Resubmissions

21-11-2024 16:39

241121-t5z9qsxrhj 10

20-11-2024 17:39

241120-v79rma1ckp 10

08-11-2024 04:15

241108-evbfasvhlm 7

08-11-2024 02:54

241108-dd3b1ssqbw 7

Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 02:54

General

  • Target

    Animalia_Setup.exe

  • Size

    683.8MB

  • MD5

    d652c61668315117399986777c68c09b

  • SHA1

    ffdbec785a4ad9b9ce41618ad233fc04b8e8ccc8

  • SHA256

    e259f8e69085151805395fad4970f4e2b3920363b32a692bfd4eab6680c8d8e9

  • SHA512

    3745ec26d5acac91d62638392b167ccbb124080593dcb1ffdabef68460726397d200a3b439a8e63a2989a15e6b75f397ddc5366730958ecc213c6b84b622ad43

  • SSDEEP

    98304:6wRECL/6tcnGp2ml3Q51nALymL0wmLHhfKxButG2jqlWedjOfXlHJ0zCYJqvJj:mCecGp283y1YyS0JLHIJnnQXlH+zsB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\is-O78H6.tmp\Animalia_Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O78H6.tmp\Animalia_Setup.tmp" /SL5="$40108,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\is-17A6O.tmp\Animalia_Setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-17A6O.tmp\Animalia_Setup.tmp" /SL5="$50108,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2168
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:2716
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:528
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1156
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:1520
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3060
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1268
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:640
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2504
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1016
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:968
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                      PID:1716
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2856
                      • C:\Windows\system32\find.exe
                        find /I "nswscsvc.exe"
                        6⤵
                          PID:1744
                      • C:\Windows\system32\cmd.exe
                        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                        5⤵
                          PID:2032
                          • C:\Windows\system32\tasklist.exe
                            tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                            6⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1416
                          • C:\Windows\system32\find.exe
                            find /I "sophoshealth.exe"
                            6⤵
                              PID:676
                          • C:\Users\Admin\AppData\Roaming\Dokany Project\AutoIt3.exe
                            "C:\Users\Admin\AppData\Roaming\Dokany Project\\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Dokany Project\\Time.eml"
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            PID:572
                            • C:\temp\Animalia.exe
                              "C:\temp\Animalia.exe"
                              6⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              PID:1988
                              • C:\Users\Admin\AppData\Local\Temp\is-8DL8A.tmp\Animalia.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-8DL8A.tmp\Animalia.tmp" /SL5="$B0166,843430,814080,C:\temp\Animalia.exe"
                                7⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of FindShellTrayWindow
                                PID:2748
                                • C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe
                                  "C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  PID:1464
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:2492
                  • C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe
                    "C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"
                    1⤵
                    • Executes dropped EXE
                    PID:1716

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\CabA6FB.tmp

                    Filesize

                    70KB

                    MD5

                    49aebf8cbd62d92ac215b2923fb1b9f5

                    SHA1

                    1723be06719828dda65ad804298d0431f6aff976

                    SHA256

                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                    SHA512

                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  • C:\Users\Admin\AppData\Local\Temp\TarA817.tmp

                    Filesize

                    181KB

                    MD5

                    4ea6026cf93ec6338144661bf1202cd1

                    SHA1

                    a1dec9044f750ad887935a01430bf49322fbdcb7

                    SHA256

                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                    SHA512

                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  • C:\Users\Admin\AppData\Local\Temp\is-4SGAD.tmp\is-LFC8D.tmp

                    Filesize

                    432B

                    MD5

                    8f6eb9e75e6a6f0c0d58fb697c10cedf

                    SHA1

                    6944935dfdc33e0c6db26869bf25eda85a2622d8

                    SHA256

                    e2b8677434501735fb0233ed0cc2ffee5bf6fb4387c51dbcb2585a70e42e4f08

                    SHA512

                    a946252b2e3705eae751a2672d4ade1499eceb28c48b4be6150c4201ee20a7b9a4450c75e06b07f5daa3528041a566931d988fbd0c2ea90240d61008895ba44a

                  • C:\Users\Admin\AppData\Local\Temp\is-8DL8A.tmp\Animalia.tmp

                    Filesize

                    3.2MB

                    MD5

                    2e23446366c0aa53b79ae08278e68a5b

                    SHA1

                    2172d6d23b447e6725c0e81343b18112c3634428

                    SHA256

                    a6b497ef42cf0f2506a83eef8f18de1e31ffd5dbf888d6d3c3bfbdded54f1d84

                    SHA512

                    2bdccaa4d4068c62e4318ecc045da23946ff088f826083d0a16051d8128457c13a9ee880cdea7425f83516a265f990d095df2681a3f26e2b4b9c62144a8151f0

                  • C:\Users\Admin\AppData\Roaming\Dokany Project\Time.eml

                    Filesize

                    2.8MB

                    MD5

                    0b77be61749cf678934f47e441a20c81

                    SHA1

                    5119b665f8e5260bccd9d6638a3aa376630a23a3

                    SHA256

                    d2309d5c6c13af7c376821875d11f515653663cccb49589f35d585a4d3b136e4

                    SHA512

                    29282b2e7a801d2bc6de2fddd61e442fab55dcfc30242af0f80d8204adf1a916d95d5a6b560819efda92b60bcfd4a97269080ce45dbf4d823ee70866a3102ecd

                  • \Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe

                    Filesize

                    83KB

                    MD5

                    5e228e133980d70be45102bdebb200ce

                    SHA1

                    59556ba5fc259c84dbcb57f182b722c7b31f6257

                    SHA256

                    39da6b9d4f23e879e31d698d14c21e0644c9256505c22a68577cd513f6afcab9

                    SHA512

                    c9348b22b6f96c2104e1c440df99c7d3340661064b58934f21e0e8e8307c34d301a3f05f3189c5f3e80bfcd8352003dd6fa4d9db1847884939b3a098693fac87

                  • \Users\Admin\AppData\Local\Temp\is-2KF1D.tmp\_isetup\_isdecmp.dll

                    Filesize

                    28KB

                    MD5

                    077cb4461a2767383b317eb0c50f5f13

                    SHA1

                    584e64f1d162398b7f377ce55a6b5740379c4282

                    SHA256

                    8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

                    SHA512

                    b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

                  • \Users\Admin\AppData\Local\Temp\is-O78H6.tmp\Animalia_Setup.tmp

                    Filesize

                    3.2MB

                    MD5

                    d558678a30299a8af9f0af3079bd29ba

                    SHA1

                    343c5a46ecd97d3ffe33a4148e79c67032c5208a

                    SHA256

                    f862c70a303b1335df33f7494a39bd1419004c2906e168084ce05bc738dd7cc8

                    SHA512

                    1d7b3643415847bba3001c6e7bd62283cced828e37b68ebc8ec79df4e0e079569cf27fbd3356c8478fcc9a85d86da84b71b52a0b136da65f0a8e9254f3c6d39e

                  • \Users\Admin\AppData\Roaming\Dokany Project\AutoIt3.exe

                    Filesize

                    921KB

                    MD5

                    3f58a517f1f4796225137e7659ad2adb

                    SHA1

                    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                    SHA256

                    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                    SHA512

                    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                  • \temp\Animalia.exe

                    Filesize

                    1.7MB

                    MD5

                    924083300365f62e344776b9bd60ff45

                    SHA1

                    f46928b202675de33e52d44a983070d576f70109

                    SHA256

                    dcb210636a39d1226b713ff492e6f23903b658f59a32dd17f6c324549e7fac78

                    SHA512

                    1b2a3b7d2bd2531975e989495d5becb007a1ac3d9d0853ba69be36f8f7c50cef8c11c276a007909564debb942ae8aea9c4fa76c0b69f6c5cbc1161a46b085931

                  • memory/1988-246-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/1988-257-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/1988-312-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2000-8-0x0000000000100000-0x0000000000101000-memory.dmp

                    Filesize

                    4KB

                  • memory/2000-17-0x0000000000B70000-0x0000000000EA4000-memory.dmp

                    Filesize

                    3.2MB

                  • memory/2188-19-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2188-0-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2188-2-0x00000000002A1000-0x0000000000349000-memory.dmp

                    Filesize

                    672KB

                  • memory/2432-239-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2432-163-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2432-15-0x00000000002A0000-0x0000000000375000-memory.dmp

                    Filesize

                    852KB

                  • memory/2492-255-0x0000000000400000-0x0000000000459000-memory.dmp

                    Filesize

                    356KB

                  • memory/2492-252-0x0000000000400000-0x0000000000459000-memory.dmp

                    Filesize

                    356KB

                  • memory/2748-258-0x0000000000FA0000-0x00000000012D4000-memory.dmp

                    Filesize

                    3.2MB

                  • memory/2748-303-0x0000000000FA0000-0x00000000012D4000-memory.dmp

                    Filesize

                    3.2MB

                  • memory/2748-311-0x0000000000FA0000-0x00000000012D4000-memory.dmp

                    Filesize

                    3.2MB

                  • memory/2888-237-0x0000000000B60000-0x0000000000E94000-memory.dmp

                    Filesize

                    3.2MB

                  • memory/2888-164-0x0000000000B60000-0x0000000000E94000-memory.dmp

                    Filesize

                    3.2MB