1296fdf7b2d6d4fa60cd18069093012ffb34e7caace3da3f841d19801b9f2d30

Analysis

max time kernel
1558s
max time network
1559s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScoobyExecutor.exe
Size

170KB
MD5

c5c80fe6de9dadf3f5e7a5bb88009923
SHA1

6a848d9626199d589a50ffd4ddf131a2ef9a79d2
SHA256

2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758
SHA512

f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4
SSDEEP

3072:E6A9gn36+v3pJ1hZudQln+ETgyzi/xsbzpGBisagmlDDDybbMli32bf1G5tpL/Sa:E6Pn36G5J1hEdQln+2gDs/piisagmlDB

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
3068	powershell.exe
2120	powershell.exe
2916	powershell.exe

Deletes itself 1 IoCs

pid	Process
2080	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	ScoobyExecutor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	ScoobyExecutor.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\dllhost.exe"	ScoobyExecutor.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
440	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2916	powershell.exe
2724	powershell.exe
3068	powershell.exe
2120	powershell.exe
2912	ScoobyExecutor.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	ScoobyExecutor.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2912	ScoobyExecutor.exe
Token: SeDebugPrivilege	2032	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	ScoobyExecutor.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2916	2912	ScoobyExecutor.exe	31
PID 2912 wrote to memory of 2916	2912	ScoobyExecutor.exe	31
PID 2912 wrote to memory of 2916	2912	ScoobyExecutor.exe	31
PID 2912 wrote to memory of 2724	2912	ScoobyExecutor.exe	33
PID 2912 wrote to memory of 2724	2912	ScoobyExecutor.exe	33
PID 2912 wrote to memory of 2724	2912	ScoobyExecutor.exe	33
PID 2912 wrote to memory of 3068	2912	ScoobyExecutor.exe	35
PID 2912 wrote to memory of 3068	2912	ScoobyExecutor.exe	35
PID 2912 wrote to memory of 3068	2912	ScoobyExecutor.exe	35
PID 2912 wrote to memory of 2120	2912	ScoobyExecutor.exe	37
PID 2912 wrote to memory of 2120	2912	ScoobyExecutor.exe	37
PID 2912 wrote to memory of 2120	2912	ScoobyExecutor.exe	37
PID 2912 wrote to memory of 1256	2912	ScoobyExecutor.exe	39
PID 2912 wrote to memory of 1256	2912	ScoobyExecutor.exe	39
PID 2912 wrote to memory of 1256	2912	ScoobyExecutor.exe	39
PID 2700 wrote to memory of 2032	2700	taskeng.exe	43
PID 2700 wrote to memory of 2032	2700	taskeng.exe	43
PID 2700 wrote to memory of 2032	2700	taskeng.exe	43
PID 2912 wrote to memory of 1860	2912	ScoobyExecutor.exe	44
PID 2912 wrote to memory of 1860	2912	ScoobyExecutor.exe	44
PID 2912 wrote to memory of 1860	2912	ScoobyExecutor.exe	44
PID 2912 wrote to memory of 2080	2912	ScoobyExecutor.exe	46
PID 2912 wrote to memory of 2080	2912	ScoobyExecutor.exe	46
PID 2912 wrote to memory of 2080	2912	ScoobyExecutor.exe	46
PID 2080 wrote to memory of 440	2080	cmd.exe	48
PID 2080 wrote to memory of 440	2080	cmd.exe	48
PID 2080 wrote to memory of 440	2080	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ScoobyExecutor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1256
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "dllhost"
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:440

C:\Windows\system32\taskeng.exe
taskeng.exe {CBE66DF3-9FF2-40BE-B1D6-200A5357E9C9} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\dllhost.exe
  C:\Users\Admin\AppData\Local\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D07.tmp.bat

Filesize
166B

MD5
0ddf0cfa43ca5a27c80de826634312d6

SHA1
af241c7a1d0b9270e39d885f192300301f51be79

SHA256
350675f021fb41e8c5bebdb0a873aed501626a4b498c490da94aa5205f65e94f

SHA512
b0288f9d893431cf8ad8bd55496b64edce76c89535603b0da6a9934b24f765563a5df3b9f7b95c6dd12732e9b44472201750ff738dcc3b0ed45ae7126bf5ac19

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
170KB

MD5
c5c80fe6de9dadf3f5e7a5bb88009923

SHA1
6a848d9626199d589a50ffd4ddf131a2ef9a79d2

SHA256
2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758

SHA512
f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
028d62df1af566c96cc39e05e828d435

SHA1
fc893eb9f44accc51b2e759303c2001adcc0c8aa

SHA256
ef2c8aa61bf048b4888b682bdac8724658a0fd3fab322814c04747353083c76e

SHA512
ddb09e65cb54ea4df93b9b1d397e3202ec450579e3f8b032e90d310d126cc294375be38f6ac7c6f9b2671c3283e973d9c67abba1a183a8417b2add6f1ec6db68

Download Submit
memory/2032-35-0x0000000001120000-0x0000000001152000-memory.dmp

Filesize
200KB

Download
memory/2724-15-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2724-14-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2912-31-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2912-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2912-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-36-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-1-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2912-47-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-8-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2916-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download