Analysis
-
max time kernel
1695s -
max time network
1145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
14-07-2024 20:17
Static task
static1
Behavioral task
behavioral1
Sample
DiscordRPC.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral2
Sample
INIFileParser.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral4
Sample
Pirate.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
Pirate.exe
Resource
win10v2004-20240709-en
General
-
Target
Pirate.exe
-
Size
346KB
-
MD5
23cc0a98e512c55df5eac635d32d8608
-
SHA1
4908059249d4dee75bd89cb4a9e5442084863d41
-
SHA256
c518a89e165e559744142be1f4feb6e25d4cbd8259b6b5aa28b29471e9880ff3
-
SHA512
5e52953807e8019d43c1c6165d9c128033368bb6f968f5c6aa005b6495c4680f263d6b6332500325248554d6b6f0c2b15c745e2ebafeb63167b4ebfa001e9de3
-
SSDEEP
3072:Eczkitvo4BpYN/6mBPry8TXROLdW5m4mURh9OOGl0k/Lyk+10n:EA4NCmBPry/N2VOOAF+
Malware Config
Signatures
-
Drops desktop.ini file(s) 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 svchost.exe -
Modifies registry class 1 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{BF35033F-8C9C-4B00-BBE7-C8FC433ED366} svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Pirate.exepid process 3600 Pirate.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Pirate.exepid process 3600 Pirate.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OpenWith.exepid process 3428 OpenWith.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pirate.exe"C:\Users\Admin\AppData\Local\Temp\Pirate.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3600
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3428
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c