Analysis
-
max time kernel
108s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 03:03
General
-
Target
9943256.exe
-
Size
134KB
-
MD5
25e54dfbce20546da0e8cd8152ee2b8e
-
SHA1
3f0b80ef090c0b14821309b6110839cbd2312afe
-
SHA256
4725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386
-
SHA512
215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2
-
SSDEEP
3072:r+qf9FUiVdubWibOQNi3MWL4FksNYFfPK:r+iLUwAbpi3MDEK
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9943256.exe"C:\Users\Admin\AppData\Local\Temp\9943256.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://youporn.ru/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD525e54dfbce20546da0e8cd8152ee2b8e
SHA13f0b80ef090c0b14821309b6110839cbd2312afe
SHA2564725414537a3605ee6cdd226d189419cc5d3a7df1b092b526b61b8c5e2a59386
SHA512215f4d5d35153622f159970e0097cde6e00d387f5636a1c28d3de6c0f5f84b61dfcaf4d390464eb888738786a0028d7d6f6ce13a29e07116ad032027428215a2
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD59bdda174b3af9d63b92902748ec9d3c4
SHA19b0506dbb4aa39a0273beaa15fef4fbe1498908d
SHA256343fce68b4cdeb16888ea7d5c7aba6d5c49db7c998cbf696d6d8c2ec9d97b576
SHA5126ff803027acd8676f3b29ac2b302147832603fcbf4fa0f9c16546f005400d0638dedce40e812398b269827c4d9d5a53f99db7af79922d36a4b452fdf64d43747
-
Filesize
342B
MD53ef1dfb5c536fa507a32d22716d1a417
SHA12d30b006c53140c7657dabeab9dc9eb6ef46e91e
SHA256f044839982442901c4387ff73761b9e7880b9add41158f79548dd34319fb6633
SHA512d39f9cc6a87e05d13c877b4cc4ec5660a4c45038983a5b1aef46556e51af619148ac9b6099d2f64ebb0188a7a5ec736c4e75832d6fcd73ef66118caa089d8be4
-
Filesize
342B
MD5dfce2da501a854d9c106ede584d1406a
SHA16a2ff13b533ecbe7d8b73a2a1c7cf11763d463e8
SHA2563e9f51d5e9e901196022e4a09936b5e4817027ca5ffff3a62f5d3e5647d4ef98
SHA512d7334f7be05ec9ba3ca0508dda8e584acf1905d1938fa66bfbc8ef4853a6a33f6fa5d77f071d82fc07d90f400fabf1be3314b65993dff57b3e05db2cc130bb63
-
Filesize
342B
MD5eb6a4c714f9cd643dd454946e668a93b
SHA10c4902c1a43d504052e1ab6a97cf6446eb777610
SHA2565958626ca4a86d4764d4109db026aa4dcc822cbe4134b531acdff0bfb5e895a8
SHA5128518b4585b0a9920c0a07eb532d9bac9239b1313b989eeb1cb8f56edc825d38b3aa97e871429e7803641b969920a671fc24db9db33e6c37a3400513fb074ab1b
-
Filesize
342B
MD507216bed7123ae50f6ccbf14e149b199
SHA133bc07e1daf87dca70876138d451fd6de55d55b0
SHA25662ced37fe5fe899626aae56a7d80ad72758d31d3f200d0b940a1d5a0c57128fc
SHA51279f64d39f5249d659a38f09072e3044b83655ee102bc41525014e1f5d8a41ab0a3c0ed6176a9be26f5479c77a5cb648ae9f92f0e04a14e0237fb0643067a807b
-
Filesize
342B
MD5f93274956fb54009e91899ff601e2bd5
SHA11ffc4062eb435bd7d762b9116b08620d89ca4a22
SHA2561ab2b9f52f0bdd5a0ce291df35c9f106bffe4238363f8e1d83b2e4f0b46a4c7b
SHA51206e17377a3819d0b50637eca6259e6e3870314cfa1012adc0f1cb84401027c686afdc4f9bf75c39c26873c1d3ca98a8b9ad09e4871625fab2bb4d2261143444a
-
Filesize
342B
MD5393d4384e6e54e62bae559031c19d6bc
SHA102d3e33e5c59098510335e472589e83599b39269
SHA2563a2130e7dea7374e4792a03016f8eb9da364a31d7960efde1386f164d0c3a2cf
SHA512e1fb075c24716d23b639b35d0c4f2bc565444b486e8cfeb5361db213a09c4772b8db8e1e8970c28b6a666474958a1353871a09f733a268f94bcf0ae96e9ca184
-
Filesize
342B
MD54d1315f2942d2f9164aeba570e006396
SHA1da42264303f3495d63af92a3ecbfb787d13777f5
SHA2561588f9eedc4c016b571337761f06b98d8e25e93052e3d150e7d40cca58de0ae8
SHA512754dd0d94d2478df02114b202d3b42331695bf39ed588f6290cc87d8e4ac155cec68a2295c11eea980bea1539f9b4a9ba794cdf9cb4f3df378af4ed3dac4dcf5
-
Filesize
342B
MD5c2c5f9f2bd2840d19b322da94252d814
SHA130d03327d8af8189f2952e58dbe785960d1f7660
SHA25600129ce5ea7224f542c530e07898f78726a688e999604cbb54be36dc905a7998
SHA51212add67aa8febd873651563ed41d256a0382509e17b320ba6143d938100de7e7ba094741bb399d59a92b4247c1091b8801712b6773bfe704e7f3d3cf4d65dc87
-
Filesize
342B
MD5124782982e966e7f436f993b4aea868b
SHA155fdbf77ef7975d514860fa1691a597114a29c8e
SHA256b5d4b79179649de40e1e27db04b2b0a5393b9cba93be4b5b6a757b723821ab6f
SHA512be01f926fd6509b97c8a8b8774ccf9f05872603bc886a00a231208ba759cd92d8f0160d84308c37ee6d5832a2380e6bb8b30967c6d807ea0514c3fe8aa60713e
-
Filesize
342B
MD58b2acacb4e3e6957a1162c004721ae8c
SHA1d1327dbc488d82863016d09cc9ca1a0123162dc6
SHA25613374377ad4cc1284d6a12398c641c572c91b6be7c2c7b695d0ddda4b7287e2a
SHA5125d65958b03ad4be4b742f24c376a2cdfb441d04948ff65890c50d5fcb693f887efacbd774a4d8d375db88e21f99f35cf4f46bc0b1e2419a439e7a689772f05c5
-
Filesize
342B
MD517235fbd848a4a72058395a0bc168885
SHA166876636c10e2b9d6af67961a4a7151ad3f71902
SHA25657f5e65feeece6dd7e1a6817ded8116e1cb6e97ce0616330f7c64338233aed25
SHA512fa3067a2e59984c68c8b42fe35f45dbb1e96be7467557409c537f88a4f54f1a882dad49ce19f6f8393c26525fb926d8ba870e51662c48428072d0d6574eed378
-
Filesize
342B
MD5f5c2039f32934856792c9bac89d31867
SHA193e7f9e7c3f7400dbb2ce226057dbff296a0a150
SHA256c2aa2043169f3c896d68b2efc3521a44d3725780de98b123fc5830f93b30d878
SHA5120817747fc37f100255f77cd6bca6fb5792e57cd4a30f63be35db6cdd9623085de0a310717c877e1dc1f74ea5ac8321d2c44081b6e23268ab7e6d48c3b249808c
-
Filesize
342B
MD517f6838aa37e82a22cc8a8a4b51d9ad0
SHA1bcf52e92d0a38e079d04d16388a35d4ef7dab529
SHA2564eb9ad19f8da6710206bc8d5aca51cbd1dd8d258da5b0badcab0ebb300bbebe5
SHA512d0376bb30702d495af2b634d53d5471fb04a66c0f9ab384ea542227f31de47380becb7715648d242f040ad420671dfeddba7161e476bd30ac0c2a33e3a076726
-
Filesize
242B
MD54caceb208912ad9dee9bf4a1cd3ad29e
SHA18ab047aa80af65fe83f09aeded6e6e28a211f6cd
SHA2566d6b6377e2c9212c92e2f295997fa350508a16cc902a30a7655dbe1c9277e24b
SHA512405fe812d7117ba04b6508472478d7f70df17f92d582d330d91949bac0e602665f4bf11feee6063fc12fe0fb5f072c06a9cd506167939833f726a910eb6dc4fb
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b