Overview
overview
10Static
static
10[DemonArch...f3.exe
windows7-x64
10[DemonArch...5e.exe
windows7-x64
10[DemonArch...a8.exe
windows7-x64
10[DemonArch...55.exe
windows7-x64
[DemonArch...9c.exe
windows7-x64
8[DemonArch...ac.exe
windows7-x64
10[DemonArch...0f.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
8[DemonArch...5a.exe
windows7-x64
1[DemonArch...c4.exe
windows7-x64
[DemonArch...f3.exe
windows7-x64
10[DemonArch...8f.exe
windows7-x64
10[DemonArch...85.exe
windows7-x64
10[DemonArch...92.exe
windows7-x64
9[DemonArch...5b.exe
windows7-x64
10[DemonArch...59.exe
windows7-x64
7[DemonArch...0f.exe
windows7-x64
10[DemonArch...61.exe
windows7-x64
10[DemonArch...16.exe
windows7-x64
10[DemonArch...23.exe
windows7-x64
[DemonArch...6d.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...5c.exe
windows7-x64
10[DemonArch...52.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...fa.exe
windows7-x64
10[DemonArch...f1.exe
windows7-x64
7[DemonArch...7b.exe
windows7-x64
10[DemonArch...02.exe
windows7-x64
10[DemonArch...80.exe
windows7-x64
[DemonArch...c8.exe
windows7-x64
8Analysis
-
max time kernel
299s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:22
Behavioral task
behavioral1
Sample
[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
[DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral3
Sample
[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
[DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral5
Sample
[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
[DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral7
Sample
[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral9
Sample
[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
[DemonArchives]0d061414e840b27ea6109e573bd2165a.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral11
Sample
[DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
[DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral13
Sample
[DemonArchives]149dd5469233f52aa4287362ce85b88f.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
[DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral15
Sample
[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
[DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral19
Sample
[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
[DemonArchives]26add802e0e75416385317658b116216.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral21
Sample
[DemonArchives]2bf9e607accd325cfb734cd594b00723.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
[DemonArchives]3825817f6028f26ff0b5cd748559286d.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral23
Sample
[DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral25
Sample
[DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
[DemonArchives]47522f57257b441811cf5f87c9118faf.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral27
Sample
[DemonArchives]4782545d269557614be88caef0383cfa.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
[DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral31
Sample
[DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe
-
Size
1.9MB
-
MD5
55a0c8c7e6c8b2be4ebd164d43e746c8
-
SHA1
151a6ebb2706eef6cef9fbc51a5d959bb7b14cb0
-
SHA256
d3bbd8f6427e98b303c5a447acc3a98d6229369d096fbb77609de87cdff88d63
-
SHA512
db6f6beb20eb74b8da5e36e1758d8dde900eb1ce839ad4769691ef08f2e14b7f678530d306e14e123fa203eef6b373426445162b5c4ccb901dcd1e229ce2f098
-
SSDEEP
49152:hE13D8c4GG/jfKCfGgv58UunQ7M+lFVhSekhg:0Ho/OKG2un9gFrSeL
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
resource yara_rule behavioral32/memory/2160-0-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-1-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-2-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-3-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-4-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-5-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-6-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-10-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-11-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-12-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-13-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-14-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-15-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-16-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-18-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-19-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-20-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-21-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-22-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-23-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-24-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-25-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-26-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-27-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-28-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-29-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-30-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-31-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-32-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx behavioral32/memory/2160-33-0x00000000008A0000-0x0000000000A4D000-memory.dmp upx -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2892 explorer.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe Token: SeShutdownPrivilege 2892 explorer.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
pid Process 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe -
Suspicious use of SendNotifyMessage 21 IoCs
pid Process 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe 2892 explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe"1⤵PID:2160
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2892