Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 06:14
General
Target: dildobuttsex.exe
Size: 203KB
MD5: 2acc98b579007810e2bf738900e7c8bd
SHA1: e001d58be0422c5511044b15f67f30f5c6fa319d
SHA256: bda855dc115902664e92ff1c4b945f367ea2a9372dc00d7b2f560ab15aca4835
SHA512: 3b2399afd11424854639b8fc79a32a5cc36283615427b0233500f12726bf0f5fa67feb8ef7183f785fd0882e0be55c4d66a3ada86284345f57fa34ff6f3fdf45
SSDEEP: 6144:MLV6Bta6dtJmakIM5wplNzULgm7SB7e+s:MLV6BtpmkPzcb87et
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
Process dildobuttsex.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"
The WOW6432Node path is the registry-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that a 32-bit process sees; the autostart entry applies machine-wide, not just to the Admin account.

Checks whether UAC is enabled
Process dildobuttsex.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops file in Program Files directory (2 IoCs)
Process dildobuttsex.exe: File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe
Process dildobuttsex.exe: File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 3852), schtasks.exe (PID 3220)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Process: dildobuttsex.exe (PID 772), three occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: dildobuttsex.exe (PID 772)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process dildobuttsex.exe (PID 772): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
PID 772 (dildobuttsex.exe) wrote to memory of PID 3852 (schtasks.exe), three times
PID 772 (dildobuttsex.exe) wrote to memory of PID 3220 (schtasks.exe), three times
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp"
    - Scheduled Task/Job: Scheduled Task
  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CC7.tmp"
    - Scheduled Task/Job: Scheduled Task
Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process; no signatures attached)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Both schtasks invocations use /f (overwrite an existing task of that name) and /xml, so the task definitions are not on the command line: they are the two 1KB files tmp33FC.tmp and tmp3CC7.tmp written to the user's Temp directory, whose hashes are listed under Downloads below.
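Detection logic for the two persistence mechanisms recorded in the signatures and process tree above, as an added example that is not part of the sandbox report. It runs over constructed process-creation and registry-set events modelled on the schtasks command lines and the Run-key write shown here (a Sysmon-like shape; the event field names, the two benign control events, and the function names are assumptions) and flags a task registered from an XML file staged in %TEMP% and a Run value written by a process executing from %TEMP%.

```python
"""Flag the persistence pattern this report records: a Run-key value set by a
binary executing from the user's Temp directory, and schtasks.exe registering
a task from an XML definition staged in that same directory.
Input events are constructed (Sysmon-like process-create / registry-set
records), not real telemetry from the sandbox."""
import re

# Constructed sample events modelled on the report above, plus two benign
# controls (an admin registering a task from an ops path, an installer under
# Program Files adding its own updater) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 772,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe"'},
    {"type": "registry", "pid": 772,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dildobuttsex.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem",
     "value": r"C:\Program Files (x86)\SMTP Subsystem\smtpss.exe"},
    {"type": "process", "pid": 3852, "ppid": 772,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp"'},
    {"type": "process", "pid": 3220, "ppid": 772,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CC7.tmp"'},
    {"type": "process", "pid": 4100, "ppid": 900,  # benign control
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\ops\backup-task.xml"'},
    {"type": "registry", "pid": 5000,  # benign control
     "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A 32-bit writer to HKLM\SOFTWARE\...\Run is redirected under WOW6432Node,
# exactly as the report shows, so match both the native and redirected key.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE)
CREATE_RE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)
XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _arg(regex, cmdline):
    """Return the quoted or bare value of a schtasks switch, or None."""
    m = regex.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def find_persistence(events):
    """Return findings, each tagged with its ATT&CK technique ID."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("\\schtasks.exe"):
            cmd = ev["cmdline"]
            xml = _arg(XML_RE, cmd)
            # A task imported from an XML definition staged in %TEMP% is the
            # pattern seen here; /xml from an admin-controlled path is not.
            if CREATE_RE.search(cmd) and xml and TEMP_RE.search(xml):
                findings.append({"technique": "T1053.005", "pid": ev["pid"],
                                 "task": _arg(TN_RE, cmd), "xml": xml})
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
            # A Run value written by a process running out of %TEMP% is the
            # dropper-style pattern; an installer registering its own updater
            # from Program Files is left alone.
            if TEMP_RE.search(ev["image"]):
                findings.append({"technique": "T1547.001", "pid": ev["pid"],
                                 "key": ev["key"], "value": ev["value"]})
    return findings


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

The two checks are deliberately narrow on the writer's location rather than on the task or value name, so they survive the sample being renamed but would miss a dropper that first copies itself out of Temp before persisting; widen the TEMP_RE path list (Downloads, Public, ProgramData) to taste.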
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), 1 hit
- Scheduled Task/Job: Scheduled Task (T1053.005), 1 hit
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp33FC.tmp
Filesize: 1KB
MD5: 1156c8494f802c2458973e9358495fde
SHA1: 0e0eca23efc056ebe032b95b94d2246f05946874
SHA256: 467138bedaa8358054acdb93ed4237f4e8125471402d2046a2fd26016500e353
SHA512: a8bfb90b48042703209d2c7437af324c9b42e34447a33dbbb50a706b89fb388ce3e807c99c98cc904491e7bdb8c68a4247b48f9632ebc3e18a892b0059e8c82a

C:\Users\Admin\AppData\Local\Temp\tmp3CC7.tmp
Filesize: 1KB
MD5: 0339b45ef206f4becc88be0d65e24b9e
SHA1: 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256: 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512: c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Memory dumps (PID 772):
memory/772-0-0x00000000750F2000-0x00000000750F3000-memory.dmp: 4KB
memory/772-1-0x00000000750F0000-0x00000000756A1000-memory.dmp: 5.7MB
memory/772-2-0x00000000750F0000-0x00000000756A1000-memory.dmp: 5.7MB
memory/772-10-0x00000000750F2000-0x00000000750F3000-memory.dmp: 4KB
memory/772-11-0x00000000750F0000-0x00000000756A1000-memory.dmp: 5.7MB
memory/772-12-0x00000000750F0000-0x00000000756A1000-memory.dmp: 5.7MB
memory/772-13-0x00000000750F0000-0x00000000756A1000-memory.dmp: 5.7MB