Analysis

max time kernel: 123s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-09-2022 17:57
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20220901-en; this is the run shown on this page)
General

Target: file.exe
Size: 969KB
MD5: 0599ca3253f47f56391b864e687bea41
SHA1: 6360e75a69c56504cacb8db5e20cf3d350dcfe6f
SHA256: 9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782
SHA512: 7abe72d12746af263522cb1c34530321c70b62ff4db11b9c77c1cd6df7b2adb1fa55b424d9370fe1fa1896e0c5eca571a470454e98ca3322609757b1348899b6
SSDEEP: 24576:SHdnyYRdpKhSi9fLefeIcrYZ11jg+9mFZE2:SHdrRdpKhSi9z5IcI1J8Z
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   process
  2340  Virtual.exe.pif
  2432  Virtual.exe.pif

Loads dropped DLL (6 IoCs)
  pid   process
  2340  Virtual.exe.pif  (6 load events; the only DLL in the Downloads list is IXP000.TMP\BUmekvyWoIsUO.dll, which also appears there six times)

Adds Run key to start application (2 TTPs, 2 IoCs)
  process   description      ioc
  file.exe  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  file.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Note: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory is the cleanup entry written by the Windows wextract (IExpress) self-extractor so that its extraction directory is removed at the next logon. It identifies file.exe as a wextract package; it is not a persistence mechanism for the payload, so do not read this signature as the sample establishing autostart.

Suspicious use of SetThreadContext (1 IoC)
  pid   process          target pid  target process
  2340  Virtual.exe.pif  2432        Virtual.exe.pif
  Note: a process spawning a second copy of its own image and then setting that child's thread context, combined with the 0x400000-0x441000 image-region dumps taken from pid 2432 (memory dumps at the end of this page), is the pattern of a hollowed or injected child. The sandbox does not identify what was injected, so treat this as an indicator to pull the 2432 dump for, not as a verdict.

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   process
  4484  tasklist.exe
  3124  tasklist.exe

Runs ping.exe (1 TTP, 2 IoCs)
  pids 4940 and 4936 (PING.EXE; see the process tree below)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  2340  Virtual.exe.pif  (6 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  pid   process       token
  320   robocopy.exe  SeBackupPrivilege
  320   robocopy.exe  SeRestorePrivilege
  320   robocopy.exe  SeSecurityPrivilege
  320   robocopy.exe  SeTakeOwnershipPrivilege
  4484  tasklist.exe  SeDebugPrivilege
  3124  tasklist.exe  SeDebugPrivilege
  Note: robocopy enables its backup/restore privileges and tasklist enables SeDebugPrivilege as part of their own startup; robocopy is only invoked here as "robocopy /?" (see the process tree), so these rows are the built-in tools' normal behaviour rather than privilege manipulation by the sample.

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  2340  Virtual.exe.pif  (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process
  2340  Virtual.exe.pif  (3 events)

Suspicious use of WriteProcessMemory (38 IoCs)
  One row per parent->child pair; the sandbox logs each write separately, and in this run every ordinary child creation appears three times while the injected child of 2340 appears five times (11 x 3 + 5 = 38).
  pid   process          target pid  target process   writes
  3028  file.exe         320         robocopy.exe     3
  3028  file.exe         4412        cmd.exe          3
  4412  cmd.exe          3832        cmd.exe          3
  3832  cmd.exe          4484        tasklist.exe     3
  3832  cmd.exe          2292        find.exe         3
  3832  cmd.exe          3124        tasklist.exe     3
  3832  cmd.exe          1264        find.exe         3
  3832  cmd.exe          3572        findstr.exe      3
  3832  cmd.exe          2340        Virtual.exe.pif  3
  3832  cmd.exe          4940        PING.EXE         3
  4412  cmd.exe          4936        PING.EXE         3
  2340  Virtual.exe.pif  2432        Virtual.exe.pif  5
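The WriteProcessMemory list is the only place in a report like this that ties every pid to its parent, but it arrives as one run-on string with each pair repeated. The script below is an added example (not part of the sandbox output) that parses that format back into a deduplicated parent/child tree with write counts, so the 5-write edge into the hollowed child stands out from the routine 3-write process creations. The input is an excerpt of the rows above, embedded as a constructed string; the regex assumes the sandbox's "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>" layout.

```python
"""Rebuild the process tree from a flattened WriteProcessMemory signature (added example)."""
import re
from collections import Counter, defaultdict

# Excerpt of the report's WriteProcessMemory rows, constructed as one run-on string
# exactly as the page presents it (one entry per write, so pairs repeat).
REPORT_TEXT = (
    "PID 3028 wrote to memory of 320 3028 file.exe robocopy.exe "
    "PID 3028 wrote to memory of 320 3028 file.exe robocopy.exe "
    "PID 3028 wrote to memory of 320 3028 file.exe robocopy.exe "
    "PID 3028 wrote to memory of 4412 3028 file.exe cmd.exe "
    "PID 3028 wrote to memory of 4412 3028 file.exe cmd.exe "
    "PID 3028 wrote to memory of 4412 3028 file.exe cmd.exe "
    "PID 4412 wrote to memory of 3832 4412 cmd.exe cmd.exe "
    "PID 4412 wrote to memory of 3832 4412 cmd.exe cmd.exe "
    "PID 4412 wrote to memory of 3832 4412 cmd.exe cmd.exe "
    "PID 3832 wrote to memory of 2340 3832 cmd.exe Virtual.exe.pif "
    "PID 3832 wrote to memory of 2340 3832 cmd.exe Virtual.exe.pif "
    "PID 3832 wrote to memory of 2340 3832 cmd.exe Virtual.exe.pif "
    "PID 2340 wrote to memory of 2432 2340 Virtual.exe.pif Virtual.exe.pif "
    "PID 2340 wrote to memory of 2432 2340 Virtual.exe.pif Virtual.exe.pif "
    "PID 2340 wrote to memory of 2432 2340 Virtual.exe.pif Virtual.exe.pif "
    "PID 2340 wrote to memory of 2432 2340 Virtual.exe.pif Virtual.exe.pif "
    "PID 2340 wrote to memory of 2432 2340 Virtual.exe.pif Virtual.exe.pif"
)

# \1 forces the repeated parent pid to match, which rejects rows damaged by extraction.
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Return Counter{(ppid, parent_image, cpid, child_image): number of writes}."""
    edges = Counter()
    for m in ENTRY.finditer(text):
        ppid, cpid, pimage, cimage = m.groups()
        edges[(int(ppid), pimage, int(cpid), cimage)] += 1
    return edges


def build_tree(edges):
    """Map ppid -> [(cpid, child_image, writes)] and pid -> image name."""
    children, image = defaultdict(list), {}
    for (ppid, pimage, cpid, cimage), n in edges.items():
        children[ppid].append((cpid, cimage, n))
        image.setdefault(ppid, pimage)
        image[cpid] = cimage
    return children, image


def roots(edges):
    """Pids that write to others but are never written to: the tree roots."""
    return sorted({e[0] for e in edges} - {e[2] for e in edges})


def render(children, image, pid, depth=0, writes=None, out=None):
    """Indented one-line-per-process view, each child annotated with its write count."""
    out = [] if out is None else out
    label = f"{'  ' * depth}{image[pid]} (pid {pid})"
    if writes is not None:
        label += f"  [{writes} writes from parent]"
    out.append(label)
    for cpid, _, n in sorted(children.get(pid, [])):
        render(children, image, cpid, depth + 1, n, out)
    return out


if __name__ == "__main__":
    edges = parse_edges(REPORT_TEXT)
    children, image = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, image, root)))
```

Feeding the full 38-row string from the report through parse_edges gives twelve unique edges; anything with a write count other than 3 is the edge to look at first.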
Processes (indentation shows depth in the tree; pids are taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\file.exe   pid 3028
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\robocopy.exe   pid 320
    cmdline: robocopy /?
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe   pid 4412
    cmdline: cmd /c cmd < Traditional.html & ping -n 5 localhost
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe   pid 3832
      cmdline: cmd   (reads its commands from Traditional.html on stdin, so the 12KB Traditional.html in IXP000.TMP is the batch script that drives every child below)
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe   pid 4484
        cmdline: tasklist /FI "imagename eq AvastUI.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\find.exe   pid 2292
        cmdline: find /I /N "avastui.exe"

      C:\Windows\SysWOW64\tasklist.exe   pid 3124
        cmdline: tasklist /FI "imagename eq AVGUI.exe"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\find.exe   pid 1264
        cmdline: find /I /N "avgui.exe"

      C:\Windows\SysWOW64\findstr.exe   pid 3572
        cmdline: findstr /V /R "^fQEttMyCnt$" Dated.html

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif   pid 2340
        cmdline: Virtual.exe.pif p
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif   pid 2432
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
          - Executes dropped EXE

      C:\Windows\SysWOW64\PING.EXE   pid 4940
        cmdline: ping localhost -n 5
        - Runs ping.exe

    C:\Windows\SysWOW64\PING.EXE   pid 4936
      cmdline: ping -n 5 localhost
      - Runs ping.exe

Reading the tree: the tasklist/find pairs test whether the Avast or AVG UI process is running (what the script does on a hit is not visible in this run). findstr /V /R "^fQEttMyCnt$" prints every line of Dated.html except those consisting solely of the junk marker; with Dated.html and Virtual.exe.pif both at 924KB this is consistent with Virtual.exe.pif being carved out of Dated.html, although the redirected output file is not shown. "ping -n 5 localhost" is the usual batch-file sleep (roughly four seconds), used once inside the script and once after it. The "p" argument passed to Virtual.exe.pif is not explained by anything on this page.
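Every stage of the chain above is a signed Windows binary with an odd command line, which is what a detection has to key on. The following is an added example (not sandbox or vendor code) of process-creation rules for this chain run over events constructed from the tree: cmd taking its script from a redirected non-batch file, tasklist filtered on an AV image name, findstr /V /R used as a line filter on a carrier file, a .pif launched from a wextract IXP00x.TMP directory, and ping -n N localhost as a sleep. It also includes a small emulation of the findstr /V filter for carving a carrier file offline. The AV name list, the event field names and the three-tag threshold are assumptions chosen for this example; the carrier bytes used to test the filter are constructed.

```python
"""Tag the loader chain from this report's process tree (added example; not sandbox code)."""
import re
from collections import defaultdict

# Image names the script probes with tasklist; assumption: a short list built from this report.
AV_PROCESS_NAMES = {"avastui.exe", "avgui.exe"}

RULES = {
    # cmd reading its script from a redirected file, e.g.  cmd < Traditional.html
    "cmd_stdin_script": re.compile(r'\bcmd(?:\.exe)?\b[^&|]*\s<\s*"?([^\s"&|<>]+)', re.I),
    # tasklist filtered on one image name, e.g.  tasklist /FI "imagename eq AvastUI.exe"
    "tasklist_imagename": re.compile(r'\btasklist\b.*?/FI\s+"?imagename\s+eq\s+([^"\s]+)', re.I),
    # findstr /V /R "^marker$" carrier : drops marker-only lines from a carrier file
    "findstr_line_strip": re.compile(r'\bfindstr\b(?=.*\s/V\b)(?=.*\s/R\b).*"\^[^"]+\$"\s+"?([^\s"]+)', re.I),
    # ping -n N localhost (either argument order) used as a sleep primitive
    "ping_sleep": re.compile(r'\bping(?:\.exe)?\b(?=.*\s-n\s+\d+)(?=.*\b(?:localhost|127\.0\.0\.1)\b)', re.I),
}
# a .pif executed out of a wextract extraction directory (IXP000.TMP, IXP001.TMP, ...)
WEXTRACT_PIF = re.compile(r"\\IXP\d{3}\.TMP\\[^\\]+\.pif$", re.I)


def tag_event(ev):
    """Return the set of rule names that fire on one process-creation event."""
    tags = set()
    for name, rx in RULES.items():
        m = rx.search(ev["cmdline"])
        if not m:
            continue
        if name == "tasklist_imagename":
            if m.group(1).lower() in AV_PROCESS_NAMES:
                tags.add("av_discovery")
        else:
            tags.add(name)
    if WEXTRACT_PIF.search(ev["image"]):
        tags.add("pif_from_wextract_tmp")
    return tags


def assess(events, root_pid, threshold=3):
    """Union the tags over root_pid and all its descendants; flag when enough distinct rules fire."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    tags, stack, seen = set(), [root_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for ev in events:
            if ev["pid"] == pid:
                tags |= tag_event(ev)
        stack.extend(child["pid"] for child in by_parent[pid])
    return tags, len(tags) >= threshold


def strip_marker_lines(data, marker):
    """Approximate `findstr /V /R "^marker$" file`: keep every line that is not exactly the marker.
    findstr is not a byte-exact filter (it has its own line-handling quirks), so use this as a
    triage aid and compare the result's hash against the dropped file before trusting it."""
    return b"".join(line for line in data.splitlines(keepends=True)
                    if line.rstrip(b"\r\n") != marker)


# Constructed events mirroring the report's process tree (ppid None = parent not recorded).
SAMPLE_EVENTS = [
    {"pid": 3028, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 4412, "ppid": 3028, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd /c cmd < Traditional.html & ping -n 5 localhost"},
    {"pid": 3832, "ppid": 4412, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd"},
    {"pid": 4484, "ppid": 3832, "image": r"C:\Windows\SysWOW64\tasklist.exe",
     "cmdline": 'tasklist /FI "imagename eq AvastUI.exe"'},
    {"pid": 3572, "ppid": 3832, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V /R "^fQEttMyCnt$" Dated.html'},
    {"pid": 2340, "ppid": 3832, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif",
     "cmdline": "Virtual.exe.pif p"},
    {"pid": 4940, "ppid": 3832, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping localhost -n 5"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], sorted(tag_event(ev)))
    print(assess(SAMPLE_EVENTS, 3028))
```

Each rule on its own is noisy (admins redirect input into cmd, and ping localhost sleeps appear in legitimate batch files); the value is in assess() requiring several of them under one ancestor, which is how the tree on this page reads to an analyst.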
Downloads (dropped files, one entry per file)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
  Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bills.html
  Filesize: 1.1MB
  MD5: 8f8aa7e4918b72b2573c5ae3dcdf191a
  SHA1: f7a0b1b044c1c106f1faa946bd16e1a3be2212e5
  SHA256: 4c715f7c96fc32aee231eb1a92c5a710a0b677975c39ceb7dc3879e7b73183f4
  SHA512: 19587dd844bf331ac7f058ef96a116a821047f9f3eda90e2ae7cc23ea50c0ad8c6b126f2e03ae7ff53c1397adbed049930ef29e8f7be55f0c6c4383190373761

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dated.html
  Filesize: 924KB
  MD5: 68078fe11bddfae803b5e36a3c315a00
  SHA1: 73db45e41a5f460d0a3f2482397a4ee1d70673c4
  SHA256: a127d4270b1855e60558e5609f761c3a91924123b5671d19ee06110af5c600e0
  SHA512: dcaff8db3c0732c6d14279c4a4881d635ae5288a3fcfe3ed1a5af4c533b8739056fa75950278629e8f5ff6a0eb155b678abbddfcdf16c0ee74b32033e971fa51

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Traditional.html
  Filesize: 12KB
  MD5: d5fc0ee5abf94f5260ac486659c95f6f
  SHA1: d5e51109b60ac95a966a63712ab82027b4c2ce51
  SHA256: fcd3ea5066fa825cd86fe234663bc372b47d27c829943f03b6537aa630e61ebf
  SHA512: d618269c68816e4bcd50075bcbc3b4b37a18746066d21184cb21b4a323d48cd9413209f667a89879bb122f444db1211673667dda935572951da933b32b56fdbf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
  Filesize: 924KB
  MD5: 6987e4cd3f256462f422326a7ef115b9
  SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Note: of the four .html files, only Traditional.html (the stdin script) and Dated.html (the findstr input) appear on a command line; Bills.html and BUmekvyWoIsUO.dll are only referenced through the "Loads dropped DLL" signature and the process tree gives no further detail on how they are used.
Memory dumps

pid   dump                                                             region                                   size
320   memory/320-132-0x0000000000000000-mapping.dmp                    mapping
1264  memory/1264-139-0x0000000000000000-mapping.dmp                   mapping
2292  memory/2292-137-0x0000000000000000-mapping.dmp                   mapping
2340  memory/2340-143-0x0000000000000000-mapping.dmp                   mapping
2432  memory/2432-148-0x0000000000000000-mapping.dmp                   mapping
2432  memory/2432-153-0x0000000000400000-0x0000000000441000-memory.dmp  0x0000000000400000-0x0000000000441000   260KB
2432  memory/2432-158-0x0000000000400000-0x0000000000441000-memory.dmp  0x0000000000400000-0x0000000000441000   260KB
2432  memory/2432-159-0x0000000000400000-0x0000000000441000-memory.dmp  0x0000000000400000-0x0000000000441000   260KB
2432  memory/2432-160-0x0000000000FD0000-0x0000000000FD9000-memory.dmp  0x0000000000FD0000-0x0000000000FD9000   36KB
2432  memory/2432-161-0x0000000001000000-0x000000000100D000-memory.dmp  0x0000000001000000-0x000000000100D000   52KB
3124  memory/3124-138-0x0000000000000000-mapping.dmp                   mapping
3572  memory/3572-140-0x0000000000000000-mapping.dmp                   mapping
3832  memory/3832-135-0x0000000000000000-mapping.dmp                   mapping
4412  memory/4412-133-0x0000000000000000-mapping.dmp                   mapping
4484  memory/4484-136-0x0000000000000000-mapping.dmp                   mapping
4936  memory/4936-146-0x0000000000000000-mapping.dmp                   mapping
4940  memory/4940-145-0x0000000000000000-mapping.dmp                   mapping

Note: pid 2432 (the SetThreadContext target) is the only process with image-region dumps. A 260KB region at 0x400000, the default image base of a 32-bit executable, inside a process whose on-disk image (Virtual.exe.pif) is 924KB is consistent with a different, smaller PE having been mapped into the child; the three 0x400000-0x441000 dumps are the ones to carve and compare against the dropped files' hashes.