1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746

Analysis

max time kernel
57s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-06-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
Size

1.3MB
MD5

3522dc4a208a91f7042864ce15bc1398
SHA1

0d29e13a249fa713570418d5e1b306e59f4c7ea5
SHA256

1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746
SHA512

a2559e23bdf8791bd570842e70836319978214944c62065dc8ef67125ccd12ee37d9a82939fc8c62b8ec2913c993e0abf231c5f7e539e5bf2df6501ec4d99602

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1308	Indicibile.com
1960	Indicibile.com

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uNNTjIpEly.url	Indicibile.com

Loads dropped DLL 2 IoCs

pid	Process
2036	cmd.exe
1308	Indicibile.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
948	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1924	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	28
PID 748 wrote to memory of 1924	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	28
PID 748 wrote to memory of 1924	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	28
PID 748 wrote to memory of 1924	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	28
PID 748 wrote to memory of 1364	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	30
PID 748 wrote to memory of 1364	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	30
PID 748 wrote to memory of 1364	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	30
PID 748 wrote to memory of 1364	748	1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe	30
PID 1364 wrote to memory of 2036	1364	cmd.exe	32
PID 1364 wrote to memory of 2036	1364	cmd.exe	32
PID 1364 wrote to memory of 2036	1364	cmd.exe	32
PID 1364 wrote to memory of 2036	1364	cmd.exe	32
PID 2036 wrote to memory of 1208	2036	cmd.exe	33
PID 2036 wrote to memory of 1208	2036	cmd.exe	33
PID 2036 wrote to memory of 1208	2036	cmd.exe	33
PID 2036 wrote to memory of 1208	2036	cmd.exe	33
PID 2036 wrote to memory of 1308	2036	cmd.exe	34
PID 2036 wrote to memory of 1308	2036	cmd.exe	34
PID 2036 wrote to memory of 1308	2036	cmd.exe	34
PID 2036 wrote to memory of 1308	2036	cmd.exe	34
PID 2036 wrote to memory of 948	2036	cmd.exe	35
PID 2036 wrote to memory of 948	2036	cmd.exe	35
PID 2036 wrote to memory of 948	2036	cmd.exe	35
PID 2036 wrote to memory of 948	2036	cmd.exe	35
PID 1308 wrote to memory of 1960	1308	Indicibile.com	36
PID 1308 wrote to memory of 1960	1308	Indicibile.com	36
PID 1308 wrote to memory of 1960	1308	Indicibile.com	36
PID 1308 wrote to memory of 1960	1308	Indicibile.com	36

C:\Users\Admin\AppData\Local\Temp\1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe
"C:\Users\Admin\AppData\Local\Temp\1b37a296595a5ec34d72b2d833116cad9869d9b6cd795117c16f75a8eeffb746.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c kWVICA
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Pensai.xll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^PezDHcDOyTUXYowHLWSjrrYddvoFPhAhfJxUvPVlMOxeagyDNUFZYqeLrejkhYZRzHIgNukWwHmfIVYedESUHBf$" Sorridente.ppsx
      4⤵
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com
      Indicibile.com Avvelenate.bmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com Avvelenate.bmp
        5⤵
        Executes dropped EXE
        Drops startup file
        
        PID:1960
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Avvelenate.bmp

Filesize
1.1MB

MD5
d38fbf3003834442e5662a0c54615a69

SHA1
eb3217127b82cd0cdfd3ee34b65112d95c027a73

SHA256
f92b2f15d409db36db232878f74a1b3a1324fe90125e6e4eaa9903351c0c8a15

SHA512
8081112b4544f8b72e535d7d3188b3d0272b79a00a7cedfc7da3a7810f6516d81cc91caf320972899ce28e353347cf95373c42a48082d54f9f30c9d515dc8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Inespresso.xlsm

Filesize
288KB

MD5
072d168817db1479fa1ad1d48e2a635e

SHA1
52c8e5f955d819216e5a5d0c1cc380710559f859

SHA256
086db4aa8a29e0c1140da0017c4f3f3b6d3758682f95658805c55b2c2556cccf

SHA512
60d67704417d33302f2802bda81d52a1f6cf6679b83b315e6e28475916c1f7ded0706d75538ab7db275379570e632b41088c150ccdf071b29fa45d785b5042c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensai.xll

Filesize
113KB

MD5
0a0ac2863533d4a9a3ad9a555786a4dc

SHA1
f6d53675a880079f56c19edfe99f755a1f0a0df7

SHA256
4ae1c9d0c61bf6cf3f0d8abdc4507114c737b341c4315432e0dac83f81a179ce

SHA512
776f3852c5c26785d3175bb86518675eec6ba0b95e0cc6bdee62abad740ca7efff152d28134f854c4b038b9fa0ddb2e93615d36cb9d0ba5d677b594cd546ed03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.ppsx

Filesize
921KB

MD5
7e72b4d06d86451bf084bfd368ded8f6

SHA1
f6bf2b7f37434f479fa39a4bb147c4b8ce133aec

SHA256
2590785501807851a903c650059bbd427fea6c1a61c244792e856d262cf570ac

SHA512
9748ad567d377ed920a62dabeee12d4556dd6b2f7a64ec4fbed3e183a2489b24842cff9e913ef71ad9a297b62d7b7e6502e0593a608184d308a0dbf87cb8cad4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Indicibile.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1308-64-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download