Analysis

  • max time kernel: 300s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-07-2024 17:59

General

  • Target: abwsx1.exe
  • Size: 2.1MB
  • MD5: ee2a9d044a6a108da64db29a4056c4fb
  • SHA1: 1da144f56f10697cf258fb1a52cea29e5ccf7c8e
  • SHA256: 349fb7ff31d01e246881dd9b269b54c07ade4fa288b8c29965c5186311a49684
  • SHA512: f67d973de3224b6319f485db9fe53d2552b9a56b47643dd1d8816fbe2973974f3132210a6c09f880fa444eec28308d8bd0c04c10cbec8d2438438669270165a1
  • SSDEEP: 49152:7PiViEE2f7RtawbEfpzYqCfzfNKoFUP8lDrD3GDUgS5:G8D237SM9eElCDjS5

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 28 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abwsx1.exe
    "C:\Users\Admin\AppData\Local\Temp\abwsx1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Abyss Web Server\adn\adnregister.exe
      "C:\Abyss Web Server\adn\adnregister.exe" -i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Abyss Web Server\adn\FCGIDotNet_2_0.exe
        ".\FCGIDotNet_2_0.exe" -q -u
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3056
      • C:\Abyss Web Server\adn\FCGIDotNet_2_0_x64.exe
        ".\FCGIDotNet_2_0_x64.exe" -q -u
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Abyss Web Server\adn\FCGIDotNet_4_0.exe
        ".\FCGIDotNet_4_0.exe" -q -u
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Abyss Web Server\adn\FCGIDotNet_4_0_x64.exe
        ".\FCGIDotNet_4_0_x64.exe" -q -u
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Abyss Web Server\adn\FCGIDotNet_2_0.exe
        ".\FCGIDotNet_2_0.exe" -i
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Abyss Web Server\adn\FCGIDotNet_2_0_x64.exe
        ".\FCGIDotNet_2_0_x64.exe" -i
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Abyss Web Server\adn\FCGIDotNet_4_0.exe
        ".\FCGIDotNet_4_0.exe" -i
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:112
      • C:\Abyss Web Server\adn\FCGIDotNet_4_0_x64.exe
        ".\FCGIDotNet_4_0_x64.exe" -i
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
    • C:\Abyss Web Server\abyssws.exe
      "C:\Abyss Web Server\abyssws.exe" --startup-config-internal
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:2564
    • C:\Abyss Web Server\abyssws.exe
      "C:\Abyss Web Server\abyssws.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Abyss Web Server\abyssws.exe
        "C:\Abyss Web Server\abyssws.exe" --slave --interactive
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2568

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                            ID         Count
  Persistence            Boot or Logon Autostart Execution    T1547      1
  Persistence            Registry Run Keys / Startup Folder   T1547.001  1
  Privilege Escalation   Boot or Logon Autostart Execution    T1547      1
  Privilege Escalation   Registry Run Keys / Startup Folder   T1547.001  1
  Defense Evasion        Modify Registry                      T1112      1
  Discovery              Query Registry                       T1012      1
  Discovery              System Information Discovery         T1082      1

Downloads

  • C:\Abyss Web Server\adn\FCGIDotNet_2_0.exe
    Filesize

    44KB


  • C:\Abyss Web Server\adn\FCGIDotNet_4_0.exe
    Filesize

    35KB


  • C:\Abyss Web Server\adn\adnregister.exe
    Filesize

    11KB


  • C:\Abyss Web Server\lang\ar.lng
    Filesize

    32KB


  • C:\Abyss Web Server\lang\fr.lng
    Filesize

    29KB


  • C:\Abyss Web Server\zlib1.dll
    Filesize

    76KB


  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    Filesize

    108KB


  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
    Filesize

    117KB


  • \Abyss Web Server\abysssc.exe
    Filesize

    8KB


  • \Abyss Web Server\abyssws.exe
    Filesize

    1022KB


  • \Abyss Web Server\adn\FCGIDotNet_2_0_x64.exe
    Filesize

    40KB


  • \Abyss Web Server\adn\FCGIDotNet_4_0_x64.exe
    Filesize

    35KB


  • \Abyss Web Server\libeay32.dll
    Filesize

    1.7MB


  • \Abyss Web Server\ssleay32.dll
    Filesize

    362KB


  • \Abyss Web Server\uninstall.exe
    Filesize

    56KB


  • \Users\Admin\AppData\Local\Temp\nso3F44.tmp\System.dll
    Filesize

    11KB


  • \Users\Admin\AppData\Local\Temp\nso3F44.tmp\nsExec.dll
    Filesize

    6KB


  • \Users\Admin\AppData\Local\Temp\nso3F44.tmp\service.dll
    Filesize

    4KB


  • memory/112-127-0x0000000000FD0000-0x0000000000FDE000-memory.dmp (Filesize: 56KB)
  • memory/656-107-0x0000000000240000-0x000000000024E000-memory.dmp (Filesize: 56KB)
  • memory/656-104-0x0000000000900000-0x000000000090E000-memory.dmp (Filesize: 56KB)
  • memory/2568-243-0x00000000001F0000-0x000000000024E000-memory.dmp (Filesize: 376KB)
  • memory/2568-240-0x0000000002270000-0x0000000002430000-memory.dmp (Filesize: 1.8MB)
  • memory/2900-134-0x00000000011C0000-0x00000000011CC000-memory.dmp (Filesize: 48KB)
  • memory/2980-114-0x0000000000DD0000-0x0000000000DDC000-memory.dmp (Filesize: 48KB)
  • memory/3056-97-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
  • memory/3056-96-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
  • memory/3056-95-0x0000000074A80000-0x000000007502B000-memory.dmp (Filesize: 5.7MB)
  • memory/3056-94-0x0000000074A81000-0x0000000074A82000-memory.dmp (Filesize: 4KB)