Overview
overview
10Static
static
10The-MALWAR...36c859
ubuntu-22.04-amd64
8The-MALWAR...caa742
ubuntu-22.04-amd64
8The-MALWAR...c1a732
ubuntu-24.04-amd64
8The-MALWAR...57c046
ubuntu-22.04-amd64
8The-MALWAR...4cde86
ubuntu-24.04-amd64
8The-MALWAR...460a01
ubuntu-22.04-amd64
8The-MALWAR...ece0c5
ubuntu-22.04-amd64
8The-MALWAR...257619
ubuntu-24.04-amd64
8The-MALWAR...fbcc59
ubuntu-24.04-amd64
8The-MALWAR...54f69c
ubuntu-22.04-amd64
8The-MALWAR...d539a6
ubuntu-24.04-amd64
8The-MALWAR...4996dd
ubuntu-24.04-amd64
8The-MALWAR...8232d5
ubuntu-22.04-amd64
8The-MALWAR...66b948
ubuntu-24.04-amd64
8The-MALWAR...f9db86
ubuntu-24.04-amd64
8The-MALWAR...ea2485
ubuntu-22.04-amd64
8The-MALWAR...us.exe
windows7-x64
6The-MALWAR...us.exe
windows10-2004-x64
6The-MALWAR....a.exe
windows7-x64
3The-MALWAR....a.exe
windows10-2004-x64
3The-MALWAR....a.exe
windows7-x64
7The-MALWAR....a.exe
windows10-2004-x64
7The-MALWAR...ok.exe
windows7-x64
10The-MALWAR...ok.exe
windows10-2004-x64
1The-MALWAR...y.html
windows7-x64
3The-MALWAR...y.html
windows10-2004-x64
3The-MALWAR...ft.exe
windows7-x64
4The-MALWAR...ft.exe
windows10-2004-x64
4The-MALWAR...en.exe
windows7-x64
6The-MALWAR...en.exe
windows10-2004-x64
6The-MALWAR...min.js
windows7-x64
3The-MALWAR...min.js
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-01-2025 15:12
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
Resource
ubuntu2204-amd64-20240729-en
ubuntu-22.04-amd64
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
Resource
ubuntu2204-amd64-20240729-en
ubuntu-22.04-amd64
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
Resource
ubuntu2204-amd64-20240522.1-en
ubuntu-22.04-amd64
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
Resource
ubuntu2404-amd64-20240729-en
ubuntu-24.04-amd64
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/90b61cc77bb2d726219fd00ae2d0ecdf6f0fe7078529e87b7ec8e603008232d5
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/9384b9e39334479194aacb53cb25ace289b6afe2e41bdc8619b2d2cae966b948
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral15
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/985ffee662969825146d1b465d068ea4f5f01990d13827511415fd497cf9db86
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral16
Sample
The-MALWARE-Repo-master/Botnets/FritzFrog/d1e82d4a37959a9e6b661e31b8c8c6d2813c93ac92508a2771b2491b04ea2485
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Email-Worm/Amus.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Email-Worm/Amus.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Email-Worm/Anap.a.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Email-Worm/Anap.a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Email-Worm/Axam.a.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Email-Worm/Axam.a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Email-Worm/Brontok.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Email-Worm/Brontok.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Email-Worm/BubbleBoy.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Email-Worm/BubbleBoy.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Email-Worm/Bugsoft.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Email-Worm/Duksten.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Email-Worm/Duksten.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/Email-Worm/Emin.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/Email-Worm/Emin.js
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
The-MALWARE-Repo-master/Email-Worm/Brontok.exe
-
Size
106KB
-
MD5
d7506150617460e34645025f1ca2c74b
-
SHA1
5e7d5daf73a72473795d591f831e8a2054947668
-
SHA256
941ebf1dc12321bbe430994a55f6e22a1b83cea2fa7d281484ea2dab06353112
-
SHA512
69e0bd07a8bdbfe066593cdd81acd530b3d12b21e637c1af511b8fee447831b8d822065c5a74a477fe6590962ceff8d64d83ae9c41efd930636921d4d6567f6f
-
SSDEEP
768:i9R/zAKUQfZw7j4KBHZD8f5R3ETmv48Xxh04UwQaMzl6G1gNov35BMC:0AcwPf5D8rUTmnX9maQ6SgM5
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" Brontok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.pif\"" inetinfo.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Brontok.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" inetinfo.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Brontok.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" inetinfo.exe -
Disables RegEdit via registry modification 12 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" Brontok.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" inetinfo.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Brontok.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" services.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" inetinfo.exe -
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" inetinfo.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" Brontok.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" services.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com inetinfo.exe File created C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com inetinfo.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif smss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif smss.exe -
Executes dropped EXE 5 IoCs
pid Process 2608 smss.exe 1484 winlogon.exe 2800 services.exe 2984 lsass.exe 1680 inetinfo.exe -
Loads dropped DLL 10 IoCs
