Resubmissions
13/02/2025, 01:26
250213-btppra1pcz 1017/01/2025, 20:14
250117-yz7h3s1qfw 1017/01/2025, 20:12
250117-yy9l2sslcr 1017/01/2025, 17:25
250117-vy9p9sxpez 1017/01/2025, 17:21
250117-vw8eesyjfp 1017/01/2025, 14:16
250117-rk9ass1rhk 1017/01/2025, 14:12
250117-rhv1ds1lds 1016/01/2025, 12:52
250116-p4et7a1mez 10Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
17/01/2025, 20:14
General
-
Target
Malware-1-master/butterflyondesktop.exe
-
Size
2.8MB
-
MD5
1535aa21451192109b86be9bcc7c4345
-
SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c
-
SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
-
SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
SSDEEP
49152:5aA7f7tlVmdqK23H2bpHI4Qs5ABV9WRHZRsgI82lcHGAaKLinXBgJ:Q+VMkX224QsWBq5SfARGRgJ
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 8 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe"C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4UKQV.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-4UKQV.tmp\butterflyondesktop.tmp" /SL5="$401D8,2719719,54272,C:\Users\Admin\AppData\Local\Temp\Malware-1-master\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x104,0x130,0x7ffa3ed046f8,0x7ffa3ed04708,0x7ffa3ed047184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x144,0x254,0x7ff6d06b5460,0x7ff6d06b5470,0x7ff6d06b54805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2224597591129965051,2949298417588043942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:14⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD581aab57e0ef37ddff02d0106ced6b91e
SHA16e3895b350ef1545902bd23e7162dfce4c64e029
SHA256a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717
-
Filesize
152B
MD5501a25f290332c25255eaaf70ee6f240
SHA123cba10495d7098ad6de6936cf31c1b0eefd1246
SHA256420c031363bcb69b4cc540b0afad7180d21b4957a2d6eabe23a40e669aeeebcc
SHA51284ba813e4036be7d9fa08d5fab885421017d008f8fe8d99f56313b54f490c9151a27a67734bb17101691df563efef7e5379250f476e869a848f225786a913081
-
Filesize
152B
MD54c2eb126a03012e4645cbf12fa576adb
SHA1f4fc0dbbe2fca0aab23014eeee6d533aad91b5fb
SHA256ce9774b847a66f7dce4153518d56469986dedfe78acbcca8e97a64d21df5a1ec
SHA51240008285483a37d186c6feaaea96e92f8d665193eb2cd4af0ccd2e77544fa2afedd8aa89b8f09e49e1d6960cbe8543389151d2413c8be408794b70da0eb122e7
-
Filesize
48B
MD5b07c1c79fbd0c3615f528716a6f2896c
SHA1d8c3d943031b3056c4e1e767b6748036d1552308
SHA2564fc0dadcd229233416a2422daf8ef9998a6658ff10197ef6f4ffd4dc5b08e9f2
SHA5121fdf537529e13ebaa822de2a16ed5b7d58979ec262e1c5c37525afdb810d70649e905e074174c86a3ae7aaf4dca4388cad5a878408d57e64143bd41894380765
-
Filesize
408B
MD57d7e57d201b69d213ca67ea960648f27
SHA1ebf078ae2c06f214044fc7616a6ba274a0ecc531
SHA256976d1a5c649ebf026ebde356c9315f96a92269332e8a170dc051a318b6e83178
SHA512b885d028debc1cd49923d888d3f47a2476cac9578f372e37e5a7a5dfb239f84a8075f8dd714ff246a4e38adb2373bfa10b5b0ae449d3f62f2168a27746aafab9
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
