Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 00:26

General

  • Target

    Towers (Paid).exe

  • Size

    20.1MB

  • MD5

    78f2167ffc65737f93605ed6004e5f38

  • SHA1

    d6ec25ee83c8e0e0aa1a97fd7949ad60e24b2e1b

  • SHA256

    34d8469a325db034742a082299caef8a82f2e0e18e6988fdaf15efea34f9ef6f

  • SHA512

    a1f345b9cd1ff6d2c0897a05d865935c7f0322b1704532c373d2a84982420021d2000679d66e47d364dfdfb8e6a4136093c9e42713886d0906857b3b5b4f45dc

  • SSDEEP

    393216:1zEYPh8EL2Vmd6mI/m3pyc/eEJ4mbYV4aR5heV2BUp/Io3c8m0HK:OIyVmdSKyuh4yY/eVAoMQHK

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe
    "C:\Users\Admin\AppData\Local\Temp\Towers (Paid).exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2052
    • \??\c:\users\admin\appdata\local\temp\towers (paid).exe 
      "c:\users\admin\appdata\local\temp\towers (paid).exe "
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:548
      • \??\c:\users\admin\appdata\local\temp\towers (paid).exe 
        "c:\users\admin\appdata\local\temp\towers (paid).exe "
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2404
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1796
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2648
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2544
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2524
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:29 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1328
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:30 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1560
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2772
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2944
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-file-l1-2-0.dll

        Filesize

        11KB

        MD5

        cc44206c303277d7addb98d821c91914

        SHA1

        9c50d5fac0f640d9b54cd73d70063667f0388221

        SHA256

        9b7895c39ee69f22a3adc24fe787cba664ad1213cea8bc3184ed937d5121e075

        SHA512

        e79df82d7b2281987d6f67780c1c2104e0135c9cfbcb825055f69835b125dedb58dcd1d5c08cd4e8666f598d49602b36289b077e3a528db88f02ee603a6e8819

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-file-l2-1-0.dll

        Filesize

        11KB

        MD5

        7816039fc35232c815b933c47d864c88

        SHA1

        e68fb109a6921f64ae05104ba1afc1952b868b9a

        SHA256

        9c8f443b3a42e9e1aaa110b12c85f99b3d42ce22849cc3072cf56e29ccdd8401

        SHA512

        943b5eae98337652b3ee8c0ad88172d5cc22bbee14e517a91c0d67b89cfbbc68cb854a3f53badcb49d355ec6e748de5579e8bf6a0f8ee28f85ba11808fb79e25

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-localization-l1-2-0.dll

        Filesize

        14KB

        MD5

        bceb3a4fd70578a2bb1e5138edeeeeb3

        SHA1

        9796afc837c53a83a8e77d4c2bc88c26b31ff525

        SHA256

        8a4b5a175d575d1037a046156630df4ca5389b4919a9746e1a2f5d456ca50bd8

        SHA512

        7fcc7c22032a22e79b6438f86e491a179f74a9a33ce64d8a6ebc3fb6f9ff1f2e2ece15cba19fe756a90b104c6beea8f892a98193770b478fecb9dedb1b66cd25

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-processthreads-l1-1-1.dll

        Filesize

        11KB

        MD5

        c58e2f3828248f84280f0719fda08fd2

        SHA1

        9679c51b4035da139a1cc9b689cb2ea1c2e7cdec

        SHA256

        a1b79943cdf8ded063cdaec144f8a170de8bbe97b696445885709573c5e0faeb

        SHA512

        57ccc658870e9d446f9c9d130adde6b96428999697b007e844b7714998d2a23eabed92460c1275a92f1ceca29be232d5d97e29f0d4d07cc749cde41bcb5f8729

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\api-ms-win-core-timezone-l1-1-0.dll

        Filesize

        12KB

        MD5

        842d23af3a6a12b10c9a4ee4d79ec1c1

        SHA1

        2cd46ebdd418b12444dc351c0073dafc5b9eabd5

        SHA256

        33adac3484118f56f3d8d8745431cef241d643b46956e08fbb62a63a6f2236da

        SHA512

        45a8238862b6ad157d261e5120d1bfd3925fa7e429025d7470ce82f64e51c209f4231f37b3445a4cd3f6649c4b0222bfbd845a16c0e5e022685b081b39cd9296

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\python310.dll

        Filesize

        4.3MB

        MD5

        c80b5cb43e5fe7948c3562c1fff1254e

        SHA1

        f73cb1fb9445c96ecd56b984a1822e502e71ab9d

        SHA256

        058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

        SHA512

        faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

      • C:\Users\Admin\AppData\Local\Temp\_MEI5482\ucrtbase.dll

        Filesize

        1011KB

        MD5

        bb0e3819e308a153c99fa6bccf2f4e77

        SHA1

        d96dc06cb9f441869c5088aaee4e55a81fa14387

        SHA256

        83e7252e6af0e63bd80bc996eed6cb687c36b94f20a55a16145d5e68076b1587

        SHA512

        7eb23a895bc4fac0cda16b1ab8cdcdacac7ade76519b5d9e14d2917025f3cdd7fc4bd16d22df59a8dfe7b110eb8a8ce98a50355aa32d8c49bcab3596bd0a01ed

      • C:\Windows\Resources\Themes\explorer.exe

        Filesize

        135KB

        MD5

        372711757ba220832d00d231b06fc9c5

        SHA1

        f08dcd7d79b4515ffbc5181a954cfb6e8bf7986d

        SHA256

        3d04452c098220399902c06c4fb47075df8528e0b75806cf1446cf2c98170c40

        SHA512

        194ea63358f8d365f867f8ce36d9c9d6cf7b95efb7060e6a4a4f4ea0f0449a007330d098d9e09bf7cbb385e0c4d5d35c5056685d4236a3fe753530388ced7496

      • C:\Windows\Resources\svchost.exe

        Filesize

        135KB

        MD5

        c5004257ac920db68562ae5678c6b844

        SHA1

        1e183f11824b335b5ee8de05260ae6e66eb7483f

        SHA256

        1c9d54b11444f6f2503001c75f5068bff82de9479b7201b9ebf3f731bdabf969

        SHA512

        1e4358aef5ed987a7acfd61d38145aa740bf4b6579e98a0b2242af3400562400d20feb716b06726422d934e9ff011a29d90d894d6f5b95e915da1ede6591d55c

      • \Users\Admin\AppData\Local\Temp\towers (paid).exe 

        Filesize

        20.0MB

        MD5

        4e2a9aa7d93e6cda6f3831f10c9ece80

        SHA1

        da1496dad066f80f571ff0994607830c5a70986d

        SHA256

        eb0977c478c7afe1086e14cf514706594d2501dcfcb1239cf0f5ff97ea589409

        SHA512

        ca1bc5266b067f4f49b30f84eceb1a0902c8605641ba4bfc6ffb31bbe23e29321e4892bd02129166a335cbdaea6d3d2c7f6daadce733c5f6294a68f658568eed

      • \Windows\Resources\Themes\icsys.icn.exe

        Filesize

        135KB

        MD5

        e63a011650ec624ee8e1ee2194b321e9

        SHA1

        616d14ed379a3141fa0fa74d3e5ac6861d191e2f

        SHA256

        6d10f4f1764022997a23b74dd149815f9afa3f884beca1d09636275d57022999

        SHA512

        ee4c4acee45595a250d5c6aa98ea1717f8e233baaa6fe253493878b47c3a6dc18332ddef8e55ac0e7676d1d446bbaebd681c62cd7c37443ee5f286446e5aa416

      • \Windows\Resources\spoolsv.exe

        Filesize

        135KB

        MD5

        f3f77b02c0077e4289e1f6a05ed72b85

        SHA1

        489b382282206e12add4fb3aa6f422817a01734b

        SHA256

        29ffa37a38125d02ddd6afd865beb9026412ee4acd9c8aad75879f7d4d31f4f8

        SHA512

        a05b183466530719d789782c2ce422c3f76099d820dbd850da4eb959a6d3c07c34c4a7ae1d762b41b3b12e6e7326ba0322d46d5ba9b907e62afe3cf67f6355e7

      • memory/1796-114-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/1796-115-0x00000000003C0000-0x00000000003DF000-memory.dmp

        Filesize

        124KB

      • memory/2052-121-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2052-0-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2052-14-0x0000000000290000-0x00000000002AF000-memory.dmp

        Filesize

        124KB

      • memory/2524-103-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2544-119-0x00000000003D0000-0x00000000003EF000-memory.dmp

        Filesize

        124KB

      • memory/2544-117-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2648-104-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/2780-120-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB
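The Downloads list above mixes two kinds of file indicator. The four 135KB executables written under C:\Windows\Resources and the re-written copy of the payload are specific to this sample; the api-ms-win-core-* forwarders, python310.dll and ucrtbase.dll are the ordinary Python 3.10 runtime that any PyInstaller-built program extracts into a _MEI<pid> folder, so a hash hit on those identifies a PyInstaller build, not this malware. Note also that the dropped payload copy, \Users\Admin\AppData\Local\Temp\towers (paid).exe , carries a trailing space in its name, is slightly smaller than the submitted file and has a different hash, so the trailing space is part of the indicator and must not be trimmed when matching. The following is an added example, not part of the sandbox report: a sweep that hashes a file tree and reports hash-based and path-based hits, with the strong/weak split described above. The hash and path values are copied from this report; the function names, the strength labels and the choice of which entries count as weak are my own.

```python
"""Sweep a file tree for the dropped-file indicators listed under Downloads.
Added example; indicator values come from the report, everything else is assumed."""
import hashlib
import os

# SHA256 -> (label, strength). "strong": the dropped executables and the re-written
# payload. "weak": generic PyInstaller/Python 3.10 runtime files (expect false positives).
HASH_IOCS = {
    "3d04452c098220399902c06c4fb47075df8528e0b75806cf1446cf2c98170c40": (r"\Windows\Resources\Themes\explorer.exe", "strong"),
    "1c9d54b11444f6f2503001c75f5068bff82de9479b7201b9ebf3f731bdabf969": (r"\Windows\Resources\svchost.exe", "strong"),
    "6d10f4f1764022997a23b74dd149815f9afa3f884beca1d09636275d57022999": (r"\Windows\Resources\Themes\icsys.icn.exe", "strong"),
    "29ffa37a38125d02ddd6afd865beb9026412ee4acd9c8aad75879f7d4d31f4f8": (r"\Windows\Resources\spoolsv.exe", "strong"),
    "eb0977c478c7afe1086e14cf514706594d2501dcfcb1239cf0f5ff97ea589409": (r"\Users\Admin\AppData\Local\Temp\towers (paid).exe ", "strong"),
    "34d8469a325db034742a082299caef8a82f2e0e18e6988fdaf15efea34f9ef6f": ("Towers (Paid).exe (submitted sample)", "strong"),
    "058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20": ("python310.dll (PyInstaller runtime)", "weak"),
    "83e7252e6af0e63bd80bc996eed6cb687c36b94f20a55a16145d5e68076b1587": ("ucrtbase.dll (PyInstaller runtime)", "weak"),
}

# Path-based indicators: executables where Windows keeps only theme resources, and the
# payload re-written with a trailing space. Matched against the tail of the lower-cased
# path; the trailing space is kept on purpose, it separates the dropped copy from the original.
PATH_IOCS = (
    r"\windows\resources\themes\explorer.exe",
    r"\windows\resources\themes\icsys.icn.exe",
    r"\windows\resources\spoolsv.exe",
    r"\windows\resources\svchost.exe",
    r"\appdata\local\temp\towers (paid).exe ",
)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1MB chunks so a 20MB sample does not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, digest):
    """Return a list of (indicator_type, label, strength) hits for one file."""
    hits = []
    if digest.lower() in HASH_IOCS:
        label, strength = HASH_IOCS[digest.lower()]
        hits.append(("hash", label, strength))
    norm = path.replace("/", "\\").lower()  # no strip(): trailing space is significant
    for tail in PATH_IOCS:
        if norm.endswith(tail):
            hits.append(("path", tail, "strong"))
    return hits


def scan(entries):
    """entries: iterable of (path, sha256). Returns [(path, hits)] for files with at least one hit."""
    results = []
    for path, digest in entries:
        hits = classify(path, digest)
        if hits:
            results.append((path, hits))
    return results


def hash_tree(root):
    """Yield (path, sha256) for every readable regular file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                yield p, sha256_file(p)
            except OSError:
                continue


if __name__ == "__main__":
    import sys
    for path, hits in scan(hash_tree(sys.argv[1] if len(sys.argv) > 1 else ".")):
        for kind, label, strength in hits:
            print(f"{strength:<6} {kind:<4} {path!r} -> {label}")
```

Run it with the root to sweep (a mounted image, or C:\ on a live host) as the first argument. Treat a "weak" hit on its own as a prompt to look for a _MEI<pid> folder and its parent process, not as a match for this sample; a "strong" hash or path hit, or a system-binary name under C:\Windows\Resources, is the indicator to act on.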