Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30/06/2024, 14:53
General
-
Target
FIXAUDIOWIN10/KillShutup.exe
-
Size
154KB
-
MD5
aca60475fb5d1a070301d45786c999fe
-
SHA1
6b5c65c4d1ca940bbba1e31d98771b50647dbcb3
-
SHA256
5593eeac10527b135b7ecbbbedf6c2d9e5c8a36c9ff078b077ae0e3087f7b45e
-
SHA512
4859b3d7487cd72ededea2a9470fcb832c403193f7b207a24c2c506007981c58340eb05e4a128bab869a3d90bdf27206ef3e8932784bc28e411793c4b0ca6938
-
SSDEEP
3072:TahKyd2n31W5GWp1icKAArDZz4N9GhbkrNEk1YT:TahO+p0yN90QEr
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 20 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FIXAUDIOWIN10\KillShutup.exe"C:\Users\Admin\AppData\Local\Temp\FIXAUDIOWIN10\KillShutup.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LAUNCH~1.CMD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BOXKIL~1.CMD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im wscript.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\StopWrite.xla"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\EnableDisable.mp4"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.0.151792637\1727648735" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fbb8073-877e-4a48-8642-34df182477da} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 1836 20ce34acb58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.1.636510895\1511564876" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81f3d4e9-76a4-4a2b-be41-5fd1ee0e6969} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 2404 20cd6789c58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.2.1748795575\1817558260" -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba6e69d-4a6b-4b44-954b-8c93e4c48a7c} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 2980 20ce2494458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.3.1942433168\274582314" -childID 2 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4500fe67-e966-4c4b-a018-c52560dda60f} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 4220 20ce861ba58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.4.2007277970\1383428370" -childID 3 -isForBrowser -prefsHandle 4972 -prefMapHandle 4960 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac808a29-747f-470f-96a5-7ad87310257d} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 4980 20cea242f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.5.1404317058\725673608" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5124 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ddc8d4-6bbb-4d3d-ba3c-8db417657557} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 5000 20cea243b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.6.332616955\1785897201" -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5328 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d37bda77-3914-4c7b-8701-9c9586710059} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 5312 20cea247558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4672.7.1452402801\642325514" -childID 6 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7834c2c2-35db-46af-8d30-bbe37bd082d7} 4672 "\\.\pipe\gecko-crash-server-pipe.4672" 5772 20ce872ff58 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26KB
MD5003473f5b1310023c548a6f38d1e2483
SHA1c5c8bcbf9acc2629039b95aa5f076b7dcee2dca5
SHA2567b5344691fa369a19fe21fad4755c11e09c8823f7deed6528f30597fecbc9b93
SHA512a47a7dbd4670c5ba88d875c74e8ef2050c7cf0580bcbf80ae91fbb69a109312088d4fb8b12a616d48eaa6bef3a50245bc59c4de16fa51373c4ef7d25665d9963
-
Filesize
27B
MD5deef6cba098340511727029356c2d5a0
SHA160dddf4bf198b0d75acd63c21905b89a80d67044
SHA256f68e4cc3fa1d7b7a691c2f2ad46a43c5fb8a3d335751429782c2112b12f1617a
SHA5120329e90d503ab140ce532236c4efe9aa6b85758bb4da619491db02d90b3ca9bd8b2502fddff36c3d89e78d11c510475c88640555c2176efafd0f0158a485d5d3
-
Filesize
23B
MD5ee18bd31559ff88e6ca9e0bceb63fd83
SHA1e2ac7247b524b6eb49bf3c80fe6022d7cdac8ff5
SHA256a80820cb7208ae69c13a907eb45525a96b9b76cf470adf15e3445b1e2235ab8c
SHA512916355380766ec1b28d61dc55c7b4d8124f25d1221048ce23f7670d86251572c34b5e05613e2d02e7ccaf98a107d5d587d57586183fb0f4e9071369fc993e981
-
Filesize
7KB
MD5b3214f72f258c92d9331ab724cc9d340
SHA15c4a5c1a7687996bc3fd2d6701466f814b55f25c
SHA2561e447ef69413111b9c97308aaf0330e3b9c27ae99dfde781626d2190edcbc8e3
SHA51240ce15b613102f00bb3be26ce1cc163655647042f75b2c0ac9f4706cacf9d10ca054a8795a4675e84b6a36b445a6d110a60f4447c666f29bdbd1280211607436
-
Filesize
6KB
MD54ff00cefaf27aa3ce35ddd1d58b79087
SHA1d641a13661de135fcfc4ce65fa22439f40d90be4
SHA256d0fa59ae15fa119504b8ea72738d1d616b232b85ab7fc7953a5b8f89d2d168b6
SHA51299fd73799597bf2521bc9f96ec0334a707d06f228ac94676c529a9e2f23382d57ca832fd3b39a3e0fe58425a035c3336b5fbae72417e6cf76a7e8aa5e56540a7
-
Filesize
1KB
MD5f7d4fcc64a43a94039842fcd19bd977e
SHA1a20be645ec3ebec38485a9bfa00ac3674ce00e18
SHA25672c5211a08e9cad0f518a30e3bb2e2d8966a1e4071a3e1385e4d49a81482cc5a
SHA5128b99ed17491ca1a311089d0e176bbc8920b5061c36744ac18b21dd1b7540bacbe9d26f6ea35a9514def8574f5c624eb85e3aea3dc7f5655abd82fdd154c971eb
-
Filesize
1KB
MD5e974869f7c523e3aa77af9f5ac854a22
SHA1f032f5f3a0f73d470fbbf4629a0880df5f78104a
SHA25669e975a5cfecbfb369a0f04bc3f3e93c960e546762c9e3fb03368000a541ada4
SHA512c9e2d74cd64971855771bd36a1ae4012ae52899c5facfedff32db769392a94307f6cdf02e3a999513eb84979f10bf5c375711e0f54f36de15ab899d6cc09c977
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
992KB
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB