Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-09-2022 17:57
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220901-en
General
- Target: file.exe
- Size: 969KB
- MD5: 0599ca3253f47f56391b864e687bea41
- SHA1: 6360e75a69c56504cacb8db5e20cf3d350dcfe6f
- SHA256: 9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782
- SHA512: 7abe72d12746af263522cb1c34530321c70b62ff4db11b9c77c1cd6df7b2adb1fa55b424d9370fe1fa1896e0c5eca571a470454e98ca3322609757b1348899b6
- SSDEEP: 24576:SHdnyYRdpKhSi9fLefeIcrYZ11jg+9mFZE2:SHdrRdpKhSi9z5IcI1J8Z
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: PID 832 Virtual.exe.pif
- Loads dropped DLL (1 IoCs)
  Processes: PID 2008 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: file.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (file.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (file.exe)
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  Processes: PID 2020 tasklist.exe; PID 1692 tasklist.exe
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 832 Virtual.exe.pif (3 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  PID 916 robocopy.exe: Token SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  PID 2020 tasklist.exe: Token SeDebugPrivilege
  PID 1692 tasklist.exe: Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PID 832 Virtual.exe.pif (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PID 832 Virtual.exe.pif (3 events)
- Suspicious use of WriteProcessMemory (44 IoCs; each source/target pair below is recorded four times)
  Processes (source PID and image wrote to memory of target PID and image):
  PID 768 file.exe -> PID 916 robocopy.exe
  PID 768 file.exe -> PID 1000 cmd.exe
  PID 1000 cmd.exe -> PID 2008 cmd.exe
  PID 2008 cmd.exe -> PID 2020 tasklist.exe
  PID 2008 cmd.exe -> PID 2032 find.exe
  PID 2008 cmd.exe -> PID 1692 tasklist.exe
  PID 2008 cmd.exe -> PID 1312 find.exe
  PID 2008 cmd.exe -> PID 1476 findstr.exe
  PID 2008 cmd.exe -> PID 832 Virtual.exe.pif
  PID 2008 cmd.exe -> PID 1284 PING.EXE
  PID 1000 cmd.exe -> PID 1752 PING.EXE
Processes (bracketed number is the depth in the process tree; indentation shows parent/child)
- [1] C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\robocopy.exe
        Command line: robocopy /?
        Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c cmd < Traditional.html & ping -n 5 localhost
        Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd
          Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist /FI "imagename eq AvastUI.exe"
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            Command line: find /I /N "avastui.exe"
      - [4] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist /FI "imagename eq AVGUI.exe"
            Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            Command line: find /I /N "avgui.exe"
      - [4] C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^fQEttMyCnt$" Dated.html
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
            Command line: Virtual.exe.pif p
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - [4] C:\Windows\SysWOW64\PING.EXE
            Command line: ping localhost -n 5
            Signatures: Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 5 localhost
          Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bills.html
  Filesize: 1.1MB
  MD5: 8f8aa7e4918b72b2573c5ae3dcdf191a
  SHA1: f7a0b1b044c1c106f1faa946bd16e1a3be2212e5
  SHA256: 4c715f7c96fc32aee231eb1a92c5a710a0b677975c39ceb7dc3879e7b73183f4
  SHA512: 19587dd844bf331ac7f058ef96a116a821047f9f3eda90e2ae7cc23ea50c0ad8c6b126f2e03ae7ff53c1397adbed049930ef29e8f7be55f0c6c4383190373761
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dated.html
  Filesize: 924KB
  MD5: 68078fe11bddfae803b5e36a3c315a00
  SHA1: 73db45e41a5f460d0a3f2482397a4ee1d70673c4
  SHA256: a127d4270b1855e60558e5609f761c3a91924123b5671d19ee06110af5c600e0
  SHA512: dcaff8db3c0732c6d14279c4a4881d635ae5288a3fcfe3ed1a5af4c533b8739056fa75950278629e8f5ff6a0eb155b678abbddfcdf16c0ee74b32033e971fa51
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Traditional.html
  Filesize: 12KB
  MD5: d5fc0ee5abf94f5260ac486659c95f6f
  SHA1: d5e51109b60ac95a966a63712ab82027b4c2ce51
  SHA256: fcd3ea5066fa825cd86fe234663bc372b47d27c829943f03b6537aa630e61ebf
  SHA512: d618269c68816e4bcd50075bcbc3b4b37a18746066d21184cb21b4a323d48cd9413209f667a89879bb122f444db1211673667dda935572951da933b32b56fdbf
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
  Filesize: 924KB
  MD5: 6987e4cd3f256462f422326a7ef115b9
  SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
Memory dumps
- memory/832-66-0x0000000000000000-mapping.dmp
- memory/832-69-0x0000000076871000-0x0000000076873000-memory.dmp (Filesize: 8KB)
- memory/916-54-0x0000000000000000-mapping.dmp
- memory/1000-55-0x0000000000000000-mapping.dmp
- memory/1284-68-0x0000000000000000-mapping.dmp
- memory/1312-61-0x0000000000000000-mapping.dmp
- memory/1476-62-0x0000000000000000-mapping.dmp
- memory/1692-60-0x0000000000000000-mapping.dmp
- memory/1752-70-0x0000000000000000-mapping.dmp
- memory/2008-57-0x0000000000000000-mapping.dmp
- memory/2020-58-0x0000000000000000-mapping.dmp
- memory/2032-59-0x0000000000000000-mapping.dmp