e5ba880ee68d3dd4ec9dd98a72fc368e14dc0f31a0c05e06acde6f4a6f148d57

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

senex_wooferv2.exe
Size

547KB
MD5

2c34ffccadf1e85664f1d6db4f382ec9
SHA1

650a97552b8a88910974202348041611e5f597ab
SHA256

e5ba880ee68d3dd4ec9dd98a72fc368e14dc0f31a0c05e06acde6f4a6f148d57
SHA512

66f9c57d1b377178713b415f728c8df3da22886978f2c7fd037c953dd83ec8caef91b2376e4341ab3080412ec8826fe063dd1b560062531f70826d2021021290
SSDEEP

6144:A2M5jRQas4PR8cXTvBOoTWly3csKcW6JUBQE3Ko3MHOVnWuOBD4LXA:A2M7PR8Iak3cPsiQCSp

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\shell	senex_wooferv2.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\shell\open	senex_wooferv2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\senex_wooferv2.exe"	senex_wooferv2.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862	senex_wooferv2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\URL Protocol	senex_wooferv2.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\DefaultIcon	senex_wooferv2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\ = "URL:Run game 1084115737125322862 protocol"	senex_wooferv2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\senex_wooferv2.exe"	senex_wooferv2.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\discord-1084115737125322862\shell\open\command	senex_wooferv2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe
4972	senex_wooferv2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4972	senex_wooferv2.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2268	4972	senex_wooferv2.exe	86
PID 4972 wrote to memory of 2268	4972	senex_wooferv2.exe	86

C:\Users\Admin\AppData\Local\Temp\senex_wooferv2.exe
"C:\Users\Admin\AppData\Local\Temp\senex_wooferv2.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 1
  2⤵
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4972-0-0x00007FFCE4310000-0x00007FFCE4311000-memory.dmp

Filesize
4KB

Download
memory/4972-8-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-9-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-10-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-11-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-12-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-13-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-14-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-15-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-16-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-17-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-18-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-19-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-20-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-21-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-22-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-23-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-24-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-25-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-26-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-27-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-28-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-29-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-30-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-31-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-32-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-33-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-34-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-35-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download
memory/4972-36-0x00007FFCE4270000-0x00007FFCE4465000-memory.dmp

Filesize
2.0MB

Download