Analysis

  • max time kernel
    65s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    22-07-2024 21:45

General

  • Target

    tool.exe

  • Size

    20.8MB

  • MD5

    78e81ec71651ac0911dc8bf1ba1cd841

  • SHA1

    9555a1a83b720adbb3d8921f04f219412a9dd5d2

  • SHA256

    70d6359805318ec5b875a7924f0e433e479da8b1cdd757f4211616dcdb417221

  • SHA512

    e3be8d8986364aed9b3ef00bd8f2967bb68228ff7013eb66f6ac00e35777f25eb66254f9e7b6da7a63a21a586e03c7e0ae0122603553e57844caba4b0f4fa60e

  • SSDEEP

    393216:MSvk3TPDq3o0pEV7qmVFfFhbXjU1PDKgDO4CqYM6jfG15D7dhSlctZjmOd:MSETPDq3o087rVFfFJTU17lgJjC5DRPR

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tool.exe
    "C:\Users\Admin\AppData\Local\Temp\tool.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\onefile_2320_133661583464818000\tool.exe
      "C:\Users\Admin\AppData\Local\Temp\tool.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2384
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2744
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
      "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
      2⤵
      PID:2784
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4c39758,0x7fef4c39768,0x7fef4c39778
      2⤵
      PID:2644
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:2
      2⤵
      PID:2032
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8
      2⤵
      PID:956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8
      2⤵
      PID:2496
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
      2⤵
      PID:2444
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
      2⤵
      PID:2068
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1488 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:2
      2⤵
      PID:2800
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
      2⤵
      PID:1980
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3984 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:1
      2⤵
      PID:2268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1336,i,4101702987328722978,3612237524039415525,131072 /prefetch:8
      2⤵
      PID:1896
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
    Filesize
    211KB
    MD5
    151fb811968eaf8efb840908b89dc9d4
    SHA1
    7ec811009fd9b0e6d92d12d78b002275f2f1bee1
    SHA256
    043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
    SHA512
    83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize
    264KB
    MD5
    f50f89a0a91564d0b8a211f8921aa7de
    SHA1
    112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256
    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512
    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    12ab53f28a15c380bb3d51dbcc8dc57e
    SHA1
    c388701445a7d4fffa59f907337a990f02bbbafc
    SHA256
    17f1423e499c6a105782be3223993a08b2efae7fcae7b2fc7baa35a0f2a84c72
    SHA512
    4139e807a1d310b7179c1df1980feb3512e0dea4bcf29319f93b0476f45aede3b71689f6a5be46c247140ced3afc3ae621d3897335df2d9e7d8bb6a768de7ca7

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
    Filesize
    16B
    MD5
    18e723571b00fb1694a3bad6c78e4054
    SHA1
    afcc0ef32d46fe59e0483f9a3c891d3034d12f32
    SHA256
    8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
    SHA512
    43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{B329F201-216C-4F72-A9FC-4EBBD6FDA876}.jpg
    Filesize
    22KB
    MD5
    35e787587cd3fa8ed360036c9fca3df2
    SHA1
    84c76a25c6fe336f6559c033917a4c327279886d
    SHA256
    98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
    SHA512
    aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{D8BB3ADC-763A-4186-8C59-274EB369B3D6}.jpg
    Filesize
    23KB
    MD5
    fd5fd28e41676618aac733b243ad54db
    SHA1
    b2d69ad6a2e22c30ef1806ac4f990790c3b44763
    SHA256
    a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
    SHA512
    4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

  • C:\Users\Admin\AppData\Local\Temp\onefile_2320_133661583464818000\python310.dll
    Filesize
    4.3MB
    MD5
    63a1fa9259a35eaeac04174cecb90048
    SHA1
    0dc0c91bcd6f69b80dcdd7e4020365dd7853885a
    SHA256
    14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed
    SHA512
    896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

  • \Users\Admin\AppData\Local\Temp\onefile_2320_133661583464818000\tool.exe
    Filesize
    18.9MB
    MD5
    4f965eda4f89095e489c8e52afe7f0f8
    SHA1
    4b217f0cb39f59b19a14ffd83fb99a6ce5c17130
    SHA256
    c5d961d2fcc8f68cdbcfd2b6bed09aabdd858b2d2e0ad845fbf1937670d79c3d
    SHA512
    927c901caa6ea2379feda63a70fc76f2eceb9529a9f19719a5b9cc6c475ef679d2c7072d757875f03448ebb195ad43f21cdb6bbc7e84f01d96abd29919aebe89

  • memory/2320-63-0x000000013F340000-0x000000014082F000-memory.dmp
    Filesize
    20.9MB

  • memory/2384-34-0x000000013F240000-0x0000000140597000-memory.dmp
    Filesize
    19.3MB