Analysis

  • max time kernel
    300s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:39

General

  • Target

    TeenTube_90767.exe

  • Size

    197KB

  • MD5

    1105c4df3562b7ac9aaa3bf6037397c9

  • SHA1

    5abd5e024b85078b9060e4eb75c9fc9c7549ad55

  • SHA256

    efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df

  • SHA512

    98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85

  • SSDEEP

    3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe
    "C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f
            5⤵
            • Modifies WinLogon for persistence
            • System Location Discovery: System Language Discovery
            PID:1824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64
            5⤵
            • Modifies WinLogon for persistence
            • System Location Discovery: System Language Discovery
            PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe

    Filesize

    46KB

    MD5

    f052a9fa8b537c241287b4dca3c11a37

    SHA1

    295eb1eeabb085e516ede2c625b5a08e9da62430

    SHA256

    881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82

    SHA512

    6120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a

  • \Users\Admin\AppData\Local\Temp\RarSFX0\s.exe

    Filesize

    132KB

    MD5

    a26b0b3948676b82c4796c169bd043eb

    SHA1

    2e464f6f61b42871c1bf42d84f30ff58d7eef784

    SHA256

    57d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5

    SHA512

    aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162

  • memory/2860-34-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2860-37-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2992-32-0x0000000002430000-0x0000000002458000-memory.dmp

    Filesize

    160KB

  • memory/2992-31-0x0000000002430000-0x0000000002458000-memory.dmp

    Filesize

    160KB

  • memory/2992-30-0x0000000002430000-0x0000000002458000-memory.dmp

    Filesize

    160KB

  • memory/2992-29-0x0000000002430000-0x0000000002458000-memory.dmp

    Filesize

    160KB