Analysis

max time kernel: 65s
max time network: 83s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 21:45
Static task: static1
Behavioral task: behavioral1 (sample tool.exe, resource win7-20240708-en)
Behavioral task: behavioral2 (sample tool.exe, resource win10v2004-20240709-en)

The signatures, process tree and dropped files below are from behavioral1, the Windows 7 x64 run (platform windows7_x64, resource win7-20240708-en).
General

Target: tool.exe
Size: 20.8MB
MD5: 78e81ec71651ac0911dc8bf1ba1cd841
SHA1: 9555a1a83b720adbb3d8921f04f219412a9dd5d2
SHA256: 70d6359805318ec5b875a7924f0e433e479da8b1cdd757f4211616dcdb417221
SHA512: e3be8d8986364aed9b3ef00bd8f2967bb68228ff7013eb66f6ac00e35777f25eb66254f9e7b6da7a63a21a586e03c7e0ae0122603553e57844caba4b0f4fa60e
SSDEEP: 393216:MSvk3TPDq3o0pEV7qmVFfFhbXjU1PDKgDO4CqYM6jfG15D7dhSlctZjmOd:MSETPDq3o087rVFfFJTU17lgJjC5DRPR
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2384  tool.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2320  tool.exe
  2384  tool.exe
Drops desktop.ini file(s) (7 IoCs)
  description                   ioc                                   Process
  File opened for modification  C:\Users\Public\Videos\desktop.ini    wmplayer.exe
  File opened for modification  C:\Users\Admin\Pictures\desktop.ini   wmplayer.exe
  File opened for modification  C:\Users\Public\Pictures\desktop.ini  wmplayer.exe
  File opened for modification  C:\Users\Admin\Music\desktop.ini      wmplayer.exe
  File opened for modification  C:\Users\Public\desktop.ini           wmplayer.exe
  File opened for modification  C:\Users\Public\Music\desktop.ini     wmplayer.exe
  File opened for modification  C:\Users\Admin\Videos\desktop.ini     wmplayer.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc     Process
  File opened (read-only) \??\X:  wmplayer.exe, for X in
    A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
  (23 drive letters: every letter A: to Z: except C:, D: and F:)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   chrome.exe

Modifies registry class (2 IoCs)
  description      ioc                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer         wmplayer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"  wmplayer.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process     events
  2952  chrome.exe  2

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description                 pid   Process     events
  Token: SeShutdownPrivilege  2952  chrome.exe  16

Suspicious use of FindShellTrayWindow (51 IoCs)
  pid   Process       events
  2040  wmplayer.exe  1
  2952  chrome.exe    50

Suspicious use of SendNotifyMessage (48 IoCs)
  pid   Process     events
  2952  chrome.exe  48
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in the last column)
  description                       pid   Process       procid_target  events
  PID 2320 wrote to memory of 2384  2320  tool.exe      31             3
  PID 2040 wrote to memory of 2784  2040  wmplayer.exe  36             4
  PID 2952 wrote to memory of 2644  2952  chrome.exe    38             3
  PID 2952 wrote to memory of 2032  2952  chrome.exe    40             39
  PID 2952 wrote to memory of 956   2952  chrome.exe    41             3
  PID 2952 wrote to memory of 2496  2952  chrome.exe    42             12
Processes

C:\Users\Admin\AppData\Local\Temp\tool.exe
  "C:\Users\Admin\AppData\Local\Temp\tool.exe"
  PID 2320 | Loads dropped DLL; Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\onefile_2320_133661583464818000\tool.exe
       "C:\Users\Admin\AppData\Local\Temp\tool.exe"
       PID 2384 | Executes dropped EXE; Loads dropped DLL

C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID 2744

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  PID 2040 | Drops desktop.ini file(s); Enumerates connected drives; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  └─ C:\Program Files (x86)\Windows Media Player\wmpshare.exe
       "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
       PID 2784

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID 2952 | Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  ├─ PID 2644: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4c39758,0x7fef4c39768,0x7fef4c39778
  ├─ PID 2032: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:2
  ├─ PID 956: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8
  ├─ PID 2496: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8
  ├─ PID 2444: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
  ├─ PID 2068: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
  ├─ PID 2800: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1488 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:2
  ├─ PID 1980: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
  ├─ PID 2268: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3984 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
  └─ PID 1896: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID 1060

Reading the tree: explorer.exe, wmplayer.exe, chrome.exe and elevation_service.exe are separate top-level processes, not descendants of tool.exe (PID 2320). The desktop.ini, drive-enumeration, registry and token/window signatures listed above are raised by those processes, so in this run only "Executes dropped EXE", "Loads dropped DLL" and the 2320 -> 2384 WriteProcessMemory rows are attributable to the sample itself. The sample's one observed action is to unpack a same-named copy of itself into a per-PID directory, %TEMP%\onefile_2320_<timestamp>\, and relaunch it with the original command line; that directory naming is consistent with the default temp-dir scheme of Nuitka's onefile bootstrap, but the report does not identify the packer, and the 18.9MB and 4.3MB files under Downloads are the only dropped payload components it records.
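Added example (not part of the report or of the sandbox's own tooling): a Python triage helper that parses the flattened WriteProcessMemory table, rebuilds the process tree from the depth markers, flags the unpack-and-relaunch pattern (same-named child run from %TEMP%\onefile_<parent pid>_<time>\), and attributes each signature to the sample's lineage or to another top-level process. The IoC text, process rows and signature lists are a constructed, shortened excerpt of this report; the regex for the onefile directory is derived from the path shown in the tree above.

```python
"""Rebuild process lineage from a flattened sandbox report and decide which
signatures belong to the submitted sample rather than to other top-level
processes (explorer, media player, browser) that ran in the same VM."""
import re
from collections import Counter

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" IoC table
# (the real table has 64 rows; repeats are shortened here).
WPM_IOCS = (
    "PID 2320 wrote to memory of 2384 2320 tool.exe 31 "
    "PID 2320 wrote to memory of 2384 2320 tool.exe 31 "
    "PID 2040 wrote to memory of 2784 2040 wmplayer.exe 36 "
    "PID 2952 wrote to memory of 2644 2952 chrome.exe 38 "
    "PID 2952 wrote to memory of 2032 2952 chrome.exe 40 "
    "PID 2952 wrote to memory of 2032 2952 chrome.exe 40 "
    "PID 2952 wrote to memory of 956 2952 chrome.exe 41"
)

# Constructed excerpt of the Processes section as (pid, depth, image path);
# depth 1 is top-level, depth 2 a child of the preceding depth-1 row.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROCESSES = [
    (2320, 1, r"C:\Users\Admin\AppData\Local\Temp\tool.exe"),
    (2384, 2, r"C:\Users\Admin\AppData\Local\Temp\onefile_2320_133661583464818000\tool.exe"),
    (2744, 1, r"C:\Windows\explorer.exe"),
    (2040, 1, r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"),
    (2784, 2, r"C:\Program Files (x86)\Windows Media Player\wmpshare.exe"),
    (2952, 1, CHROME), (2644, 2, CHROME), (2032, 2, CHROME), (956, 2, CHROME),
]

# Signature -> processes in its IoC table: by PID where the report gives one,
# by image name for the file/registry tables that list only a name.
SIGNATURES = {
    "Executes dropped EXE": [2384],
    "Loads dropped DLL": [2320, 2384],
    "Drops desktop.ini file(s)": ["wmplayer.exe"],
    "Enumerates connected drives": ["wmplayer.exe"],
    "Enumerates system info in registry": ["chrome.exe"],
    "Suspicious use of AdjustPrivilegeToken": [2952],
}

# One row: "PID <p> wrote to memory of <c> <p> <image> <target-procid>".
# The backreference pins the second PID to the first, so a misaligned row is skipped.
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
# Per-PID unpack directory under %TEMP%: onefile_<parent pid>_<timestamp>
ONEFILE_DIR = re.compile(r"\\Temp\\onefile_(\d+)_\d+\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm(text):
    """Collapse repeated rows into (parent pid, child pid, parent image) -> events."""
    edges = Counter()
    for m in WPM_ROW.finditer(text):
        edges[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return edges


def build_tree(processes):
    """Map pid -> parent pid (None for top-level) using the depth markers."""
    parent_of, stack = {}, []
    for pid, depth, _ in processes:
        del stack[depth - 1:]            # pop back to this row's parent level
        parent_of[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parent_of


def lineage(root, parent_of):
    """All PIDs equal to root or descending from it."""
    out = set()
    for pid in parent_of:
        p = pid
        while p is not None:
            if p == root:
                out.add(pid)
                break
            p = parent_of[p]
    return out


def reexec_from_temp(processes, parent_of):
    """(parent, child) pairs where the child is a same-named copy of its parent
    running from onefile_<pid>_<time> with <pid> equal to the parent's PID."""
    path_of = {pid: path for pid, _, path in processes}
    hits = []
    for pid, parent in parent_of.items():
        if parent is None:
            continue
        m = ONEFILE_DIR.search(path_of[pid])
        if m and int(m.group(1)) == parent and basename(path_of[pid]) == basename(path_of[parent]):
            hits.append((parent, pid))
    return hits


def attribute(signatures, sample_pids, processes):
    """'sample' if any process named in the signature lies in the sample's lineage."""
    path_of = {pid: path for pid, _, path in processes}
    sample_images = {basename(path_of[p]) for p in sample_pids}
    return {name: "sample" if any(p in sample_pids if isinstance(p, int)
                                  else p.lower() in sample_images for p in procs)
            else "other" for name, procs in signatures.items()}


def triage(root=2320):
    parent_of = build_tree(PROCESSES)
    sample = lineage(root, parent_of)
    return {"edges": parse_wpm(WPM_IOCS), "lineage": sample,
            "reexec": reexec_from_temp(PROCESSES, parent_of),
            "attribution": attribute(SIGNATURES, sample, PROCESSES)}


if __name__ == "__main__":
    r = triage()
    for (parent, child, image), n in sorted(r["edges"].items()):
        print(f"{image:13} {parent} -> {child}  x{n}")
    print("sample lineage:", sorted(r["lineage"]), "re-exec from temp:", r["reexec"])
    for sig, who in r["attribution"].items():
        print(f"{who:6} {sig}")
```

The attribution is only as good as the tree: a sample that injects into an already-running browser would show up as a WriteProcessMemory edge from the sample's PID into a PID outside its lineage, which is exactly why the edge table is kept separate from the parent/child tree rather than merged into it.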
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 211KB
  MD5: 151fb811968eaf8efb840908b89dc9d4
  SHA1: 7ec811009fd9b0e6d92d12d78b002275f2f1bee1
  SHA256: 043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
  SHA512: 83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 5KB
  MD5: 12ab53f28a15c380bb3d51dbcc8dc57e
  SHA1: c388701445a7d4fffa59f907337a990f02bbbafc
  SHA256: 17f1423e499c6a105782be3223993a08b2efae7fcae7b2fc7baa35a0f2a84c72
  SHA512: 4139e807a1d310b7179c1df1980feb3512e0dea4bcf29319f93b0476f45aede3b71689f6a5be46c247140ced3afc3ae621d3897335df2d9e7d8bb6a768de7ca7

Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{B329F201-216C-4F72-A9FC-4EBBD6FDA876}.jpg
  Filesize: 22KB
  MD5: 35e787587cd3fa8ed360036c9fca3df2
  SHA1: 84c76a25c6fe336f6559c033917a4c327279886d
  SHA256: 98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
  SHA512: aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D8BB3ADC-763A-4186-8C59-274EB369B3D6}.jpg
  Filesize: 23KB
  MD5: fd5fd28e41676618aac733b243ad54db
  SHA1: b2d69ad6a2e22c30ef1806ac4f990790c3b44763
  SHA256: a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
  SHA512: 4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Filesize: 4.3MB
  MD5: 63a1fa9259a35eaeac04174cecb90048
  SHA1: 0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
  SHA256: 14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
  SHA512: 896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Filesize: 18.9MB
  MD5: 4f965eda4f89095e489c8e52afe7f0f8
  SHA1: 4b217f0cb39f59b19a14ffd83fb99a6ce5c17130
  SHA256: c5d961d2fcc8f68cdbcfd2b6bed09aabdd858b2d2e0ad845fbf1937670d79c3d
  SHA512: 927c901caa6ea2379feda63a70fc76f2eceb9529a9f19719a5b9cc6c475ef679d2c7072d757875f03448ebb195ad43f21cdb6bbc7e84f01d96abd29919aebe89