a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f

General

Target

37710c8c1faa69416e6fd5ef93bff1b2.exe
Size

1.2MB
MD5

37710c8c1faa69416e6fd5ef93bff1b2
SHA1

65457baa7458cafd4e1e69c17e05f897fb75f6d5
SHA256

a11547298e187eb98cb99e5fbaa66260ce912a398252adf09da4ae816045961f
SHA512

0c709ee122c950d4da796caecfc44beeaab5954bd8dcec44799f2715cb4f30e3493d02bfba35273510015158bc059496a21ee463be9265ac099d41b639cbb61a

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Sia.exe.pif

description pid process target process

PID 280 created 1356 280 Sia.exe.pif Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

Sia.exe.pif

pid process

280 Sia.exe.pif

description	pid	process	target process
PID 280 created 1356	280	Sia.exe.pif	Explorer.EXE

pid	process
280	Sia.exe.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe

pid	process
1472	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

37710c8c1faa69416e6fd5ef93bff1b2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	37710c8c1faa69416e6fd5ef93bff1b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	37710c8c1faa69416e6fd5ef93bff1b2.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

572 tasklist.exe
2044 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

276 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Sia.exe.pif

pid process

280 Sia.exe.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2044 tasklist.exe
Token: SeDebugPrivilege 572 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sia.exe.pif

pid process

280 Sia.exe.pif
280 Sia.exe.pif
280 Sia.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sia.exe.pif

pid process

280 Sia.exe.pif
280 Sia.exe.pif
280 Sia.exe.pif

pid	process
572	tasklist.exe
2044	tasklist.exe

pid	process
276	PING.EXE

pid	process
280	Sia.exe.pif

description	pid	process
Token: SeDebugPrivilege	2044	tasklist.exe
Token: SeDebugPrivilege	572	tasklist.exe

pid	process
280	Sia.exe.pif
280	Sia.exe.pif
280	Sia.exe.pif

pid	process
280	Sia.exe.pif
280	Sia.exe.pif
280	Sia.exe.pif

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

37710c8c1faa69416e6fd5ef93bff1b2.execmd.execmd.exeSia.exe.pif

description	pid	process	target process
PID 1668 wrote to memory of 1640	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1640	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1640	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1640	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1924	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1924	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1924	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1668 wrote to memory of 1924	1668	37710c8c1faa69416e6fd5ef93bff1b2.exe	cmd.exe
PID 1924 wrote to memory of 1472	1924	cmd.exe	cmd.exe
PID 1924 wrote to memory of 1472	1924	cmd.exe	cmd.exe
PID 1924 wrote to memory of 1472	1924	cmd.exe	cmd.exe
PID 1924 wrote to memory of 1472	1924	cmd.exe	cmd.exe
PID 1472 wrote to memory of 2044	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 2044	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 2044	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 2044	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 2032	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 2032	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 2032	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 2032	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 572	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 572	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 572	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 572	1472	cmd.exe	tasklist.exe
PID 1472 wrote to memory of 1284	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 1284	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 1284	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 1284	1472	cmd.exe	find.exe
PID 1472 wrote to memory of 360	1472	cmd.exe	findstr.exe
PID 1472 wrote to memory of 360	1472	cmd.exe	findstr.exe
PID 1472 wrote to memory of 360	1472	cmd.exe	findstr.exe
PID 1472 wrote to memory of 360	1472	cmd.exe	findstr.exe
PID 1472 wrote to memory of 280	1472	cmd.exe	Sia.exe.pif
PID 1472 wrote to memory of 280	1472	cmd.exe	Sia.exe.pif
PID 1472 wrote to memory of 280	1472	cmd.exe	Sia.exe.pif
PID 1472 wrote to memory of 280	1472	cmd.exe	Sia.exe.pif
PID 1472 wrote to memory of 276	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 276	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 276	1472	cmd.exe	PING.EXE
PID 1472 wrote to memory of 276	1472	cmd.exe	PING.EXE
PID 280 wrote to memory of 1204	280	Sia.exe.pif	cmd.exe
PID 280 wrote to memory of 1204	280	Sia.exe.pif	cmd.exe
PID 280 wrote to memory of 1204	280	Sia.exe.pif	cmd.exe
PID 280 wrote to memory of 1204	280	Sia.exe.pif	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe
"C:\Users\Admin\AppData\Local\Temp\37710c8c1faa69416e6fd5ef93bff1b2.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c 888
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Bisogna.xltx
3⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:2032

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:1284

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^QlYYGayeJrJMVaFucCpjnLjXjfCAOcjSVkPrFqRcTeOzyFebtlQOryCyXqLdPEhgQRRJCCBxLOzvXSSHh$" Vederlo.xltx
5⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Sia.exe.pif o
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:276

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\rYrhtCJypf\iIvLPClunfOCW.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ayzpVWmiSi.url"
2⤵
- Drops startup file
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bisogna.xltx
Filesize
9KB

MD5
3dc4a3ab1f072e3596ab62442a8895f5

SHA1
87888d06ed28a9139afe0986ef230fb80c2ad35a

SHA256
fae92ed3d0ecaa46a0b7aebbc75f3268824068dec93f2ce8d0df3c38b279f046

SHA512
0215d031307f1c6cd55dca966fdab8387f70a50e2734e6fca4176892c4f3d33b1bb02ddaefb8cd6f79e9f122d0162f9ac010a287f15201b5938fd1f84709143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Giacche.xltx
Filesize
1.8MB

MD5
0adef5c57cf8c90d23e956595826726e

SHA1
8732d83dd37f4b1745d96175ab66edc9b5ec7281

SHA256
02e454b2b7dd43d262fd3c3ff8a8baded76a556653d17bfd2dba5457bc8c22d5

SHA512
72cc8591e6994938d0c28b34617bc0218004a1e4cf2e9e0783bbc804527d837bcbe0f0310c392d92ae4ed9d4555d3637e821613d16a2e91592f4b34c5ee57645

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vederlo.xltx
Filesize
924KB

MD5
4f740a8b34570d48a914076ff4785932

SHA1
3029a7e0769f2ecc60f2cb46142dea6ff975dd09

SHA256
f4515fb1d5ee3db30f1edd3b40ec3d792f9f386091156012d08f1451272e7809

SHA512
48640664678a793736582a58ecfc3fc2c6679b6957e0fd81d6e71210c2a1b3ead944229ec3e496383ab3d0905be33b2051b5eb4cc151cdca1f8746e086a57d88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sia.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/276-68-0x0000000000000000-mapping.dmp

Download
memory/280-69-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/280-66-0x0000000000000000-mapping.dmp

Download
memory/360-62-0x0000000000000000-mapping.dmp

Download
memory/572-60-0x0000000000000000-mapping.dmp

Download
memory/1204-71-0x0000000000000000-mapping.dmp

Download
memory/1284-61-0x0000000000000000-mapping.dmp

Download
memory/1472-57-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000000000000-mapping.dmp

Download
memory/1924-55-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads