Analysis
-
max time kernel
108s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-12-2024 06:30
Behavioral task
behavioral1
Sample
strip-girl-2.0bdcom_patches.exe
Resource
win7-20240903-en
General
-
Target
strip-girl-2.0bdcom_patches.exe
-
Size
22KB
-
MD5
53df39092394741514bc050f3d6a06a9
-
SHA1
f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5
-
SHA256
fff0ccf5feaf5d46b295f770ad398b6d572909b00e2b8bcd1b1c286c70cd9151
-
SHA512
9792017109cf6ffc783e67be2a4361aa2c0792a359718434fec53e83feed6a9a2f0f331e9951f798e7fb89421fdc1ac0e083527c3d3b6dd71b7fdd90836023a0
-
SSDEEP
384:96ZQHXcE7hUHwT56cC9Kg65JdwGADkHw/Rjxtuu7VIGGwQWEqpD6:CavuHAUcW/ojwG6kHw/lxqbW
Malware Config
Signatures
-
Detects MyDoom family 1 IoCs
resource yara_rule behavioral2/memory/2080-6-0x00000000004A0000-0x00000000004AD000-memory.dmp family_mydoom -
Mydoom family
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000c000000023bac-2.dat acprotect behavioral2/memory/2080-4-0x000000007E1A0000-0x000000007E1A7000-memory.dmp acprotect behavioral2/memory/2080-8-0x000000007E1A0000-0x000000007E1A7000-memory.dmp acprotect -
Loads dropped DLL 1 IoCs
pid Process 2080 strip-girl-2.0bdcom_patches.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\shimgapi.dll strip-girl-2.0bdcom_patches.exe -
resource yara_rule behavioral2/memory/2080-0-0x00000000004A0000-0x00000000004AD000-memory.dmp upx behavioral2/files/0x000c000000023bac-2.dat upx behavioral2/memory/2080-4-0x000000007E1A0000-0x000000007E1A7000-memory.dmp upx behavioral2/memory/2080-8-0x000000007E1A0000-0x000000007E1A7000-memory.dmp upx behavioral2/memory/2080-6-0x00000000004A0000-0x00000000004AD000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language strip-girl-2.0bdcom_patches.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4572 taskmgr.exe Token: SeSystemProfilePrivilege 4572 taskmgr.exe Token: SeCreateGlobalPrivilege 4572 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe 4572 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\strip-girl-2.0bdcom_patches.exe"C:\Users\Admin\AppData\Local\Temp\strip-girl-2.0bdcom_patches.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2080
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD58750df7c3d110ebc870f7afe319426e6
SHA1a770fff05a829f666517a5f42e44785d6f0b4ae7
SHA256fa3f934083746a702de18b927284f0145d4b82a92f2111693e93a4f762b50c00
SHA512dfcbc2ba358ec40143e842d5242781a59943e646f50c41010a8cc4e2c5a15d5b19dcd2ee9556a0317ca73283e84d1f9d1b0b8b7470b493fe38e4e027336b8a2a