Analysis

  • max time kernel: 142s
  • max time network: 131s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 27-06-2024 04:09

General

  • Target: atube-catcher-10.8.5-installer_GQ-DpU1.exe
  • Size: 1.7MB
  • MD5: b2e6bac3baed5fd235b90c30ba9bdec8
  • SHA1: 9dd517743452918ce4e4583ce327ef907e6da97b
  • SHA256: c7da9264a674a297c34b9ea7a34e5314140883e0914576563ca8bee1b4ea8b15
  • SHA512: 90ade8a9252f637b8fd9374f1edd4b7926e98604debed66d737e16db99540724a3915bf36f579ec3e00d523864cc75ebd98cf0162f7b1c9c9280039fea9082ef
  • SSDEEP: 24576:T7FUDowAyrTVE3U5F/A5bOyUuMitUR/BuztNwgqYReZhb/5hnl:TBuZrEUbPuMUHNwRY4ZB/t

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Checks for any installed AV software in registry (1 TTP, 9 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 10 IoCs)
  • Script User-Agent (1 IoC)

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\atube-catcher-10.8.5-installer_GQ-DpU1.exe
    "C:\Users\Admin\AppData\Local\Temp\atube-catcher-10.8.5-installer_GQ-DpU1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\is-6RRL6.tmp\atube-catcher-10.8.5-installer_GQ-DpU1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6RRL6.tmp\atube-catcher-10.8.5-installer_GQ-DpU1.tmp" /SL5="$8001C,837551,832512,C:\Users\Admin\AppData\Local\Temp\atube-catcher-10.8.5-installer_GQ-DpU1.exe"
      2⤵
      • Executes dropped EXE
      • Checks for any installed AV software in registry
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: ff3ebf973e85018a431788a8a7d0cf95
    SHA1: 00df97bb8564aac6315db96a858ecb1ad3055a2e
    SHA256: 36e015045eed76f866ba0145e10c50e2b30581efc8bbdd38754be6e47b0de523
    SHA512: 573c3fe8a4c444eee2e23e36a792e0302c55ea0aef8ce890e91fd6e2a00f8701385431cb6b29c2616cbc76a89f8298dc0e31d025eb8bbc71920c574198770e55

  • C:\Users\Admin\AppData\Local\Temp\Cab8A76.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar8AC7.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\is-MTAFM.tmp\mainlogo.jpg
    Filesize: 3KB
    MD5: 34f051f00de89fd9eafc2a5fb651b457
    SHA1: 5b38f6da51c87d6be9b64f42157a68d0cff27c93
    SHA256: 72f621bbb8e9b0c33060204ab7a39cd1ef500b05638fca43d2316138258b70fc
    SHA512: 0152f99b1c95c39c7370e8bc5e140ed52e9ae15e6d9f8416f25bd06b8a20a45a2f309f30ff9d71f5ab958705ecc2e76464b99df190058e93b71202a096502e26

  • \Users\Admin\AppData\Local\Temp\is-6RRL6.tmp\atube-catcher-10.8.5-installer_GQ-DpU1.tmp
    Filesize: 3.1MB
    MD5: 9b3a9a19f545f32bc0d061b202f6ba5e
    SHA1: ac41d0939dc69685e3dded3f7687a4b4d6e11189
    SHA256: c200f9b96997a67b25c9ed9df8e17b647319313b18d83b6bbc9ab96c0b3d602a
    SHA512: 786c697c51a050ee5cdd802bc0db1f63c4a93197c66ba0c7195a23a44e262364f9546da426bbfde1f8244a571f908adf32f303ba24eef484aa5e2c153a78e6eb

  • memory/2076-8-0x0000000000400000-0x000000000071C000-memory.dmp
    Filesize: 3.1MB

  • memory/2076-132-0x0000000003390000-0x00000000034D0000-memory.dmp
    Filesize: 1.2MB

  • memory/2076-133-0x0000000000400000-0x000000000071C000-memory.dmp
    Filesize: 3.1MB

  • memory/2176-0-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize: 864KB

  • memory/2176-1-0x0000000000401000-0x00000000004B7000-memory.dmp
    Filesize: 728KB

  • memory/2176-120-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize: 864KB