pid Process 2828 Brontok.exe 2828 Brontok.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe 2608 smss.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" Brontok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" Brontok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" services.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\"" inetinfo.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"" inetinfo.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Admin's Setting.scr smss.exe File created C:\Windows\SysWOW64\Admin's Setting.scr smss.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File created C:\Windows\ShellNew\bronstab.exe Brontok.exe File opened for modification C:\Windows\eksplorasi.pif smss.exe File opened for modification C:\Windows\eksplorasi.pif services.exe File opened for modification C:\Windows\ShellNew\bronstab.exe lsass.exe File opened for modification C:\Windows\eksplorasi.pif lsass.exe File created C:\Windows\eksplorasi.pif Brontok.exe File opened for modification C:\Windows\ShellNew\bronstab.exe winlogon.exe File opened for modification C:\Windows\ShellNew\bronstab.exe inetinfo.exe File opened for modification C:\Windows\eksplorasi.pif Brontok.exe File opened for modification C:\Windows\ShellNew\bronstab.exe smss.exe File opened for modification C:\Windows\ShellNew\bronstab.exe services.exe File opened for modification C:\Windows\ShellNew\bronstab.exe Brontok.exe File opened for modification C:\Windows\eksplorasi.pif winlogon.exe File opened for modification C:\Windows\eksplorasi.pif inetinfo.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language services.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lsass.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Brontok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inetinfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 inetinfo.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a inetinfo.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a inetinfo.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2828 Brontok.exe 2608 smss.exe 1484 winlogon.exe 2800 services.exe 2984 lsass.exe 1680 inetinfo.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2828 wrote to memory of 2676 2828 Brontok.exe 31 PID 2828 wrote to memory of 2676 2828 Brontok.exe 31 PID 2828 wrote to memory of 2676 2828 Brontok.exe 31 PID 2828 wrote to memory of 2676 2828 Brontok.exe 31 PID 2828 wrote to memory of 2608 2828 Brontok.exe 33 PID 2828 wrote to memory of 2608 2828 Brontok.exe 33 PID 2828 wrote to memory of 2608 2828 Brontok.exe 33 PID 2828 wrote to memory of 2608 2828 Brontok.exe 33 PID 2608 wrote to memory of 1484 2608 smss.exe 34 PID 2608 wrote to memory of 1484 2608 smss.exe 34 PID 2608 wrote to memory of 1484 2608 smss.exe 34 PID 2608 wrote to memory of 1484 2608 smss.exe 34 PID 2608 wrote to memory of 1052 2608 smss.exe 35 PID 2608 wrote to memory of 1052 2608 smss.exe 35 PID 2608 wrote to memory of 1052 2608 smss.exe 35 PID 2608 wrote to memory of 1052 2608 smss.exe 35 PID 2608 wrote to memory of 2796 2608 smss.exe 37 PID 2608 wrote to memory of 2796 2608 smss.exe 37 PID 2608 wrote to memory of 2796 2608 smss.exe 37 PID 2608 wrote to memory of 2796 2608 smss.exe 37 PID 2608 wrote to memory of 2800 2608 smss.exe 39 PID 2608 wrote to memory of 2800 2608 smss.exe 39 PID 2608 wrote to memory of 2800 2608 smss.exe 39 PID 2608 wrote to memory of 2800 2608 smss.exe 39 PID 2608 wrote to memory of 2984 2608 smss.exe 40 PID 2608 wrote to memory of 2984 2608 smss.exe 40 PID 2608 wrote to memory of 2984 2608 smss.exe 40 PID 2608 wrote to memory of 2984 2608 smss.exe 40 PID 2608 wrote to memory of 1680 2608 smss.exe 41 PID 2608 wrote to memory of 1680 2608 smss.exe 41 PID 2608 wrote to memory of 1680 2608 smss.exe 41 PID 2608 wrote to memory of 1680 2608 smss.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Users\Admin\AppData\Local\smss.exeC:\Users\Admin\AppData\Local\smss.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Users\Admin\AppData\Local\winlogon.exeC:\Users\Admin\AppData\Local\winlogon.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Windows\SysWOW64\at.exeat /delete /y3⤵
- System Location Discovery: System Language Discovery
PID:1052
-
-
C:\Windows\SysWOW64\at.exeat 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WowTumpeh.com"3⤵
- System Location Discovery: System Language Discovery
PID:2796
-
-
C:\Users\Admin\AppData\Local\services.exeC:\Users\Admin\AppData\Local\services.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Users\Admin\AppData\Local\lsass.exeC:\Users\Admin\AppData\Local\lsass.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2984
-
-
C:\Users\Admin\AppData\Local\inetinfo.exeC:\Users\Admin\AppData\Local\inetinfo.exe3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
106KB
MD5d7506150617460e34645025f1ca2c74b
SHA15e7d5daf73a72473795d591f831e8a2054947668
SHA256941ebf1dc12321bbe430994a55f6e22a1b83cea2fa7d281484ea2dab06353112
SHA51269e0bd07a8bdbfe066593cdd81acd530b3d12b21e637c1af511b8fee447831b8d822065c5a74a477fe6590962ceff8d64d83ae9c41efd930636921d4d6567f6f
-
Filesize
64KB
MD589f88ed3f1417d63ff221c7083e0dc32
SHA1d03142eac2e4b4046d844cc8b9c234bf32354774
SHA256a621a5dbfb406f3e3397169a89f27399b9b9bedf30a54bf9e198e3eebe17a0b6
SHA5124fe0fb2bfe6e15980479ad3e497600322b7c3364115e7646773d155d01fa5d4394a2f00e7575375039d18683b44e725c1d37ba8a578643ab74e056dc6e164d3c