Analysis
-
max time kernel
1142s -
max time network
841s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 02:43
General
-
Target
9943256.exe
-
Size
134KB
-
MD5
25e54dfbce20546da0e8cd8152ee2b8e
-
SHA1
3f0b80ef090c0b14821309b6110839cbd2312afe
-
SHA256
4725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386
-
SHA512
215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2
-
SSDEEP
3072:r+qf9FUiVdubWibOQNi3MWL4FksNYFfPK:r+iLUwAbpi3MDEK
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9943256.exe"C:\Users\Admin\AppData\Local\Temp\9943256.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://youporn.ru/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5727dd8b3adae8f02c0ee259cbc17b737
SHA1eb64033cd15d08fcab8d07c0eb2b0bb5daaea9d7
SHA256730236dce47259b29439e9a9e82b0f5d0d169019ebdb6767a68d60cd13591e09
SHA512e196e3dd702e1118fed7442b9e15e8057b2fb3dfd9fe0775e443da971bfe8a66d3f55cbea10a6260500838db405fd6ad4f158c80a16583899b1694ec7d1a230b
-
Filesize
342B
MD5a00d2443e86a053fb4d1f23e68e78184
SHA1c6060fbaa6d395b7063fc2a54404dc4415639b30
SHA256d7f7ef1294804e1fedc3d5dad89a2545b5f4ca83d5eccb47b8f06777ac0b8344
SHA512c99dac3f0bf80e477ea733907706b96b3a9b9e898087457bd562f6d514f49b59bbd6168d9aad47a401f7d31a85392b4ea8734ecc93c6ad0394244152aa5e0ce2
-
Filesize
342B
MD533ad51daf562c08f410a67b332cb0fe5
SHA13727ae5ea9e3247b49129c25fe8b764623875f7a
SHA256969714c393d7d8cf8d3c8d41034d7499d4446c20d9b75c23d7fc22a4273de607
SHA5127e7487391a4b42e374c3ebb811e057b8f3b58268cf82285bd7641c65dbbf00cf0b0de4c44c69e54ed72e610ea999cc086da81527f7ddc62d194574196a4d9ee5
-
Filesize
342B
MD5630500ecaa2358a53d72f034dab05b0e
SHA147808d8cd962ef004ed363a51ac6f25374a5ca07
SHA2569a47e4f2b0832b15ecb394c06569481ce822c0dfe25092662f444b123ba9b764
SHA51217f7ae47fa3c6a1525e9f93ac20650b65b5783e3dceaee86e067eb7f5eef73e5745a7da73d55f993d91d15308c1ee4c41698c53b3b82a07242d5a62ce6c9b6fe
-
Filesize
342B
MD57a32fe8ed682dc866387ebc2262e2bf6
SHA1f399372ac0fffc8ab0698671e34bc48fe2b88e18
SHA2569fd846121a933b88e6a3e9d1bf062947776b9960afc4d99b2dd4cd4f6ba8975f
SHA5129d880379ddb9f0f360a1a827338af1b7341349fd1770ce81f87f7fb249c7033ce74f20a8379d2a3103f7034bf150f2b71ad3c27369556ba721eb71ed0c581866
-
Filesize
342B
MD588b4de5bc95ffd99b1aacb964dbe0b63
SHA1ed2357bf23134584213eb5fe5e9e8fc197e0d81b
SHA2564ffa25cf30ea20157b2ffb46dee343610c84a70c1aa4d77ec89bfc14d22bef4a
SHA512154efcc0b54dc251d9eba3574b8a5630d7efa757477a2101b02292dfa58ebe839567b6a68e4f10f7fc4f5892ee809f14e7a3b25dc8e578187d8d815cdab992c4
-
Filesize
342B
MD56b009e0e87dd8f46c5b020663a5b3818
SHA1bcf6c8181f9e2821b3293d7fd097587471357d24
SHA25689fedb0bcb49e6961417675387dcc1687983837a5195949d9b374ee6f8640bf6
SHA512a63a39d95f436e1a5b240b8afd8be5e052b751eee3c8bd225caea0cdd7de3823fa459bf3ef54b4ca6d7626af274cf98e57185d9bfbdee220f4ce06d4105737e8
-
Filesize
342B
MD5af65a1dc33356278dd827e50c2e8d223
SHA1e112dc19a7bd0136f3570cc8c9fc2df683abf7c4
SHA25637398818ea1f459f115ff8af3c661a76dd4cab992a67a81f28dce6e6d6a92867
SHA512c301b2f4c00072aae74d1dec33b6c47a89de7e12778a3f76ba5b04799d68903c983d2ca5038b1e798d320d01626e0d488e416af1c0844e96cd79a537f026732c
-
Filesize
342B
MD5f7010e16324f2fe3c50cf54906181a6f
SHA1f03a1da6a5e3e9981bb7bc432557d6b0b63df416
SHA256dad5b6fe80e60c08add30594359c8682850e70cfcbad191c10ed3fbb1bf7bf53
SHA512502604216763b190c60758919a03768b0668e014f5cf6b6980e38415b43db0df03b4e1135af9bfa320cc3452f93d9afcce766ccfbd847c6ff32d5e64eff6583d
-
Filesize
342B
MD5308d6d1709e0c04dfea492b60a3cf175
SHA121484c91c5b3b066cb5f717e40a2caf32d9b5146
SHA256a9f559dc03af5b06be87d5d9ff634337d28cbda083da5383c6e62c77a5298805
SHA51273e2792fa716bf01b6b915dbac7276ef1369248da68652c022c326f1ed4d885839e1fc5f328d35e926e2235cd73b53d611810ef6118cb77922e45102d65be1ec
-
Filesize
342B
MD5fa88ba9e16574b91b9eae63e3ce2d351
SHA1dd406d7c7cca0fabc0c7dc532c784fc5281968c8
SHA25609d6b7585a14f25bbf7852ea11959d9fa569a2e648e5ee45965e549d69785743
SHA512fb8f1ba009d6931a071a378e8a1461c6b62655f9dc6a2bf4ea11e1d03547d30068b841c977f63f26fb1ce80c001ff9db0af31d87c331b04dca2dbd025048b400
-
Filesize
342B
MD54418ce5c8cfc3217fb7e70ed020dc474
SHA1a5770848467fc0ce45398a14e37f3d07086f8998
SHA256ffc741dc72b742d156228fd93255e87dd122335c26d3776bba1ab3ccb2d7bc89
SHA5126c3e4665acb6fe6681503c86408f080c92ef77207c77557480d2f66b960a3710761823da8895310d2b0a00f92a51dcd902eb07952906e5ded43f5818c2a4582a
-
Filesize
342B
MD5294e2b0e72bf61b3df51654a2962b9b3
SHA1ee8c9dd18e46939c4c3ae9fbc6fae36a11262202
SHA256fc54ae6f3c05a54acd553d6dda0bdc6aa81c78dd5033c9dd330e6f43d41562f4
SHA512cfaabbced5b9150f747a9eea1613654c6df1317528678eef8828c1e62bc0d71133fd778f1ebb3f50e75953381c48337a037acad4fc37696814943360f249e21d
-
Filesize
342B
MD5cc2292a3426de8f3e066456aee80f363
SHA15578212aaa24af865a464f44bdffe0a1fd7d6d44
SHA2565c817f47a9baeda06373c53f100c8eb3636c402e9997970592606d0841b98fbe
SHA5120c76fb3bc26e755b68826f9ced5c59f587dab373054ad2aa76fe0da249d36931600d62d227fd382c872e793aba69ed97e420dd36ff7cf82de0fc2cae89e7e8fb
-
Filesize
342B
MD5f8706ba31558528dde4c1b1b5efca820
SHA125eb466b200d96931aa5b458767cbfcfc696be58
SHA2565aecdccd1c3848fcf195d09d3904f8ae7fefa991284c73b25b345a4dfcfb1e83
SHA512f333d578405bc2dd5124a76474200167adc762eaddb223cc7f54d17e296dc76f530f24c4d790dccb67736be50f47ea994d1134c2646f82e198f2cf20271bb929
-
Filesize
342B
MD5a33d8728e3012baa361902d13769890c
SHA10148a152abb734d9b5538b897247aab5e6de53b1
SHA25657fb3c237fbbc705c3651d9dcded20966615d3a34f34830968835e82b3c74789
SHA5126572bd0f26afd1750bedacfe18476a36c696c763f1828bf1f616e41252711ad8a58d1465e0fe81ac78c54ce342ff833425bbaca6c5152618fb52907f7183106a
-
Filesize
342B
MD5fe07e31bdf1d09e02f7523d08b6c14a7
SHA1e4050d3cef0f38c1250eb9b82f685e80c162a3d0
SHA256e71ad65078ee29d23be5020d5ec118f168b36636b9df208b5bcebd2e9fc70b7d
SHA512d23cb395c7f8c816bfd3c9378aa5f252b1753a55adea74bbb7b3fb89667ef5bba7f34045ae7819fc28cdb0a99701ba8991fc9e51bee494c07f71cee2cb4b8d1f
-
Filesize
342B
MD59987878dc2d96341e467960098df5bc2
SHA19194bc37ffeb806b87000a932ed7b1e633d84a21
SHA256c46ee8a91a3e690ca71c9515a0f9e9abe1805924e0b19ec27e53e42f0f401767
SHA512d7b43c2d7299b431949e5fac8edec08dbd24196a9a2bbfaa8305c5d4a012d7c0c008ff8df198d640545a8f3f1368134096d168e1a1e797f09813534109218f09
-
Filesize
342B
MD51b0bdabbca63df72a81e5d6150373df8
SHA18528788770e7c5a311251208ea44e55eec00eeae
SHA256ac251efb8a48b46a45728b4df09366908c445ba39d0ea819a5fd3f2385d1c5cb
SHA512138548e7ad130a7c765baec1d31eb4b1e47f870da9b4d7efd5ce74b7fc9c716cb287772031dca028ed2ab83eb1ea75187eb18238d045cd5928c628c4d29f663a
-
Filesize
342B
MD5d9b1ea8da961f71b2a878925eb6dd6f4
SHA1461e4c46a31b45bf36455269b7b963e524cafc14
SHA256cfd8048079d68e1190923170c052ff7302e642d5bdb3f135a6fcb6845ddc62e1
SHA51293c3bd58f1ed81d314aef764c1f494ffb661d7f2ad372aa5e05f2be25d0845dfdee20ebb1127f20e9f4fa40c3ef42ddb7c6e7a00c6318502d8e32fe5b2dbd887
-
Filesize
242B
MD59c4f01e7f5c5b9aa5a0e932adf1078b4
SHA1f2c8dbe054ec05cc3217016e9ad03530108f3f75
SHA256871c5d53e6f21e1c2789c878f595cc348cf97621c15aab53ad76e0726fdf6294
SHA512aef031c10abab0c2914f029d4b2772b00dd3141fcabf93c728a135892248816bc3752c9a952f9aae9df59c7042ddc84aa36cbc99c4ca553164dcf8abbd6f2b87
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
134KB
MD525e54dfbce20546da0e8cd8152ee2b8e
SHA13f0b80ef090c0b14821309b6110839cbd2312afe
SHA2564725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386
SHA512215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2