bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659

General

Target

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
Size

1.2MB
MD5

c257adbfd6c6ca7d12197eb2a843af29
SHA1

5388b0214498f81785859ef5b8ad886af8090cb1
SHA256

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659
SHA512

797c631248612fd9190ac06c8badc9c78d212c1284cbec5da6a6b57b3606e1a5e9307bffe41a0cdd2dbd32670260d778850d7636a26292c79c375481bcf43eec

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Venir.exe.pif

pid process

1236 Venir.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

744 cmd.exe

pid	process
1236	Venir.exe.pif

pid	process
744	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1164 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1728 tasklist.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

856 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 1728 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Venir.exe.pif

pid process

1236 Venir.exe.pif
1236 Venir.exe.pif
1236 Venir.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Venir.exe.pif

pid process

1236 Venir.exe.pif
1236 Venir.exe.pif
1236 Venir.exe.pif

pid	process
1164	schtasks.exe

pid	process
1728	tasklist.exe

pid	process
856	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1728	tasklist.exe

pid	process
1236	Venir.exe.pif
1236	Venir.exe.pif
1236	Venir.exe.pif

pid	process
1236	Venir.exe.pif
1236	Venir.exe.pif
1236	Venir.exe.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exenet.execmd.execmd.exeVenir.exe.pif

description	pid	process	target process
PID 1968 wrote to memory of 1504	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 1968 wrote to memory of 1504	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 1968 wrote to memory of 1504	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 1968 wrote to memory of 1504	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	net.exe
PID 1504 wrote to memory of 1832	1504	net.exe	net1.exe
PID 1504 wrote to memory of 1832	1504	net.exe	net1.exe
PID 1504 wrote to memory of 1832	1504	net.exe	net1.exe
PID 1504 wrote to memory of 1832	1504	net.exe	net1.exe
PID 1968 wrote to memory of 1696	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 1968 wrote to memory of 1696	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 1968 wrote to memory of 1696	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 1968 wrote to memory of 1696	1968	bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe	cmd.exe
PID 1696 wrote to memory of 744	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 744	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 744	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 744	1696	cmd.exe	cmd.exe
PID 744 wrote to memory of 1728	744	cmd.exe	tasklist.exe
PID 744 wrote to memory of 1728	744	cmd.exe	tasklist.exe
PID 744 wrote to memory of 1728	744	cmd.exe	tasklist.exe
PID 744 wrote to memory of 1728	744	cmd.exe	tasklist.exe
PID 744 wrote to memory of 940	744	cmd.exe	find.exe
PID 744 wrote to memory of 940	744	cmd.exe	find.exe
PID 744 wrote to memory of 940	744	cmd.exe	find.exe
PID 744 wrote to memory of 940	744	cmd.exe	find.exe
PID 744 wrote to memory of 1232	744	cmd.exe	findstr.exe
PID 744 wrote to memory of 1232	744	cmd.exe	findstr.exe
PID 744 wrote to memory of 1232	744	cmd.exe	findstr.exe
PID 744 wrote to memory of 1232	744	cmd.exe	findstr.exe
PID 744 wrote to memory of 1236	744	cmd.exe	Venir.exe.pif
PID 744 wrote to memory of 1236	744	cmd.exe	Venir.exe.pif
PID 744 wrote to memory of 1236	744	cmd.exe	Venir.exe.pif
PID 744 wrote to memory of 1236	744	cmd.exe	Venir.exe.pif
PID 744 wrote to memory of 856	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 856	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 856	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 856	744	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1164	1236	Venir.exe.pif	schtasks.exe
PID 1236 wrote to memory of 1164	1236	Venir.exe.pif	schtasks.exe
PID 1236 wrote to memory of 1164	1236	Venir.exe.pif	schtasks.exe
PID 1236 wrote to memory of 1164	1236	Venir.exe.pif	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
"C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\net.exe
net -?
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 -?
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Mio.mpeg
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:940

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CyeykLUQNXJSDjdLKpQAeXmdxwOyFRjpssKapjdmLVpksUOnZVuYTkTEGLLlXOlWKAAkCXCbSsOuOhZmhdyKKhdubyMbBuCXLhBRzCVeaIuCvNQaMkXGIAkbpxNbkyWMPRcAMiuKxrawiOJKg$" Sul.mpeg
4⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Venir.exe.pif t
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "pUWUkVNDpP" /tr "C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\pUWUkVNDpP.exe.pif C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\w" /sc onstart /F /RU SYSTEM
5⤵
- Creates scheduled task(s)
PID:1164

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arcate.mpeg
Filesize
1.8MB

MD5
19570c9356c64a6aec328e94846e97ca

SHA1
0133b60fb4fa78840635cf5b0907b7c6b0f04404

SHA256
2695dd08cae46454df5ed300521c84881c399ea1d642a4e770d3511ca4fce427

SHA512
3563096c2a0ef155cb8cb4fb233c75f0926445d116ddd25a2ffc03db96ed53d4d7c41c881111c1c7e4a91388b64f193eb8cd4832ac40c97177fe4b826ebac2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mio.mpeg
Filesize
8KB

MD5
37ca0d14ed4efa0b5fc02be1149c9b57

SHA1
a33fa850a812b9befc0d582affc9f2b9ecfe1b09

SHA256
455b8b81e22200feb8963f862c1132ca37aa1ef6cf92300a97ab446377a9913b

SHA512
7889cb39bbb38a3c3f03f6df6290091c70631e7fce6458ca33029a05a88c0743a8d6d904b2c517a3eb35df04e2436aa7d61e16b1729580b96b9872f5b7209a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.mpeg
Filesize
924KB

MD5
6ab3dd0a956b403d92d76f816dd89e38

SHA1
d2519741b8e8a9f09fd0c7de64817ad8fc0debd5

SHA256
4e70ccedae995ce7d39fcb70eceda2befba258f59fa4a95f7834b0354cc09e96

SHA512
32f8c89265b704ffe1b824ac406df3dfe3a496523a459747f42191ab5c8bb1c09745f7c34c662a66242f0517191bea34335b148590a2aac0e29b5dcfb7f2cbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/744-58-0x0000000000000000-mapping.dmp

Download
memory/856-67-0x0000000000000000-mapping.dmp

Download
memory/940-60-0x0000000000000000-mapping.dmp

Download
memory/1164-70-0x0000000000000000-mapping.dmp

Download
memory/1232-61-0x0000000000000000-mapping.dmp

Download
memory/1236-65-0x0000000000000000-mapping.dmp

Download
memory/1236-68-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1504-54-0x0000000000000000-mapping.dmp

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads