Analysis

  • max time kernel
    44s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-05-2022 11:10

General

  • Target

    37710c8c1faa69416e6fd5ef93bff1b2.exe

  • Size

    1.2MB

  • MD5

    37710c8c1faa69416e6fd5ef93bff1b2

  • SHA1

    65457baa7458cafd4e1e69c17e05f897fb75f6d5

  • SHA256

    a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f

  • SHA512

    0c709ee122c950d4da796caecfc44beeaab5954bd8dcec44799f2715cb4f30e3493d02bfba35273510015158bc059496a21ee463be9265ac099d41b639cbb61a

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe
        "C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c 888
          3⤵
            PID:1640
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c cmd < Bisogna.xltx
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Windows\SysWOW64\cmd.exe
              cmd
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FI "imagename eq BullGuardCore.exe"
                5⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2044
              • C:\Windows\SysWOW64\find.exe
                find /I /N "bullguardcore.exe"
                5⤵
                  PID:2032
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /FI "imagename eq PSUAService.exe"
                  5⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:572
                • C:\Windows\SysWOW64\find.exe
                  find /I /N "psuaservice.exe"
                  5⤵
                    PID:1284
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr /V /R "^QlYYGayeJrJMVaFucCpjnLjXjfCAOcjSVkPrFqRcTeOzyFebtlQOryCyXqLdPEhgQRRJCCBxLOzvXSSHh$" Vederlo.xltx
                    5⤵
                      PID:360
                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
                      Sia.exe.pif o
                      5⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:280
                    • C:\Windows\SysWOW64\PING.EXE
                      ping localhost -n 5
                      5⤵
                      • Runs ping.exe
                      PID:276
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\rYrhtCJypf\iIvLPClunfOCW.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url"
                2⤵
                • Drops startup file
                PID:1204

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.xltx

              Filesize

              9KB

              MD5

              3dc4a3ab1f072e3596ab62442a8895f5

              SHA1

              87888d06ed28a9139afe0986ef230fb80c2ad35a

              SHA256

              fae92ed3d0ecaa46a0b7aebbc75f3268824068dec93f2ce8d0df3c38b279f046

              SHA512

              0215d031307f1c6cd55dca966fdab8387f70a50e2734e6fca4176892c4f3d33b1bb02ddaefb8cd6f79e9f122d0162f9ac010a287f15201b5938fd1f84709143a

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Giacche.xltx

              Filesize

              1.8MB

              MD5

              0adef5c57cf8c90d23e956595826726e

              SHA1

              8732d83dd37f4b1745d96175ab66edc9b5ec7281

              SHA256

              02e454b2b7dd43d262fd3c3ff8a8baded76a556653d17bfd2dba5457bc8c22d5

              SHA512

              72cc8591e6994938d0c28b34617bc0218004a1e4cf2e9e0783bbc804527d837bcbe0f0310c392d92ae4ed9d4555d3637e821613d16a2e91592f4b34c5ee57645

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif

              Filesize

              924KB

              MD5

              6987e4cd3f256462f422326a7ef115b9

              SHA1

              71672a495b4603ecfec40a65254cb3ba8766bbe0

              SHA256

              3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

              SHA512

              4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif

              Filesize

              924KB

              MD5

              6987e4cd3f256462f422326a7ef115b9

              SHA1

              71672a495b4603ecfec40a65254cb3ba8766bbe0

              SHA256

              3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

              SHA512

              4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vederlo.xltx

              Filesize

              924KB

              MD5

              4f740a8b34570d48a914076ff4785932

              SHA1

              3029a7e0769f2ecc60f2cb46142dea6ff975dd09

              SHA256

              f4515fb1d5ee3db30f1edd3b40ec3d792f9f386091156012d08f1451272e7809

              SHA512

              48640664678a793736582a58ecfc3fc2c6679b6957e0fd81d6e71210c2a1b3ead944229ec3e496383ab3d0905be33b2051b5eb4cc151cdca1f8746e086a57d88

            • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif

              Filesize

              924KB

              MD5

              6987e4cd3f256462f422326a7ef115b9

              SHA1

              71672a495b4603ecfec40a65254cb3ba8766bbe0

              SHA256

              3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

              SHA512

              4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

            • memory/276-68-0x0000000000000000-mapping.dmp

            • memory/280-69-0x00000000762C1000-0x00000000762C3000-memory.dmp

              Filesize

              8KB

            • memory/280-66-0x0000000000000000-mapping.dmp

            • memory/360-62-0x0000000000000000-mapping.dmp

            • memory/572-60-0x0000000000000000-mapping.dmp

            • memory/1204-71-0x0000000000000000-mapping.dmp

            • memory/1284-61-0x0000000000000000-mapping.dmp

            • memory/1472-57-0x0000000000000000-mapping.dmp

            • memory/1640-54-0x0000000000000000-mapping.dmp

            • memory/1924-55-0x0000000000000000-mapping.dmp

            • memory/2032-59-0x0000000000000000-mapping.dmp

            • memory/2044-58-0x0000000000000000-mapping.dmp