memory/3264-90-0x0000000000400000-0x0000000000C03000-memory.dmp

    Filesize

    8.0MB

  • memory/3264-91-0x0000000000400000-0x0000000000C03000-memory.dmp

    Filesize

    8.0MB