9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782

General

Target

file.exe
Size

969KB
MD5

0599ca3253f47f56391b864e687bea41
SHA1

6360e75a69c56504cacb8db5e20cf3d350dcfe6f
SHA256

9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782
SHA512

7abe72d12746af263522cb1c34530321c70b62ff4db11b9c77c1cd6df7b2adb1fa55b424d9370fe1fa1896e0c5eca571a470454e98ca3322609757b1348899b6
SSDEEP

24576:SHdnyYRdpKhSi9fLefeIcrYZ11jg+9mFZE2:SHdrRdpKhSi9z5IcI1J8Z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Virtual.exe.pif

pid process

832 Virtual.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2008 cmd.exe

pid	process
832	Virtual.exe.pif

pid	process
2008	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2020 tasklist.exe
1692 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1284 PING.EXE
1752 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Virtual.exe.pif

pid process

832 Virtual.exe.pif
832 Virtual.exe.pif
832 Virtual.exe.pif

pid	process
2020	tasklist.exe
1692	tasklist.exe

pid	process
1284	PING.EXE
1752	PING.EXE

pid	process
832	Virtual.exe.pif
832	Virtual.exe.pif
832	Virtual.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

robocopy.exetasklist.exetasklist.exe

description	pid	process
Token: SeBackupPrivilege	916	robocopy.exe
Token: SeRestorePrivilege	916	robocopy.exe
Token: SeSecurityPrivilege	916	robocopy.exe
Token: SeTakeOwnershipPrivilege	916	robocopy.exe
Token: SeDebugPrivilege	2020	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Virtual.exe.pif

pid process

832 Virtual.exe.pif
832 Virtual.exe.pif
832 Virtual.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Virtual.exe.pif

pid process

832 Virtual.exe.pif
832 Virtual.exe.pif
832 Virtual.exe.pif

pid	process
832	Virtual.exe.pif
832	Virtual.exe.pif
832	Virtual.exe.pif

pid	process
832	Virtual.exe.pif
832	Virtual.exe.pif
832	Virtual.exe.pif

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

file.execmd.execmd.exe

description	pid	process	target process
PID 768 wrote to memory of 916	768	file.exe	robocopy.exe
PID 768 wrote to memory of 916	768	file.exe	robocopy.exe
PID 768 wrote to memory of 916	768	file.exe	robocopy.exe
PID 768 wrote to memory of 916	768	file.exe	robocopy.exe
PID 768 wrote to memory of 1000	768	file.exe	cmd.exe
PID 768 wrote to memory of 1000	768	file.exe	cmd.exe
PID 768 wrote to memory of 1000	768	file.exe	cmd.exe
PID 768 wrote to memory of 1000	768	file.exe	cmd.exe
PID 1000 wrote to memory of 2008	1000	cmd.exe	cmd.exe
PID 1000 wrote to memory of 2008	1000	cmd.exe	cmd.exe
PID 1000 wrote to memory of 2008	1000	cmd.exe	cmd.exe
PID 1000 wrote to memory of 2008	1000	cmd.exe	cmd.exe
PID 2008 wrote to memory of 2020	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 2020	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 2020	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 2020	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 2032	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 2032	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 2032	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 2032	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 1692	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 1692	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 1692	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 1692	2008	cmd.exe	tasklist.exe
PID 2008 wrote to memory of 1312	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 1312	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 1312	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 1312	2008	cmd.exe	find.exe
PID 2008 wrote to memory of 1476	2008	cmd.exe	findstr.exe
PID 2008 wrote to memory of 1476	2008	cmd.exe	findstr.exe
PID 2008 wrote to memory of 1476	2008	cmd.exe	findstr.exe
PID 2008 wrote to memory of 1476	2008	cmd.exe	findstr.exe
PID 2008 wrote to memory of 832	2008	cmd.exe	Virtual.exe.pif
PID 2008 wrote to memory of 832	2008	cmd.exe	Virtual.exe.pif
PID 2008 wrote to memory of 832	2008	cmd.exe	Virtual.exe.pif
PID 2008 wrote to memory of 832	2008	cmd.exe	Virtual.exe.pif
PID 2008 wrote to memory of 1284	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1284	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1284	2008	cmd.exe	PING.EXE
PID 2008 wrote to memory of 1284	2008	cmd.exe	PING.EXE
PID 1000 wrote to memory of 1752	1000	cmd.exe	PING.EXE
PID 1000 wrote to memory of 1752	1000	cmd.exe	PING.EXE
PID 1000 wrote to memory of 1752	1000	cmd.exe	PING.EXE
PID 1000 wrote to memory of 1752	1000	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Traditional.html & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:2032

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:1312

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fQEttMyCnt$" Dated.html
4⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Virtual.exe.pif p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:832

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:1284

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bills.html
Filesize
1.1MB

MD5
8f8aa7e4918b72b2573c5ae3dcdf191a

SHA1
f7a0b1b044c1c106f1faa946bd16e1a3be2212e5

SHA256
4c715f7c96fc32aee231eb1a92c5a710a0b677975c39ceb7dc3879e7b73183f4

SHA512
19587dd844bf331ac7f058ef96a116a821047f9f3eda90e2ae7cc23ea50c0ad8c6b126f2e03ae7ff53c1397adbed049930ef29e8f7be55f0c6c4383190373761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dated.html
Filesize
924KB

MD5
68078fe11bddfae803b5e36a3c315a00

SHA1
73db45e41a5f460d0a3f2482397a4ee1d70673c4

SHA256
a127d4270b1855e60558e5609f761c3a91924123b5671d19ee06110af5c600e0

SHA512
dcaff8db3c0732c6d14279c4a4881d635ae5288a3fcfe3ed1a5af4c533b8739056fa75950278629e8f5ff6a0eb155b678abbddfcdf16c0ee74b32033e971fa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Traditional.html
Filesize
12KB

MD5
d5fc0ee5abf94f5260ac486659c95f6f

SHA1
d5e51109b60ac95a966a63712ab82027b4c2ce51

SHA256
fcd3ea5066fa825cd86fe234663bc372b47d27c829943f03b6537aa630e61ebf

SHA512
d618269c68816e4bcd50075bcbc3b4b37a18746066d21184cb21b4a323d48cd9413209f667a89879bb122f444db1211673667dda935572951da933b32b56fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/832-69-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/916-54-0x0000000000000000-mapping.dmp

Download
memory/1000-55-0x0000000000000000-mapping.dmp

Download
memory/1284-68-0x0000000000000000-mapping.dmp

Download
memory/1312-61-0x0000000000000000-mapping.dmp

Download
memory/1476-62-0x0000000000000000-mapping.dmp

Download
memory/1692-60-0x0000000000000000-mapping.dmp

Download
memory/1752-70-0x0000000000000000-mapping.dmp

Download
memory/2008-57-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads