Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-11-2024 03:46
General
-
Target
TeenTube_90767.exe
-
Size
197KB
-
MD5
1105c4df3562b7ac9aaa3bf6037397c9
-
SHA1
5abd5e024b85078b9060e4eb75c9fc9c7549ad55
-
SHA256
efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df
-
SHA512
98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85
-
SSDEEP
3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f5⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f /reg:644⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f /reg:645⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD5f052a9fa8b537c241287b4dca3c11a37
SHA1295eb1eeabb085e516ede2c625b5a08e9da62430
SHA256881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82
SHA5126120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a
-
Filesize
132KB
MD5a26b0b3948676b82c4796c169bd043eb
SHA12e464f6f61b42871c1bf42d84f30ff58d7eef784
SHA25657d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5
SHA512aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB