Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:15
Static task: static1
Behavioral task: behavioral1
- Sample: bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
- Resource: win10-20220414-en
General
- Target: bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
- Size: 1.2MB
- MD5: c257adbfd6c6ca7d12197eb2a843af29
- SHA1: 5388b0214498f81785859ef5b8ad886af8090cb1
- SHA256: bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659
- SHA512: 797c631248612fd9190ac06c8badc9c78d212c1284cbec5da6a6b57b3606e1a5e9307bffe41a0cdd2dbd32670260d778850d7636a26292c79c375481bcf43eec
Malware Config
Signatures
-
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1236 Venir.exe.pif
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 744 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates processes with tasklist (1 TTP, 1 IoC)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1728 tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
  - 1236 Venir.exe.pif (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
  - 1236 Venir.exe.pif (3 events)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes: bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe, net.exe, cmd.exe, cmd.exe, Venir.exe.pif
  Events (source pid / process -> target pid / process; each pair was recorded 4 times, giving the 40 IoCs):
  - 1968 bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe -> 1504 net.exe
  - 1504 net.exe -> 1832 net1.exe
  - 1968 bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe -> 1696 cmd.exe
  - 1696 cmd.exe -> 744 cmd.exe
  - 744 cmd.exe -> 1728 tasklist.exe
  - 744 cmd.exe -> 940 find.exe
  - 744 cmd.exe -> 1232 findstr.exe
  - 744 cmd.exe -> 1236 Venir.exe.pif
  - 744 cmd.exe -> 856 PING.EXE
  - 1236 Venir.exe.pif -> 1164 schtasks.exe
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf5ac731a613d7ed4c1f304252c33affcee5ac48d6b74c0955fa9ccca7e35659.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net -?
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 -?
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Mio.mpeg
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist /FI "imagename eq PSUAService.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe
        Command line: find /I /N "psuaservice.exe"
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^CyeykLUQNXJSDjdLKpQAeXmdxwOyFRjpssKapjdmLVpksUOnZVuYTkTEGLLlXOlWKAAkCXCbSsOuOhZmhdyKKhdubyMbBuCXLhBRzCVeaIuCvNQaMkXGIAkbpxNbkyWMPRcAMiuKxrawiOJKg$" Sul.mpeg
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
        Command line: Venir.exe.pif t
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /create /tn "pUWUkVNDpP" /tr "C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\pUWUkVNDpP.exe.pif C:\\Users\\Admin\\AppData\\Roaming\\rmsXjBNEEc\\w" /sc onstart /F /RU SYSTEM
          - Creates scheduled task(s)
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost -n 5
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Arcate.mpeg
  Filesize: 1.8MB
  MD5: 19570c9356c64a6aec328e94846e97ca
  SHA1: 0133b60fb4fa78840635cf5b0907b7c6b0f04404
  SHA256: 2695dd08cae46454df5ed300521c84881c399ea1d642a4e770d3511ca4fce427
  SHA512: 3563096c2a0ef155cb8cb4fb233c75f0926445d116ddd25a2ffc03db96ed53d4d7c41c881111c1c7e4a91388b64f193eb8cd4832ac40c97177fe4b826ebac2b7
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mio.mpeg
  Filesize: 8KB
  MD5: 37ca0d14ed4efa0b5fc02be1149c9b57
  SHA1: a33fa850a812b9befc0d582affc9f2b9ecfe1b09
  SHA256: 455b8b81e22200feb8963f862c1132ca37aa1ef6cf92300a97ab446377a9913b
  SHA512: 7889cb39bbb38a3c3f03f6df6290091c70631e7fce6458ca33029a05a88c0743a8d6d904b2c517a3eb35df04e2436aa7d61e16b1729580b96b9872f5b7209a27
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.mpeg
  Filesize: 924KB
  MD5: 6ab3dd0a956b403d92d76f816dd89e38
  SHA1: d2519741b8e8a9f09fd0c7de64817ad8fc0debd5
  SHA256: 4e70ccedae995ce7d39fcb70eceda2befba258f59fa4a95f7834b0354cc09e96
  SHA512: 32f8c89265b704ffe1b824ac406df3dfe3a496523a459747f42191ab5c8bb1c09745f7c34c662a66242f0517191bea34335b148590a2aac0e29b5dcfb7f2cbd7
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
  Filesize: 924KB
  MD5: 6987e4cd3f256462f422326a7ef115b9
  SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\Venir.exe.pif
  Filesize: 924KB
  MD5: 6987e4cd3f256462f422326a7ef115b9
  SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
Memory dumps:
- memory/744-58-0x0000000000000000-mapping.dmp
- memory/856-67-0x0000000000000000-mapping.dmp
- memory/940-60-0x0000000000000000-mapping.dmp
- memory/1164-70-0x0000000000000000-mapping.dmp
- memory/1232-61-0x0000000000000000-mapping.dmp
- memory/1236-65-0x0000000000000000-mapping.dmp
- memory/1236-68-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize: 8KB)
- memory/1504-54-0x0000000000000000-mapping.dmp
- memory/1696-56-0x0000000000000000-mapping.dmp
- memory/1728-59-0x0000000000000000-mapping.dmp
- memory/1832-55-0x0000000000000000-mapping.dmp