Analysis
-
max time kernel
137s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
-
submitted
20-06-2024 09:01
Behavioral task
behavioral1
Sample
dora.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
dora.exe
Resource
win10v2004-20240508-en
General
-
Target
dora.exe
-
Size
49KB
-
MD5
17356ef8f161730156c221300ea3cf5b
-
SHA1
25a05bd0a9a4167b7fd08feb44de269910701c82
-
SHA256
18ba97ec9c00b85d27d9d20c62ef7bd9484ad68a33e2a2121a1bcbed19f2eacd
-
SHA512
df964b7aac2dbbaf7a04e935dbb566e1207b0d11971f28bba9c0c136adeff475bec31c92e54be7d4da786f70d9cb339ff37e6a8f9196ceb16ab185cc956912cf
-
SSDEEP
768:daQRff0B31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADQT4J74:daD318HxZATvnsblYOJ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 4 IoCs
flow | pid | Process
5 | 2188 | rundll32.exe
7 | 2188 | rundll32.exe
12 | 2636 | rundll32.exe
13 | 2636 | rundll32.exe
-
Deletes backup catalog
pid | Process
2512 | wbadmin.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
15 | iplogger.com
16 | iplogger.com
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2416.tmp.bmp" | dora.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Indian\Cocos | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html | dora.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn | dora.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml | dora.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css | dora.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\+README-WARNING+.txt | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF | dora.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Berlin | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml | dora.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195534.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar | dora.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107150.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02373_.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt | dora.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Montevideo | dora.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo | dora.exe
File opened for modification | C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui | dora.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171685.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0279644.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianResume.Dotx | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01842_.GIF | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra | dora.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\+README-WARNING+.txt | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar | dora.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js | dora.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif.[59CAA577].[[email protected]].DORRA | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanReport.Dotx | dora.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png | dora.exe
File opened for modification | C:\Program Files\Java\jre7\lib\ext\localedata.jar | dora.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Hermosillo | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html | dora.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\+README-WARNING+.txt | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PAPERS.INI | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS | dora.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\+README-WARNING+.txt | dora.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png | dora.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan | dora.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo | dora.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\micaut.dll.mui | dora.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02439_.WMF | dora.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2676 | vssadmin.exe
-
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX | rundll32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2796 | dora.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2604 | vssvc.exe
Token: SeRestorePrivilege | 2604 | vssvc.exe
Token: SeAuditPrivilege | 2604 | vssvc.exe
Token: SeBackupPrivilege | 2968 | wbengine.exe
Token: SeRestorePrivilege | 2968 | wbengine.exe
Token: SeSecurityPrivilege | 2968 | wbengine.exe
Token: SeIncreaseQuotaPrivilege | 2352 | WMIC.exe
Token: SeSecurityPrivilege | 2352 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2352 | WMIC.exe
Token: SeLoadDriverPrivilege | 2352 | WMIC.exe
Token: SeSystemProfilePrivilege | 2352 | WMIC.exe
Token: SeSystemtimePrivilege | 2352 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2352 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2352 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2352 | WMIC.exe
Token: SeBackupPrivilege | 2352 | WMIC.exe
Token: SeRestorePrivilege | 2352 | WMIC.exe
Token: SeShutdownPrivilege | 2352 | WMIC.exe
Token: SeDebugPrivilege | 2352 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2352 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2352 | WMIC.exe
Token: SeUndockPrivilege | 2352 | WMIC.exe
Token: SeManageVolumePrivilege | 2352 | WMIC.exe
Token: 33 | 2352 | WMIC.exe
Token: 34 | 2352 | WMIC.exe
Token: 35 | 2352 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2352 | WMIC.exe
Token: SeSecurityPrivilege | 2352 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2352 | WMIC.exe
Token: SeLoadDriverPrivilege | 2352 | WMIC.exe
Token: SeSystemProfilePrivilege | 2352 | WMIC.exe
Token: SeSystemtimePrivilege | 2352 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2352 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2352 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2352 | WMIC.exe
Token: SeBackupPrivilege | 2352 | WMIC.exe
Token: SeRestorePrivilege | 2352 | WMIC.exe
Token: SeShutdownPrivilege | 2352 | WMIC.exe
Token: SeDebugPrivilege | 2352 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2352 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2352 | WMIC.exe
Token: SeUndockPrivilege | 2352 | WMIC.exe
Token: SeManageVolumePrivilege | 2352 | WMIC.exe
Token: 33 | 2352 | WMIC.exe
Token: 34 | 2352 | WMIC.exe
Token: 35 | 2352 | WMIC.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2796 | dora.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2188 | 2796 | dora.exe | 28
PID 2796 wrote to memory of 2984 | 2796 | dora.exe | 30
PID 2796 wrote to memory of 2984 | 2796 | dora.exe | 30
PID 2796 wrote to memory of 2984 | 2796 | dora.exe | 30
PID 2796 wrote to memory of 2984 | 2796 | dora.exe | 30
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2956 wrote to memory of 2636 | 2956 | dora.exe | 32
PID 2984 wrote to memory of 2676 | 2984 | cmd.exe | 33
PID 2984 wrote to memory of 2676 | 2984 | cmd.exe | 33
PID 2984 wrote to memory of 2676 | 2984 | cmd.exe | 33
PID 2984 wrote to memory of 2512 | 2984 | cmd.exe | 36
PID 2984 wrote to memory of 2512 | 2984 | cmd.exe | 36
PID 2984 wrote to memory of 2512 | 2984 | cmd.exe | 36
PID 2984 wrote to memory of 2352 | 2984 | cmd.exe | 40
PID 2984 wrote to memory of 2352 | 2984 | cmd.exe | 40
PID 2984 wrote to memory of 2352 | 2984 | cmd.exe | 40
PID 2796 wrote to memory of 5356 | 2796 | dora.exe | 46
PID 2796 wrote to memory of 5356 | 2796 | dora.exe | 46
PID 2796 wrote to memory of 5356 | 2796 | dora.exe | 46
PID 2796 wrote to memory of 5356 | 2796 | dora.exe | 46
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\dora.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dora.exe"
  PID:2796
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0f4e74a9-a0ef-4d45-a648-227991eae33d};C:\Users\Admin\AppData\Local\Temp\dora.exe;2796
    PID:2188
    - Blocklisted process makes network request
    - Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\dora.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dora.exe" n2796
    PID:2956
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0f4e74a9-a0ef-4d45-a648-227991eae33d};C:\Users\Admin\AppData\Local\Temp\dora.exe;2956
      PID:2636
      - Blocklisted process makes network request
      - Modifies registry class
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID:2984
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID:2676
      - Interacts with shadow copies
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      PID:2512
      - Deletes backup catalog
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      PID:2352
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
    PID:5356
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID:2604
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID:2968
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:2124
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID:2768
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID:316
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\{3146AA60-6BF6-4755-8526-1AA38554A1D0}\PlayTasks\0\Play.lnk
Filesize
1KB
MD5
0958b267664a4439bcf8812ca9c1b464
SHA1
08ee674251155c45059dd615ab7c31cce360911d
SHA256
822a98c905447c08728ffba1e1c71086029d8857897e9a74a4b69b89031e7f5c
SHA512
87f6dbc8bd3cb0f731663449c18c6fd02bfc3e74eb26b8fd82c7a6810703be906462f035e24393a3da2d595aff1af738d8440191229685f58032302fe21216c6
-
Filesize
1KB
MD5
7e1d4905ff11f9dc3df19f14836427c9
SHA1
d361d63cf04c03aae86a9f83fe80d2e0400870a8
SHA256
046d2b796dacb9452b2a25aa12eefb31e79e8776c313e979b9b06d72b33b7278
SHA512
efcf9392e4213afe2804f2738a5a1067575d394163265987700ca6c981d59492b6dc7fb78ea0860514adb8f0cbf9428b3c0c1da6d4d82893873d6fea5463a3d0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Dora the Explorer Fairytale Adventure™.lnk
Filesize
548B
MD5
46d3890e9a2495c7bb9c7fbfe678e5a2
SHA1
85124af16ac564ef73c06a5a7d864eb2a616b6e8
SHA256
099c21a1581d9485facc73a1db977827b21a033630075bc1d5be2a93bbd74b02
SHA512
6d9822ed7346985f84c1f5e781c9f8522d517297e3a67d8a5ff338e65ec47307bb8ff9cacfb69ae4fd4c2985f00f478521666c9c86a7138c4f389cd78d92b6dc