Analysis
-
max time kernel
64s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 03:43
General
-
Target
file (1).exe
-
Size
136KB
-
MD5
0b37809ae839d24f5a54c3a16f5b4f35
-
SHA1
d3091cee95575a53ce93b886469924f2603efbdc
-
SHA256
2902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
-
SHA512
0a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
SSDEEP
3072:4PTKQFRiVdubWibOQNi3MWL4FksNYFfPK:4PFRwAbpi3MDEK
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (1).exe"C:\Users\Admin\AppData\Local\Temp\file (1).exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://youporn.ru/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD50b37809ae839d24f5a54c3a16f5b4f35
SHA1d3091cee95575a53ce93b886469924f2603efbdc
SHA2562902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
SHA5120a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5daa6c84383b12af4c6677324c21243b0
SHA1b2bbd0d169d13de34df5ff7159772530d3c694b1
SHA256f66addf55c592c2ac2f0c6c6bf1763397b50543731572ca60137f125b2141cfe
SHA512d2739ceff854256d1050d16f820642c932c933ddd5e3a39ca1aa77875a2b3e4af8aa3be47a72ae3b278a30591c4abdcde8a3303ed5b6106083ee4b0eb736a95c
-
Filesize
342B
MD53d64b0c35b958350787004f919bb8461
SHA182e366296137795c1e0e70ba50b9298692f24849
SHA2560659bf14e65ea8799f66cec523abcba1649bf50697429a709ecd0e4ec4eb548a
SHA512daa10ab947316f3ad2d8d357dcd2640cf4be1fac39161257a763ca97a5ff9e613d3b816d60a2235b0eb0832f685422b8a98e1231432618979854fad32cb4f7ff
-
Filesize
342B
MD554fc8ba4c5850ad9fdfff7019aceecfa
SHA188868365656ae004d5c571cfbda60ce6f4650965
SHA256bb4744bf989c0858c3690901ab29f4079e11471dbcf8249415c3b98a86353635
SHA512a8d0bc2347147b3a14f74a0c1911e15d40234b1252ed623e2812120757217acd2a5a94c1a88f21852704a10dfc806084c28d7ef7266f561040a6a74d8f2f6e22
-
Filesize
342B
MD580a496c220fc0563a7fb15fa49ce4c9f
SHA1b4b462710272e21d4837050f2202bbb075a5ff13
SHA256bf81c76fd69ff6d556ab0fe79e606631e51f95e488d74a7fe3bacc69d3915314
SHA51256b077f6931fa402e301a444d4bb4025e7ebb48d32f37553757868dc99c5b8861f653a121aef325cd9df89a3a551c56218a7230e707c35ac737dae08f801f15b
-
Filesize
342B
MD56dccdfb9310ff9d923f5ed02e3ef8b7c
SHA137a83052310bd8c3b4e8bdea1f1fa8489d832aa2
SHA25657531bcd47cbdcdfa463c9a4a9888745c7b07bebca3f4fae1fc2fc58d97c424f
SHA512cafe542f57eb08864634577e7c5e5a96efa5ceea74900ac7159fe7b15f554eed1122213799e9d92e8a1aa31e68a3dea93aa66688eec783048e739dec6038955e
-
Filesize
342B
MD538a8d62fcc133412609f606a9ee53c02
SHA104069b0bcc0a327f2c169143e18812f6cbcd9e02
SHA256c5c03f97d31802db3ce4e21b36c947c334066ac58a81d75779dbbcacf0c9211e
SHA51263f2d542fdeb80eb157c14b2f5ad4b0d8bc292d06d31ce291a94f4ae2fe3b7b33197de9ae98f7a89de0f73914f439f7750b989de9cab913a0654c7fa95b4bc6d
-
Filesize
342B
MD5fb694e9c35d3c6edccbd4783318cfdff
SHA17f110503d3d0b93bcdadbe33a5a1a91165560f74
SHA256683a25c6537f5cb2ce4ae7abdd4712b3482fdf02b2b35d8461305671099b0879
SHA5122d968f69180595b8f1e95bfcc26af2f9e51b619263c959d2b6b298061070ef4d04dc0ac3c26bcfcbdaacf6c85e843c600c48747c71d927dd86be812fb30af429
-
Filesize
342B
MD55d13885ce699f551f4dc88bfbd1505df
SHA10117fea11f84d52d268758ab9c1130587a20b65c
SHA2566d947e2df2533302ae398c24b39111c6c4ad28b5f2a5060c89cbec43098c7324
SHA51236d678e593870ee6f9bbad0ac397a531b2d704018e3692f157198702d8753a277ec84ee10e73aafe4f2db9f8babb1174ffdd25efce6dc89a38854618be7ed6e9
-
Filesize
342B
MD545ef66d116fb8989407e434206561328
SHA1ae998df79a8335d051aefbfc7cf41eb3982951ec
SHA2563b15c4419e9300b87b6913ce7d4a0076750b67625f917607c6e54f30e42e67fd
SHA512c3d2c74e7c999cfb0095cc8ca43c34b187a79f06d2737161017780911261b7dd732a0585f490a7f1de6b795d38293d653b24bed85eb98eb84e7d54137e69a5e7
-
Filesize
342B
MD5eaf76ced5e2929710c46c4e0300b3846
SHA1cb9d4658c6177fac35ed443c29c0e0e61d905989
SHA2562d97670a251717797ecfe5f0ea788a9b0ce2f5773e41feeea8af580071de27f3
SHA512150084897fcb9aa5842adb6f76fba8fb86de7fd9256c0fd80f0f1681486e6d50de6542389ff1d411b0b6782415e8502eeb9b481bdc5348bf017afa7e9d0ff12f
-
Filesize
342B
MD5072afa3c13ce46194c2ce30b0fd489de
SHA16b8c3f9db38eb29cf40bc56f7478104da884c4bb
SHA2566f95195383e0263eeaa655d35d33226957524c97b750a1d4d966dd87a24a543f
SHA5122fd79b7810fc6841461258af3dd18342a160b5c1c877d94a4263f526cf9fa69c36a0cf291df07495b45e14e1360fbe4e3b7c8a53862ed3e7b0e0c61aa909e2fa
-
Filesize
342B
MD5c7ef7a7c6a95c51b7899a3be616ae02a
SHA15cee62902b0fadb0c800588ca648b05079c5790d
SHA2563eef50f2afd896bf1d5c0d100b25a4e5e80bb9dc30613648c1338017c50234ac
SHA51242ea4226a6d7c4500b912cdafc89e392c67bcc369be4446993b52dcbdb2aed3b578088dedc1e82e1c749a2d3cadb33736fca65700336bd4937359c0b57318f94
-
Filesize
342B
MD5b632753cd3a4bf6ae60bd086d42db631
SHA12e9ecd7964bdc008c518af90811aff1e9062fcdd
SHA2562cb5fde8c19b30573c93fcd299618616495f61ae8a422f21ffd6f5649091c1d2
SHA5127f306f699e0933b18dce7c7259d17b45d43f8909525ad84a654e1b93649b29a584b19548a8fd5822980d3c4760856272f4cd87a4899898130c7d5be975edeb44
-
Filesize
342B
MD5ab67b7f8d10fa2777772ccd612cffa77
SHA1f5f296ed3adf948835dfacd2cc175e5a64ffa2d4
SHA25695027d3a80c3b810bb22b8b7c8119f970502fe5026f9c6e4f5b4d164e17c4cfe
SHA5122e45e682670270e283335847735d746080f82a6c4045b70f7b9580f260e64a1456d8b0b47b15be3360c6df5793fd861e258ba75fc3622e856bd9c549ff173d78
-
Filesize
342B
MD5c1a63e32ec399f6bb4f282f490150bd9
SHA16bc49c10d9d023cfdfc3e5d4c438a55d99d7cf0e
SHA256944a8bc86397db9dbef1571e51754b13cec855703023cd5bd24a776dcfaff82f
SHA5123bc25d6caa07fcb8e02b4934809ba1ea2908e2d7ed8f5388740f7a72173327d5d4c8554188a300ae88b159a3b791995987c475c4dc05d403897fd956394de9a7
-
Filesize
342B
MD5ab0078c0d473a7c457a5b09463cc0dbc
SHA1709c4621635245242407a5cdb432c1e88ef678e1
SHA25626c47ecc9ba208f7e4d7c7dbaff1a835f432cf4aab3d019b0a5e2e653cdcdcad
SHA51226d4a0f033a7a060f143753cc10b647097ef7107f1cffe2f99216dda620868b728f925a8d4125b7a08cec12398d922edde858f2e47f8ac2754124bc47081e8bb
-
Filesize
342B
MD56fe8b94987c719dd7b6ffb8479d854a6
SHA108f8b504857a65040f1d12285819c0112c8bcd03
SHA256f6d255b96a59e40f0f8cd1ca63be3aa7d59fecb468e508fbee7a63e8f0049428
SHA5126e9c834f0cc2b78b81f17ffd66ea3cb2ecaec66b931d877461964c87f0e048137600e8afc267807f05757c1ca5306a7e09599b5031d3a4f5895cdaa3e3f6fee3
-
Filesize
342B
MD50fbfda11c0a8fdcb3c2111aa20eeb8fc
SHA111b919571e79c111af0b2c0006995598ebe21750
SHA25684cbdd8036093f54130a018ab311e8a8bb4ae917062099749108e67663404f8f
SHA512bc92a2655550abca29eb9d388f1c17a1afe6cddfefcef7a4975bc28db51139e11dccfb87b3ed7fe5353454a7fdf984c39725a445057a013710468b44a95cc118
-
Filesize
342B
MD500ca7a38c9cffa13813aacaf3454b584
SHA19fd462126bffe90609959d786c1ef9726d87b4ed
SHA2568c4a702813beb1660156cbfb4aa669fb2342dc7ff10a29b9823269ab4565df25
SHA5124a954f2ef8288e1b0ff65e6f5f5df472be949d95aba41895720e24d4c0c93c46c4e1d389d9aad2cc73adf883260bac8f0d8011c5d4a9ad33f937cd8539b630a6
-
Filesize
342B
MD518c0802a9bbb35a8964feeec7393b1eb
SHA12ebe13f41e19aee184edf43cb597a1c9671b79f9
SHA256b8bc6c6e100321c1029bda55ad433338f576bdea4f0ece071939491574558683
SHA512a030cb68ee25d4fb35c15627f7dd8654300cc2e6109e98397997c2c624b91fe38b6f3ae6f871e7a19f0db1b7bf83981ee415706e4c2a4477d3fadde679d17dea
-
Filesize
342B
MD5b6b07d766b13d9bfcb3a5b7247b8ebae
SHA1759d77128577250ff1399a422c0e5ba383b5d3ac
SHA2569dedbe39aea19249de4c97a6adec68d60b63a66b5778151d0e17e374e52eba08
SHA512900a22ef973fda9a6b134966053ea852e541279c80da74728e9b958ad01f777c4d9ed02e88086f234c832861a0f784b22486ced452c3967a4ac03aa29dc53fbf
-
Filesize
342B
MD5c493965253e90f58bdde90e4510127c3
SHA180d844100b6c7ab134d5acd75d08cd0130910c10
SHA2562efa067405fe5192ce493b6284a02deb2b97f4ed81d78b5f0b3111479ada3693
SHA512943132203b87db07902cb49f7cdf2f1396d41a552839afec7ff00968e57731bf594a473e973ee50437d34498d4bbd525e9c10906ce9ef35590005da90fae9d1e
-
Filesize
242B
MD56384e5bb5333e97026e407879a5b14e8
SHA1759afd67cbaab7c4a870804f12e4a86cda3ab8cc
SHA2560ad9e0e2622f2fba3c49558a3e17811e2126a0f28afaa7d616f975d6c2920cc5
SHA51281125738c12008d8cd2db70ad41bebbc5c6ca140a4d748cc428b80e45f8f9e560354d56eeb137e188850d83efd87ac3a0f725195a20290046aef78d68b596bfd
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b