Analysis
-
max time kernel
212s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
27-01-2025 19:49
General
-
Target
Tryhard - External.exe
-
Size
15.2MB
-
MD5
b032db979b409e9c010322709ccfa2ca
-
SHA1
ade674caa85fbce63b6226d100a3e1ca12b7abce
-
SHA256
6e730445f480928385d507a3cfb776caba82e0097c4a754d427a1777dc649c98
-
SHA512
9e62ceb443863659af0ba8334bd89138e0b557d67c4a9ff5c09a120dba2e3eae820b426122449fad70454296ec90889388dfb749dfe35f893cfc1a3b4c7bd016
-
SSDEEP
393216:znyYZteycGUMPXZ5MOD9dbH2urEUWjJjIfoo4jLxhI:zyiteycQZOOx1WdbJ8fUnxhI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 20 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Tryhard - External.exe"C:\Users\Admin\AppData\Local\Temp\Tryhard - External.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\tryhard - external.exe"c:\users\admin\appdata\local\temp\tryhard - external.exe "2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\tryhard - external.exe"c:\users\admin\appdata\local\temp\tryhard - external.exe "3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 19:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
Filesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
Filesize
1.7MB
MD5fb8bedf8440eb432c9f3587b8114abc0
SHA1136bb4dd38a7f6cb3e2613910607131c97674f7c
SHA256cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6
SHA512b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
206KB
MD52a9a75881394cf3f5d3ddde34c19fe1c
SHA10255921cfa316a74e13eed0bb5cda3f45a77ceba
SHA2560eea3b616221d0e3a89a5f54fbe208f18f27bd466f7035e449177a5bb2fa9378
SHA512182a321cb9eecdcf4bdc389faa05cc18ffd2fa82aee0ce531a0fa525e60c8b99429e3dc9a89736252cc05b882de258f65ebbfc561dd9208a7194fbe8b60dfb9d
-
Filesize
207KB
MD503a09ed474f2fc96aa5a9760a49f18b2
SHA1dc9be93b4d857791820f9ed01b37230df6664065
SHA256c6248a08e69bf2d1ba7be25e574a5234460c6e0673fe6de88f22beb298c0e867
SHA5123d20b6f5b80c54ce3634616250e1dd4534fd31890960acdb37e459ffd50d62a4a6d70699dab2e44fd3f297b5349ea1e3bfbfaab2f0b5ee06f58fcfdf9a7d74c3
-
Filesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
Filesize
15.0MB
MD59a734facf345e670da596dfafe58bd2b
SHA15da6d276f31aea758605321412c5a8aeaa31c9d3
SHA256da93fb3f0ce8c6d5388607359db3388cd3448d5f291d984dd05a4ca851240a56
SHA51266b3e76a28c15fcedab2b967476cfc32a4737ab598f6cf138346076bbb3154b3040b251a2e9f8372552fcd14732a0382472e9ec8212dc2dbc124545a8ab346d2
-
Filesize
206KB
MD5e387e3245b8270c962a7523eb8a0406d
SHA11931834a11565c29d347d1c16d8bf01dc47bc34b
SHA256d9eb0356b0cabfc941b93106997e6f18ed2a62949251f1ad8c5e432ce897910f
SHA512b95acf286ab48bc3745824e7953bc21bfabf0797bc55a8ce379dd14a38969bb1d76333b135ec53847fd9724abe3c85285676905575416501982f8fea5eb986ae
-
Filesize
206KB
MD549bdf5ef97e93b4f258fb732084e70c6
SHA16a4fa73c081d4c0b4cdcacb784730208a731917f
SHA256bcfb7650135e30c99188cca42fcb4b777771c6194ceabd22957ebae923d40fe2
SHA51255e79b429489d7038bca0f6488d08ab60769279a92b6add6eccf53c13e7292eaffcdb77aada6bbd4b60e3f292994076dd785c9ad50f2a35f5e233e5cbe72a843
-
Filesize
206KB
MD5a9a53f2aa98ecc890e90b8b31f6cc9ff
SHA1e3e4e29c1eef88b39c371635e40b87de1c3dfaf6
SHA2560458f661891d78ef1a79908c641cd5e263cc0fafd874be1679b66317bd391528
SHA512c0a8e389f22825048ddb0aef162e1a17e40b5c64215713c8c5213c5e615d4f955f7f1a872b5e7f2fde73f4db8b79bf9137065d3352eb5f2d699fe388849cf8a3
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.8MB