Resubmissions
21-11-2024 16:39
241121-t5z9qsxrhj 1020-11-2024 17:39
241120-v79rma1ckp 1008-11-2024 04:15
241108-evbfasvhlm 708-11-2024 02:54
241108-dd3b1ssqbw 7Analysis
-
max time kernel
87s -
max time network
76s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
08-11-2024 04:15
General
-
Target
Animalia_Setup.exe
-
Size
683.8MB
-
MD5
d652c61668315117399986777c68c09b
-
SHA1
ffdbec785a4ad9b9ce41618ad233fc04b8e8ccc8
-
SHA256
e259f8e69085151805395fad4970f4e2b3920363b32a692bfd4eab6680c8d8e9
-
SHA512
3745ec26d5acac91d62638392b167ccbb124080593dcb1ffdabef68460726397d200a3b439a8e63a2989a15e6b75f397ddc5366730958ecc213c6b84b622ad43
-
SSDEEP
98304:6wRECL/6tcnGp2ml3Q51nALymL0wmLHhfKxButG2jqlWedjOfXlHJ0zCYJqvJj:mCecGp283y1YyS0JLHIJnnQXlH+zsB
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-71V2J.tmp\Animalia_Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-71V2J.tmp\Animalia_Setup.tmp" /SL5="$700D4,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe"C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FJPJP.tmp\Animalia_Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-FJPJP.tmp\Animalia_Setup.tmp" /SL5="$800D4,4776157,814080,C:\Users\Admin\AppData\Local\Temp\Animalia_Setup.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Dokany Project\AutoIt3.exe"C:\Users\Admin\AppData\Roaming\Dokany Project\\AutoIt3.exe" "C:\Users\Admin\AppData\Roaming\Dokany Project\\Time.eml"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\temp\Animalia.exe"C:\temp\Animalia.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-8MV95.tmp\Animalia.tmp"C:\Users\Admin\AppData\Local\Temp\is-8MV95.tmp\Animalia.tmp" /SL5="$90306,843430,814080,C:\temp\Animalia.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"8⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"C:\Users\Admin\AppData\Local\Programs\Animalia\MyProg-x64.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
83KB
MD55e228e133980d70be45102bdebb200ce
SHA159556ba5fc259c84dbcb57f182b722c7b31f6257
SHA25639da6b9d4f23e879e31d698d14c21e0644c9256505c22a68577cd513f6afcab9
SHA512c9348b22b6f96c2104e1c440df99c7d3340661064b58934f21e0e8e8307c34d301a3f05f3189c5f3e80bfcd8352003dd6fa4d9db1847884939b3a098693fac87
-
Filesize
3.2MB
MD5d558678a30299a8af9f0af3079bd29ba
SHA1343c5a46ecd97d3ffe33a4148e79c67032c5208a
SHA256f862c70a303b1335df33f7494a39bd1419004c2906e168084ce05bc738dd7cc8
SHA5121d7b3643415847bba3001c6e7bd62283cced828e37b68ebc8ec79df4e0e079569cf27fbd3356c8478fcc9a85d86da84b71b52a0b136da65f0a8e9254f3c6d39e
-
Filesize
3.2MB
MD52e23446366c0aa53b79ae08278e68a5b
SHA12172d6d23b447e6725c0e81343b18112c3634428
SHA256a6b497ef42cf0f2506a83eef8f18de1e31ffd5dbf888d6d3c3bfbdded54f1d84
SHA5122bdccaa4d4068c62e4318ecc045da23946ff088f826083d0a16051d8128457c13a9ee880cdea7425f83516a265f990d095df2681a3f26e2b4b9c62144a8151f0
-
Filesize
432B
MD58f6eb9e75e6a6f0c0d58fb697c10cedf
SHA16944935dfdc33e0c6db26869bf25eda85a2622d8
SHA256e2b8677434501735fb0233ed0cc2ffee5bf6fb4387c51dbcb2585a70e42e4f08
SHA512a946252b2e3705eae751a2672d4ade1499eceb28c48b4be6150c4201ee20a7b9a4450c75e06b07f5daa3528041a566931d988fbd0c2ea90240d61008895ba44a
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
2.8MB
MD50b77be61749cf678934f47e441a20c81
SHA15119b665f8e5260bccd9d6638a3aa376630a23a3
SHA256d2309d5c6c13af7c376821875d11f515653663cccb49589f35d585a4d3b136e4
SHA51229282b2e7a801d2bc6de2fddd61e442fab55dcfc30242af0f80d8204adf1a916d95d5a6b560819efda92b60bcfd4a97269080ce45dbf4d823ee70866a3102ecd
-
Filesize
1.7MB
MD5924083300365f62e344776b9bd60ff45
SHA1f46928b202675de33e52d44a983070d576f70109
SHA256dcb210636a39d1226b713ff492e6f23903b658f59a32dd17f6c324549e7fac78
SHA5121b2a3b7d2bd2531975e989495d5becb007a1ac3d9d0853ba69be36f8f7c50cef8c11c276a007909564debb942ae8aea9c4fa76c0b69f6c5cbc1161a46b085931
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
672KB
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
3.2MB
-
Filesize
3.2MB