Analysis
max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 19-05-2022 11:10

Static task: static1
Behavioral task: behavioral1
  Sample: 37710c8c1faa69416e6fd5ef93bff1b2.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 37710c8c1faa69416e6fd5ef93bff1b2.exe
  Resource: win10v2004-20220414-en

General
Target: 37710c8c1faa69416e6fd5ef93bff1b2.exe
Size: 1.2MB
MD5: 37710c8c1faa69416e6fd5ef93bff1b2
SHA1: 65457baa7458cafd4e1e69c17e05f897fb75f6d5
SHA256: a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f
SHA512: 0c709ee122c950d4da796caecfc44beeaab5954bd8dcec44799f2715cb4f30e3493d02bfba35273510015158bc059496a21ee463be9265ac099d41b639cbb61a
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 280 created 1356 | 280 | Sia.exe.pif | Explorer.EXE
Executes dropped EXE (1 IoC)
  Processes (pid | process):
    280 | Sia.exe.pif
Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url | cmd.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url | cmd.exe
Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1472 | cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 37710c8c1faa69416e6fd5ef93bff1b2.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 37710c8c1faa69416e6fd5ef93bff1b2.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes (pid | process):
    572 | tasklist.exe
    2044 | tasklist.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    280 | Sia.exe.pif
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2044 | tasklist.exe
    Token: SeDebugPrivilege | 572 | tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
    280 | Sia.exe.pif (recorded 3 times)
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid | process):
    280 | Sia.exe.pif (recorded 3 times)
Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (description | pid | process | target process); each of the 11 distinct writes below is recorded 4 times:
    PID 1668 wrote to memory of 1640 | 1668 | 37710c8c1faa69416e6fd5ef93bff1b2.exe | cmd.exe
    PID 1668 wrote to memory of 1924 | 1668 | 37710c8c1faa69416e6fd5ef93bff1b2.exe | cmd.exe
    PID 1924 wrote to memory of 1472 | 1924 | cmd.exe | cmd.exe
    PID 1472 wrote to memory of 2044 | 1472 | cmd.exe | tasklist.exe
    PID 1472 wrote to memory of 2032 | 1472 | cmd.exe | find.exe
    PID 1472 wrote to memory of 572 | 1472 | cmd.exe | tasklist.exe
    PID 1472 wrote to memory of 1284 | 1472 | cmd.exe | find.exe
    PID 1472 wrote to memory of 360 | 1472 | cmd.exe | findstr.exe
    PID 1472 wrote to memory of 280 | 1472 | cmd.exe | Sia.exe.pif
    PID 1472 wrote to memory of 276 | 1472 | cmd.exe | PING.EXE
    PID 280 wrote to memory of 1204 | 280 | Sia.exe.pif | cmd.exe
Processes (indented by process-tree depth)
C:\Windows\Explorer.EXE (PID 1356)
  Command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe (PID 1668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1640)
      Command line: cmd /c 888
    C:\Windows\SysWOW64\cmd.exe (PID 1924)
      Command line: cmd /c cmd < Bisogna.xltx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1472)
        Command line: cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\tasklist.exe (PID 2044)
          Command line: tasklist /FI "imagename eq BullGuardCore.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\find.exe (PID 2032)
          Command line: find /I /N "bullguardcore.exe"
        C:\Windows\SysWOW64\tasklist.exe (PID 572)
          Command line: tasklist /FI "imagename eq PSUAService.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\find.exe (PID 1284)
          Command line: find /I /N "psuaservice.exe"
        C:\Windows\SysWOW64\findstr.exe (PID 360)
          Command line: findstr /V /R "^QlYYGayeJrJMVaFucCpjnLjXjfCAOcjSVkPrFqRcTeOzyFebtlQOryCyXqLdPEhgQRRJCCBxLOzvXSSHh$" Vederlo.xltx
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif (PID 280)
          Command line: Sia.exe.pif o
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 276)
          Command line: ping localhost -n 5
          - Runs ping.exe
  C:\Windows\SysWOW64\cmd.exe (PID 1204)
    Command line: cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\rYrhtCJypf\iIvLPClunfOCW.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url"
    - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads