Analysis
-
max time kernel
4s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
15-11-2024 00:46
Behavioral task
behavioral1
Sample
background_changer.exe
Resource
win11-20241007-en
General
-
Target
background_changer.exe
-
Size
195.8MB
-
MD5
258e75f17caa6e56b792366be1b582dc
-
SHA1
7ae7d09b7b6347a823f499ece6e301f7ea58fe61
-
SHA256
98320a470369b1240f0c0d673e555b64d4835bddbf0bad1c20a8c479996b1d8d
-
SHA512
9e07cf1a356e1321df1387adf6f289d51c4b10415763a22378db181210e71443870196b6ec374f52df5f57fffb5ef0e5b4c8e33fd4b41a8469d4e660c6693171
-
SSDEEP
6291456:9QenffjWiFKquee6fuqQexscYyODBGOWuOvm79Cgi0:fHJKie6Gq8cYyeBJpWm7ggi0
Malware Config
Signatures
-
Loads dropped DLL 17 IoCs
Processes:
background_changer.exepid Process 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe 2644 background_changer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
background_changer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\BackgroundChanger = "C:\\Users\\Admin\\.background_changer\\background_changer.exe" background_changer.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
background_changer.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI29282\\temp_background.bmp" background_changer.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
background_changer.exedescription pid Process procid_target PID 2928 wrote to memory of 2644 2928 background_changer.exe 80 PID 2928 wrote to memory of 2644 2928 background_changer.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\background_changer.exe"C:\Users\Admin\AppData\Local\Temp\background_changer.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\background_changer.exe"C:\Users\Admin\AppData\Local\Temp\background_changer.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
PID:2644
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD50376776f076cd4f4ac15ec4d813c5470
SHA1381f84735a11ace4673d8be53138e652d4415413
SHA256a7ddf4d7cab08676bb88a42059353c5374600901b3ab880e17ee1a0d0150c380
SHA51206d68b9e5daf90d05855bf2c57b6110bfc2f20f4731b023b5aaa39145fd3ab66525d39988b8516731045ad16a89eb0457487dd080aeb347ba24a2e47ece98bbd
-
Filesize
24KB
MD58f67156ce61c7de23e19f9445c8ba504
SHA1b9e344fe41b3fc77ce0012930b7ed9af47eb500c
SHA2568287a2a551bd99b5d55e18e461fedb3704b74b0fb60f1e0881c792f90a18ce46
SHA512f70f24cef7475547f5b29d1ae6db7bd1de6d1aa906e21705e40ed5c18f4f059ce9bb14dfd353776efc08b985881a102dea1948632edccacf76cc72d126651eb0
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
69KB
MD570fb0b118ac9fd3292dde530e1d789b8
SHA14adc8d81e74fc04bce64baf4f6147078eefbab33
SHA256f8305023f6ad81ddc7124b311e500a58914b05a9b072bf9a6d079ea0f6257793
SHA5121ab72ea9f96c6153b9b5d82b01354381b04b93b7d58c0b54a441b6a748c81cccd2fc27bb3b10350ab376ff5ada9d83af67cce17e21ccbf25722baf1f2aef3c98
-
Filesize
82KB
MD590f58f625a6655f80c35532a087a0319
SHA1d4a7834201bd796dc786b0eb923f8ec5d60f719b
SHA256bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946
SHA512b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8
-
Filesize
122KB
MD5452305c8c5fda12f082834c3120db10a
SHA19bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7
SHA256543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e
SHA5123d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c
-
Filesize
247KB
MD5f78f9855d2a7ca940b6be51d68b80bf2
SHA1fd8af3dbd7b0ea3de2274517c74186cb7cd81a05
SHA256d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12
SHA5126b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18
-
Filesize
64KB
MD58baeb2bd6e52ba38f445ef71ef43a6b8
SHA14132f9cd06343ef8b5b60dc8a62be049aa3270c2
SHA2566c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087
SHA512804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65
-
Filesize
155KB
MD5cf8de1137f36141afd9ff7c52a3264ee
SHA1afde95a1d7a545d913387624ef48c60f23cf4a3f
SHA25622d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16
SHA512821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f
-
Filesize
34KB
MD5c0a06aebbd57d2420037162fa5a3142b
SHA11d82ba750128eb51070cdeb0c69ac75117e53b43
SHA2565673b594e70d1fdaad3895fc8c3676252b7b675656fb88ef3410bc93bb0e7687
SHA512ddf2c4d22b2371a8602601a05418ef712e03def66e2d8e8814853cdd989ed457efbd6032f4a4a3e9ecca9915d99c249dfd672670046461a9fe510a94da085fbf
-
Filesize
54KB
MD554c021e10f9901bf782c24d648a82b96
SHA1cf173cc0a17308d7d87b62c1169b7b99655458bc
SHA2562e53cc1bfa6e10a4de7e1f4081c5b952746e2d4fa7f8b9929ad818ce20b2cc9f
SHA512e451226ece8c34c73e5b31e06fdc1d99e073e6e0651a0c5e04b0cf011e79d0747da7a5b6c5e94aca44cfceb9e85ce3d85afff081a574d1f53f115e39e9d4ff6c
-
Filesize
31KB
MD55aa4b057ba2331eed6b4b30f4b3e0d52
SHA16b9db113c2882743984c3d8b70ec49fc4a136c23
SHA256d43dca0e00c3c11329b68177e967cf5240495c4786f5afa76ac4f267c3a5cdb9
SHA512aa5aa3285ea5c177eca055949c5f550dbd2d2699202a29efe2077213cbc95fff2a36d99eecce249ac04d95baf149b3d8c557a67fc39ead3229f0b329e83447b7
-
Filesize
81KB
MD5439b3ad279befa65bb40ecebddd6228b
SHA1d3ea91ae7cad9e1ebec11c5d0517132bbc14491e
SHA25624017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d
SHA512a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd
-
Filesize
173KB
MD56774d6fb8b9e7025254148dc32c49f47
SHA1212e232da95ec8473eb0304cf89a5baf29020137
SHA2562b6f1b1ac47cb7878b62e8d6bb587052f86ca8145b05a261e855305b9ca3d36c
SHA5125d9247dce96599160045962af86fc9e5439f66a7e8d15d1d00726ec1b3b49d9dd172d667380d644d05cb18e45a5419c2594b4bcf5a16ea01542ae4d7d9a05c6e
-
Filesize
35KB
MD5cb0564bc74258cb1320c606917ce5a71
SHA15b2bfc0d997cc5b7d985bfadddbfc180cb01f7cf
SHA2560342916a60a7b39bbd5753d85e1c12a4d6f990499753d467018b21cefa49cf32
SHA51243f3afa9801fcf5574a30f4d3e7ae6aff65c7716462f9aba5bc8055887a44bf38fba121639d8b31427e738752fe3b085d1d924de2633f4c042433e1960023f38
-
Filesize
1.3MB
MD5ccee0ea5ba04aa4fcb1d5a19e976b54f
SHA1f7a31b2223f1579da1418f8bfe679ad5cb8a58f5
SHA256eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29
SHA5124f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166
-
Filesize
8KB
MD552568f892724c6ffd7039c9c556c5d8e
SHA15da11febb9ac0b7384a8a0f0570fbbfd00d99f53
SHA256096a84d8e9d6867ff081c332c778834f2f33cbf62ff911d7664ebee96ee12bae
SHA51275fb9b7e23d87866d4c0746c6b97c87ece9ec8f4e55064f3a4a729f6bfc5d1681b77dcf64cb683e03dbd1b8cac03325f23be5e254838b46dc3e99b83fd1291b3
-
Filesize
4.9MB
MD551e8a5281c2092e45d8c97fbdbf39560
SHA1c499c810ed83aaadce3b267807e593ec6b121211
SHA2562a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a
SHA51298b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
771KB
MD5bfc834bb2310ddf01be9ad9cff7c2a41
SHA1fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA25641ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA5126af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3
-
Filesize
194KB
MD5e2d1c738d6d24a6dd86247d105318576
SHA1384198f20724e4ede9e7b68e2d50883c664eee49
SHA256cdc09fbae2f103196215facd50d108be3eff60c8ee5795dcc80bf57a0f120cdf
SHA5123f9cb64b4456438dea82a0638e977f233faf0a08433f01ca87ba65c7e80b0680b0ec3009fa146f02ae1fdcc56271a66d99855d222e77b59a1713caf952a807da
-
Filesize
6.7MB
MD548ebfefa21b480a9b0dbfc3364e1d066
SHA1b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA2560cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA5124e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce
-
Filesize
29KB
MD5e1604afe8244e1ce4c316c64ea3aa173
SHA199704d2c0fa2687997381b65ff3b1b7194220a73
SHA25674cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5
SHA5127bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
C:\Users\Admin\AppData\Local\Temp\_MEI29282\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE
Filesize1023B
MD5141643e11c48898150daa83802dbc65f
SHA10445ed0f69910eeaee036f09a39a13c6e1f37e12
SHA25686da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741
SHA512ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f
-
Filesize
92B
MD543136dde7dd276932f6197bb6d676ef4
SHA16b13c105452c519ea0b65ac1a975bd5e19c50122
SHA256189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714
SHA512e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1
-
Filesize
1KB
MD54ce7501f6608f6ce4011d627979e1ae4
SHA178363672264d9cd3f72d5c1d3665e1657b1a5071
SHA25637fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24
-
Filesize
1.1MB
MD5fc47b9e23ddf2c128e3569a622868dbe
SHA12814643b70847b496cbda990f6442d8ff4f0cb09
SHA2562a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309
SHA5127c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53