1003B
MD51c507308cc0af6cf24a5e38f9eee5b2a
SHA113bcf840668f9859fe4ff9c9dfe6e3a6cff78e01
SHA256da2a1f6b2042ff72240b1337066ca1284868dd8b1ffd87cec6f909ee72d798bc
SHA51238ef2ab233a9931760f104847891a162b60c5c5a04466ce6a59bc5c499d285f223d19ca36cf8a2f40e084bddfd31cf14ae69686c097515f1e9b656d714c4b015
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
6KB
MD5a25a3837a457be5994320f5289f4336d
SHA1e7284e6ecd5bbb2d41c013278eda8b182b9ef0d1
SHA256405fa0740ea7e031245afe465091f9ba40b04b055162b98b89f9104c76417219
SHA5125feee8d5854e11283ebb1fc5f9ca839bb768d9cc74704ad0cff4eb13fd25c88d5427709f596a04f17f1e2bed169c2b5b16a7dc979c94635ca7ec54542fa929ff
-
Filesize
5KB
MD501e617c88264e75154ea0e8d3b22fe23
SHA19f57b5b3e19c022216fcec9acde48b35a528896a
SHA25641c520aedf20766e64ccb21abf07eb980f55835340b97591f6f33ca372248d90
SHA512d138bb707dc65f5663091240b42a8b51c5fc3e83a1bc4cea1e97eaa34ff65de9a1db0e4d14f3793dd71fe8959e68807a2d13331139ccc8f7b68ca2acf0a44f3f
-
Filesize
6KB
MD59f80e90679fe779187ba8dd4f49dafd7
SHA125336af48da62b8266f704007c4180ec357e8d1f
SHA2563083136bd3f89f1706eeb1bfda7aada73c99288e23c63788981e6983cb84400d
SHA5126bedc813629338bbc3f8d07f85be92de92bfbe45a526fbdba764d975e0324ff0ae6e1aca7f22cef2b966d751c4b41043d208f902e4c5b1caad2ee39f11d6fcd8
-
Filesize
24KB
MD5ef30b5850d78b050b13ae82ee13c6b28
SHA125bcd922ab2c62d47c9bfac3fafcca08317ad8e5
SHA256dfd732ede1af0d6dc560b9fbef26f92f9fdf83a72da3e6910cb39843be4fed30
SHA512f9bdbddff6fe99cacf3a670ab5504849668c9049053eca2a4b51f74eb050ea4d60629ce29a571223b1cf293101d646067f9f00e4fb3039738921e1c042419f8e
-
Filesize
24KB
MD594ce4b2ff0abce6d838ac24a1b0f4e73
SHA102f4a956ed4f2e2e0ca9c4b75bf8e7245a1cec88
SHA25606180545891f02875414f56a2a8ca3f21c2f415e03644674cff1c9674cb9b222
SHA512b3bf05777fa4abbd7c475657dea5ca9c00600ab6226843150eff563837c3232c3b513afc0ac5ff1976e35979a51f34710ab74582d1316282bdcb67cc17493c90
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD5b58053cb0a993f3675c6fcf70f4e8491
SHA17edc98933d593b7af5b96d228a2cceced6541600
SHA2562b58c2ab1513dba21a4d502808c84dbcd7fbef005ceff8a276b7cda334465a83
SHA5123fcc06a813544513a67620f35f8452fc490a0d96d9653a0971909af39e2700b480114beda04a17bacbaae2a5980b7d96d951d1ae68b84eae8590c95383a099ae
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
3KB
MD56475d64d07197abbb74fee1342b9303f
SHA1a80f3d8d79fb38279c28820c943cec6b96a4cf50
SHA2562445c1933f0955d1f18fb4a3ae2293e46e5fe0cf452db4087348746413adad5a
SHA512e848c759e070194d208d20539411e7d21bbbdad801af9cf121c05b309b9e2844a6e053fceffa55f5e400cc8d74675e7403dc8c9a0f7486df0190964e7ed6ae03
-
Filesize
3KB
MD52c2762981293edbfe56e2c8c3d635e63
SHA105461c36b1f16f099d2de03b7db5308a432b5b83
SHA2565c06ccbff39827a2b5d9d1ba89e292ed2c4d5a9942723be8a78abca450574d14
SHA5125194a575a4e50ce76afec138c1d2af637c00e66c1da0f19c08e7512122d6cbd02345a9b4407ed46cca065a9082e507c44535bedd8a3c7c01fab00ff4cd3e4f6e
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
40KB
-
Filesize
80KB