Analysis
-
max time kernel
79s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 03:31
General
-
Target
file (1).exe
-
Size
136KB
-
MD5
0b37809ae839d24f5a54c3a16f5b4f35
-
SHA1
d3091cee95575a53ce93b886469924f2603efbdc
-
SHA256
2902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
-
SHA512
0a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
SSDEEP
3072:4PTKQFRiVdubWibOQNi3MWL4FksNYFfPK:4PFRwAbpi3MDEK
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (1).exe"C:\Users\Admin\AppData\Local\Temp\file (1).exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://youporn.ru/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD50b37809ae839d24f5a54c3a16f5b4f35
SHA1d3091cee95575a53ce93b886469924f2603efbdc
SHA2562902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
SHA5120a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD54c2551baf8626ce006106a22303b9ed5
SHA1e88ab852e08dafb64ab4611d82e95640aeb79740
SHA25682cb4b59e0f1a33fdecdf58151751506288c67a283db8039d92ee8e1ac44c41c
SHA51245071d842bf1c703f1345be0d08bd5629ba80a19b560933efb4f89637f44adda9dc00a1c4011a2ae6a15fc0c6d23b0648a6ebf23580230715757f5a2d273cf9b
-
Filesize
342B
MD5fdfa79099caac905bee63459ef630dd0
SHA100cd0106c10064a04d348ddbd2f53e9e57480cf5
SHA25601b83032561f83575da64feb952390577efffc23e6785d30e2ea6f85d3834c38
SHA5122e4d0511b9e09d98d50a3f2ee4eadbc9a67a7cf64f4de4995938889325a9bf92588f8a6d3a0b070c1826c38e670cb0b443fd90a610ede00d395939b2ce31be96
-
Filesize
342B
MD590df7da439b0b9f90293b92bbfaa53dc
SHA12aca10d0dffc273c5985bbe22ebd1d1756259ec0
SHA2567009ea0bf4160aea551935cdfca068461b8471d9c90d0f2ac5978df886f14d67
SHA5121831af683ba02808cf5a85b08496d358518499851f906462d60cb4145b6fcede30d8f6c353150e5da0ea518ae186f36f845c88d79068ecc97f6a949819b80898
-
Filesize
342B
MD5135dc18579a551414b9f53d651941738
SHA115506f2ba753b6fc48ab6c8679bda712c1e88f1b
SHA256145befe1a4e2df4ca79dbbdf36e7d481f86f6e0d00deb628b71cc258adace281
SHA512d91132c5491db5b5654507189494e4d65158588dbefb99c6ca5dfc06634888cf03d7b1edd9f3b17a1dbd5d9ba6a48abee39a8f0e6a901f89ffd3087977e4d866
-
Filesize
342B
MD547f6c1813a6cc0c1488e52e6c2661b34
SHA127c6de53a78abcea6af5fa86a3be8d2452f0d680
SHA2562c634dc0499042fb18b1eaa5bb78b91effb4b61f3ed5f7aa04b916098047f6fc
SHA5120271d3301276ee728433cbf0b9ef8b7aa6eaa97aa0de1d8602a6739ac5c2869be36c4ff43fb2b53ea8134ab35b2bf5f6e2b99bd615593dbbeec8cb2d9512c32d
-
Filesize
342B
MD5cd69f1f4c18aef42bc7294ce53e3d318
SHA1e0376d24a86dae978f060e25a94c71ad5f4a78e7
SHA25622685b324e8ec831a2a1491b55d0070174c25f7a013dd223e8237b5173b0af22
SHA5121ed7fd878c7ba90b00f3cd8bff416f12887645f24f4246ae3dda2c6d906ccacb5af3f13cf502c35fc8d2f30b22367e03afb5861e166e2bb3ea3c7ef135b6559f
-
Filesize
342B
MD575ff0ad2f87b9a73e598c6e2f8a55093
SHA19142f31d68c2728255cd65b46887f507e6287660
SHA25676210ac030594a964a199466c97d04641c6c2dde5fbe6de6f939129448358888
SHA51271aec8542c768bf7b47ddd7246867b2c5167814f9fd0f3b51751362dd20baa9f3334cac016d6555f790bdd521863b5dac26ab16d2586b4892da97dd10ce74447
-
Filesize
342B
MD527b415fb887d024a0b879d04a3629b82
SHA1d4cfc3afb7c97a546735d314bdad4be95a422617
SHA2569a22e6ad448127e322ac2152a7fb407339c617f61652833573d698a635562143
SHA51285bae83f7b781d46acdab93247d7fe886b2399f31c5303fe3ac3c5a47ea254475d3ed99bf2f0efefd7113598f09c5e93280898a6f036fe3240cdf1cbde60500f
-
Filesize
342B
MD5b1cc1ac3dd6770fe0597f935758a43f5
SHA149ffdca312f2ec02e86a5fc5cc9cc90f897ae74e
SHA2564ef2c3e463ed44faa84b5c4cbe2e72350806c8df4680d3a14d66ea0a6de31feb
SHA512825fad7b220939c3efbb6a52456b0e2ae1fee2936a62a88072b6001332f8b614d22ddc81d4a600f664afc7df3c29cf72037d320db773e0b9d445c28fd6791b5f
-
Filesize
342B
MD5ce4ce9b21d9ae73243a384123003841e
SHA1bb586b19c6574051096f869919acc3fd98adf319
SHA2561f36fcd1ad38cbc525b554a7f0f6bee738d49debf22477d81dd60970a86b0f8d
SHA5129fca5810c39228f5ea58f0ce21bdd2ad45e61d3a84b7e27a106872c370ef3fed1b0f0c1e61b81b59f1f8238df3e99175ff5b042f161230bddfcc10f5f5c84797
-
Filesize
342B
MD5546383828fe1adde822d97c4d8be3961
SHA15f0141bfb569aee3c10c89f9361253030be3ef99
SHA2568a2ffba9fa803f19c97eea2910ea3baba15820c417bebfbe1b4f062e7a0b8109
SHA5124a3a85be8385dc9c94f9e45ca51d73be89846e3f2330690629d9f497c8de51316f0ccb5496e331a6eb7d7bd3b3c733b0a5ce049296bdf15f0af968cf8678d7fc
-
Filesize
342B
MD5d454cdff8970ab3671db351e535fedd7
SHA1542ecabc264400062272e7cca8ba38baf897b26b
SHA2565c92cb540db78ee70b8659a8621530caa8a5d2017e84092695587896cd74f767
SHA51210a9019a0b8101ef5ea0bd0ce90fb4020e9bef45e435f96145fded6591f652380e8d1385e5e2a469dce80ad8b283fc563c34c2b615aedf8b8baae1c52401795b
-
Filesize
342B
MD573043cb55ce43722081b574098a3aa24
SHA1908ae5b3a43bb68eb0af9cdf2fc11c8b4ecc4ad5
SHA25611bff4e98449cf94e939f7e801f96705f19b45190377d27062d9baabf592a64d
SHA51230bac89529753c3508acf8e417572930d50d601dd17c75b0fab8776c982aad8f565bb800cc0928610b0462ba943f36bf8feb05ab032dabd6313a599083d07207
-
Filesize
342B
MD5babc9f5a5a9e4fd5ebff0bccc097c1cc
SHA188c71587a5cbba5754e8e82e905468014350d128
SHA256cd21e7b456bc3d32b658a7fe204ec7a0d91cfd24eea04eaea99ce7a23680fbe4
SHA5129da8c601aa88330ca079af0f4c0eb954d6c1945e3b205b3e018bb458fc92423e203e8489fad375100ece7446a2032566e0b53c0d141fc942507b9660ca1364fb
-
Filesize
342B
MD581d45f432b638a29b105a6d5ffb1c846
SHA1d3d31f7bf24c05da4887dcdf1449674dc93c63a8
SHA256f0896b92d5fe2b83f67f35915236b771d37a7ee4f59180386e8cdfc9e70a86b1
SHA5129d1ce1994b3173e0fd9837b26284898cd37baed1fe66e9659b7a017df1e4dc346726a8d3f96f5323d9682bd64255f381f45024610fb41f7d98238a9bcb4921cb
-
Filesize
342B
MD5f44f30e11ef5bdf36206769641764d26
SHA18a4b5a54842efda2a935f4c660b1b767b8cd7c94
SHA2560f5d414951c50a5c2268ecb412ca727e1b13da2ae076c395ea16c79f28f0e610
SHA5122532106c68797de8c7a8abe2b0ccc6212c764c3fb6205dd7b20063bf639ed7d8c79995eb6d4576022329f0d50b4179511f6e03fc3e430cfd0c75b107ad87e6c4
-
Filesize
342B
MD58c3a6b04b574555566cf5adfd6c3328b
SHA125566fcd2ba929a3cf9bf402345f8372b8c16a14
SHA2565c148571b62cb2987c9d86ec08799a0fc59a024b813ec02899d9443f8101159d
SHA51262cf1e3a4189c50355f22528c639dccac4cfdf0b7ef6df78e33bf2acb8b5f9aae39f52013654e20c0514a81e8e9570ff4d8607a2f4444f22047581804c89ea38
-
Filesize
342B
MD529dc6666e13d69622011fe6088e97cc6
SHA16ea4807ef2eaa28d2e6b08f67faffcf353cbda99
SHA2563a524b0d19d4f7892a2a81ea1b18c04296580ad8786155085e95c9f4da23518b
SHA512bd834e2c69e681d329944277f0621351b68d423dff3e339cea5b5aff02148e50a019800fe6fdc5500a3fcce7657221d3648b7a117f164e30528c93e9ddeb61b1
-
Filesize
342B
MD5d9b12cb6e5b318ca1f549bca126c0f7f
SHA1ad0c622da29e57a9deb4283bc5f6640437901e67
SHA256718fce173f773a3cb8374f38636c2142ffa194b4b5d9ec1382acd6c5515e0d1c
SHA51215f7d5d19b48080016fdb892538ff2c966613e89a13efc76bb1bb1d57c734a8485ebdd2746b2fb94d876581e2cd61149a57f47e9a75dc2f43e4a789963ad2739
-
Filesize
342B
MD5b452a307e33073864b63e4aa54d98e87
SHA13b8b1883e398df4c05751a2ebaceff80d98fa17b
SHA256e33e5d5c255c630655aad04c4405a433c0a781227314a45fc0fb3cffb369f30a
SHA5121f9dfdb5d458b9204bee7ddf78b0f0adb8b917d5a9a295282f03c7c2bf9e79f45c23aa54abf3242499e1d2d71289aed9597ef1dca9b1c0ff25d35347e54343f0
-
Filesize
342B
MD5bc65b0e96a7bc063ff0025284dc8e01a
SHA1d727a5f4d6f01b2d5371e9245b46412041d29a01
SHA2563c83e03b0fc174c43f31af76b29a1f479d453e1a7a67eac39cbd361aba8e8a1f
SHA512cf6c2ccff44fe0e6fd931f7183d111ceae292d2ce2ef64a68cdc2ead2f86889e7d101043e57c14fd2d4909bfb28295a975adb8572ade4b74b94d4ebca0896453
-
Filesize
342B
MD5b6cb402ab2fd95763b77b74fed844df8
SHA1963387afba3dac561f30e2de81422c15fda8beaf
SHA256cf291fec01a1e5d4fe1c4c95258e5eb004e5ebc659b735d69c51173b43ee7bee
SHA512dc6f611a265c1158b64206fb6fc90a6936811de11c5bd499ef0232f9c2646f7043bb85789846263d848bb5c531eadaffb9f5a3f8792f9028d4c638c3efeb9c24
-
Filesize
242B
MD5a7a4d10fde7bbb2ceb9e0d4daffe3ce5
SHA1d28f4953916690cec11d34f15ab310cfa9b06326
SHA2568225e32a44128389743508e93d2a043a29b89a1b8de490f64f83f556321e83c9
SHA512e43edf830938a9d957f35be83acb3383840a6cccee488c46b0042d38f9317f6b4c910d4c773731cff825cdaf0c9220b2eaf1c99c1ec2cd3cda7bd3ee9f8ca597
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b