Overview

overview

8

Static

static

3

main.exe

windows11-21h2-x64

8

Resubmissions

22-01-2025 15:54

250122-tca45stnat 8

22-01-2025 13:12

250122-qfg53sxpfv 10

Analysis

  • max time kernel
    49s
  • max time network
    34s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-01-2025 15:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    7.3MB

  • MD5

    17741d73622b968fb2994a7ecab90b21

  • SHA1

    bf1676bd064c4b9a1151348bc4310c15f506d205

  • SHA256

    9dc579518e8d00546ce132209aee6f5c8eb78b22ed5828f316cdf0f81c720521

  • SHA512

    3a5833a9c687f79428707e1be15fcda5d7aacd21b05e765235efa13f6424d30d501f5bd85d6dc1b62bcab947dae7069334ed8fba39365b1fa217ad7daec62f06

  • SSDEEP

    196608:/snm8b83kdaXMCHGLLc54i1wN+DrRRu7NtbFRKnZMvDrGmh1wlxN8:G5/cXMCHWUj7rRQ7XbFsn6vH5WN

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 61 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\main.exe
      "C:\Users\Admin\AppData\Local\Temp\main.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /0
          4⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:2916
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3032
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\SNF4KQJV\www.bing[1].xml
    Filesize

    17KB

    MD5

    7bf4d55690e47b3137fe8054e1faf359

    SHA1

    bc7100588fd309e27198840b78334db9b53e5a6d

    SHA256

    1b41f1b2373a2838a1352ee86f60eb9a0d9820144cd1dfcd45b460d30d05976e

    SHA512

    40552249a38146c245d5cd6a136337e51bc2449f4cc3f5aa6c8107e2bf28188c2f70b385b63741e33019ea2eccd3e74669b4f53f72c01281661301eb553468d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\MSVCP140.dll
    Filesize

    561KB

    MD5

    72f3d84384e888bf0d38852eb863026b

    SHA1

    8e6a0257591eb913ae7d0e975c56306b3f680b3f

    SHA256

    a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde

    SHA512

    6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\VCRUNTIME140.dll
    Filesize

    117KB

    MD5

    862f820c3251e4ca6fc0ac00e4092239

    SHA1

    ef96d84b253041b090c243594f90938e9a487a9a

    SHA256

    36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

    SHA512

    2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\VCRUNTIME140_1.dll
    Filesize

    48KB

    MD5

    68156f41ae9a04d89bb6625a5cd222d4

    SHA1

    3be29d5c53808186eba3a024be377ee6f267c983

    SHA256

    82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

    SHA512

    f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_bz2.pyd
    Filesize

    83KB

    MD5

    c17dcb7fc227601471a641ec90e6237f

    SHA1

    c93a8c2430e844f40f1d9c880aa74612409ffbb9

    SHA256

    55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

    SHA512

    38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_ctypes.pyd
    Filesize

    129KB

    MD5

    2bd5dabbb35398a506e3406bc01eba26

    SHA1

    af3ab9d8467e25367d03cb7479a3e4324917f8d0

    SHA256

    5c4c489ac052795c27af063c96bc4db5ab250144d4839050cfa9bb3836b87c32

    SHA512

    c07860d86ae0d900e44945da77e3b620005667304c0715985f06000f3d410fffb7e38e1bc84e4e6d24889d46b9dac6bf18861c95b2b09e760012edc5406b3838

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_decimal.pyd
    Filesize

    274KB

    MD5

    ad4324e5cc794d626ffccda544a5a833

    SHA1

    ef925e000383b6cad9361430fc38264540d434a5

    SHA256

    040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

    SHA512

    0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_hashlib.pyd
    Filesize

    63KB

    MD5

    422e214ca76421e794b99f99a374b077

    SHA1

    58b24448ab889948303cdefe28a7c697687b7ebc

    SHA256

    78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

    SHA512

    03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_lzma.pyd
    Filesize

    155KB

    MD5

    66a9028efd1bb12047dafce391fd6198

    SHA1

    e0b61ce28ea940f1f0d5247d40abe61ae2b91293

    SHA256

    e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

    SHA512

    3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\_socket.pyd
    Filesize

    82KB

    MD5

    abf998769f3cba685e90fa06e0ec8326

    SHA1

    daa66047cf22b6be608127f8824e59b30c9026bf

    SHA256

    62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

    SHA512

    08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\base_library.zip
    Filesize

    1.3MB

    MD5

    18c3f8bf07b4764d340df1d612d28fad

    SHA1

    fc0e09078527c13597c37dbea39551f72bbe9ae8

    SHA256

    6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

    SHA512

    135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\libcrypto-3.dll
    Filesize

    5.0MB

    MD5

    123ad0908c76ccba4789c084f7a6b8d0

    SHA1

    86de58289c8200ed8c1fc51d5f00e38e32c1aad5

    SHA256

    4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

    SHA512

    80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\libery.dll
    Filesize

    111KB

    MD5

    655e4e9a4280e04ef71088581d2ee960

    SHA1

    933c7742d8ea0b57ce10f25cc48f7130c10dbd22

    SHA256

    c11a3d0e04e33e083ffb071002c1e7d8d851bf1b05867f1d29ec9cdbb35e5ca4

    SHA512

    a0e44726d4ef87dbfd1b8f5ed37968444e0cbb8ea7b88395467fe979e306120461085c9aa738ce997d08e08d31109b7eb810034e2ef53b16538e9d1c50f1fd27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\libffi-8.dll
    Filesize

    38KB

    MD5

    0f8e4992ca92baaf54cc0b43aaccce21

    SHA1

    c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

    SHA256

    eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

    SHA512

    6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\python313.dll
    Filesize

    5.8MB

    MD5

    3aad23292404a7038eb07ce5a6348256

    SHA1

    35cac5479699b28549ebe36c1d064bfb703f0857

    SHA256

    78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

    SHA512

    f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\rc.exe
    Filesize

    49KB

    MD5

    a67d6f660c7094d1007037d764bd80e3

    SHA1

    503d86c0999a213159223de7890d786ca1b64842

    SHA256

    9274b05389a0a99c9d7c7aba9ecb6341023b2addc3435dd814fbf04af641c5e5

    SHA512

    8e253b705d1b5579e7c71702389a62c46f9714b63f2c4b33f9d33e3384daffe9c49e7be5210713c2459afa6a6a9c7075cf0b45489332a33ca0985ad38a6f8882

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\rcdll.dll
    Filesize

    19KB

    MD5

    924239278b93e09b6e97125a18079f70

    SHA1

    de0591ee2e171df31783a0239c96134b7b786923

    SHA256

    cfe8de2fc5b222a84e6e8a537a45027cc929004782e04fbb6f6eb40da707061e

    SHA512

    0264f0ddc0a1a34238d5244945aa295ac2024e869a5f266d77da522dcb87c9f7ec7fd7efd039bd6d44700f30d8a7a9074617ef539998fcf2abe008281004426a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\select.pyd
    Filesize

    31KB

    MD5

    62fe3761d24b53d98cc9b0cbbd0feb7c

    SHA1

    317344c9edf2fcfa2b9bc248a18f6e6acedafffb

    SHA256

    81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

    SHA512

    a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI46842\unicodedata.pyd
    Filesize

    695KB

    MD5

    43b8b61debbc6dd93124a00ddd922d8c

    SHA1

    5dee63d250ac6233aac7e462eee65c5326224f01

    SHA256

    3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

    SHA512

    dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

    Download Submit

  • memory/2916-413-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-417-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-415-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-416-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-414-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-405-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-406-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-407-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-411-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-412-0x000002285CC40000-0x000002285CC41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3032-146-0x0000028FD8B80000-0x0000028FD8C80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3032-280-0x0000028FDCA80000-0x0000028FDCB80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3032-191-0x0000028FD8AF0000-0x0000028FD8B10000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3032-190-0x0000028FD8EA0000-0x0000028FD8FA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3032-189-0x0000028FD8E20000-0x0000028FD8E40000-memory.dmp

    Filesize

    128KB

    Download