9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe
Size

969KB
MD5

0599ca3253f47f56391b864e687bea41
SHA1

6360e75a69c56504cacb8db5e20cf3d350dcfe6f
SHA256

9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782
SHA512

7abe72d12746af263522cb1c34530321c70b62ff4db11b9c77c1cd6df7b2adb1fa55b424d9370fe1fa1896e0c5eca571a470454e98ca3322609757b1348899b6
SSDEEP

24576:SHdnyYRdpKhSi9fLefeIcrYZ11jg+9mFZE2:SHdrRdpKhSi9z5IcI1J8Z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Virtual.exe.pifVirtual.exe.pif

pid process

796 Virtual.exe.pif
3772 Virtual.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Virtual.exe.pif

pid process

796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif

pid	process
796	Virtual.exe.pif
3772	Virtual.exe.pif

pid	process
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Virtual.exe.pif

description pid process target process

PID 796 set thread context of 3772 796 Virtual.exe.pif Virtual.exe.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4200 tasklist.exe
4136 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

440 PING.EXE
3180 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Virtual.exe.pif

pid process

796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif

description	pid	process	target process
PID 796 set thread context of 3772	796	Virtual.exe.pif	Virtual.exe.pif

pid	process
4200	tasklist.exe
4136	tasklist.exe

pid	process
440	PING.EXE
3180	PING.EXE

pid	process
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

robocopy.exetasklist.exetasklist.exe

description	pid	process
Token: SeBackupPrivilege	1792	robocopy.exe
Token: SeRestorePrivilege	1792	robocopy.exe
Token: SeSecurityPrivilege	1792	robocopy.exe
Token: SeTakeOwnershipPrivilege	1792	robocopy.exe
Token: SeDebugPrivilege	4200	tasklist.exe
Token: SeDebugPrivilege	4136	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Virtual.exe.pif

pid process

796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Virtual.exe.pif

pid process

796 Virtual.exe.pif
796 Virtual.exe.pif
796 Virtual.exe.pif

pid	process
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif

pid	process
796	Virtual.exe.pif
796	Virtual.exe.pif
796	Virtual.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.execmd.execmd.exeVirtual.exe.pif

description	pid	process	target process
PID 5012 wrote to memory of 1792	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	robocopy.exe
PID 5012 wrote to memory of 1792	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	robocopy.exe
PID 5012 wrote to memory of 1792	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	robocopy.exe
PID 5012 wrote to memory of 212	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	cmd.exe
PID 5012 wrote to memory of 212	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	cmd.exe
PID 5012 wrote to memory of 212	5012	9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe	cmd.exe
PID 212 wrote to memory of 2696	212	cmd.exe	cmd.exe
PID 212 wrote to memory of 2696	212	cmd.exe	cmd.exe
PID 212 wrote to memory of 2696	212	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4200	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 4200	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 4200	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 1444	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 1444	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 1444	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 4136	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 4136	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 4136	2696	cmd.exe	tasklist.exe
PID 2696 wrote to memory of 1016	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 1016	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 1016	2696	cmd.exe	find.exe
PID 2696 wrote to memory of 1976	2696	cmd.exe	findstr.exe
PID 2696 wrote to memory of 1976	2696	cmd.exe	findstr.exe
PID 2696 wrote to memory of 1976	2696	cmd.exe	findstr.exe
PID 2696 wrote to memory of 796	2696	cmd.exe	Virtual.exe.pif
PID 2696 wrote to memory of 796	2696	cmd.exe	Virtual.exe.pif
PID 2696 wrote to memory of 796	2696	cmd.exe	Virtual.exe.pif
PID 2696 wrote to memory of 440	2696	cmd.exe	PING.EXE
PID 2696 wrote to memory of 440	2696	cmd.exe	PING.EXE
PID 2696 wrote to memory of 440	2696	cmd.exe	PING.EXE
PID 212 wrote to memory of 3180	212	cmd.exe	PING.EXE
PID 212 wrote to memory of 3180	212	cmd.exe	PING.EXE
PID 212 wrote to memory of 3180	212	cmd.exe	PING.EXE
PID 796 wrote to memory of 3772	796	Virtual.exe.pif	Virtual.exe.pif
PID 796 wrote to memory of 3772	796	Virtual.exe.pif	Virtual.exe.pif
PID 796 wrote to memory of 3772	796	Virtual.exe.pif	Virtual.exe.pif
PID 796 wrote to memory of 3772	796	Virtual.exe.pif	Virtual.exe.pif
PID 796 wrote to memory of 3772	796	Virtual.exe.pif	Virtual.exe.pif

C:\Users\Admin\AppData\Local\Temp\9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe
"C:\Users\Admin\AppData\Local\Temp\9b4f7d0163558187ebe95edd5cdfd86adf987e35327f37548bb6712ad3f7d782.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Traditional.html & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:1444

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:1016

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fQEttMyCnt$" Dated.html
4⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Virtual.exe.pif p
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
5⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:440

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUmekvyWoIsUO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bills.html
Filesize
1.1MB

MD5
8f8aa7e4918b72b2573c5ae3dcdf191a

SHA1
f7a0b1b044c1c106f1faa946bd16e1a3be2212e5

SHA256
4c715f7c96fc32aee231eb1a92c5a710a0b677975c39ceb7dc3879e7b73183f4

SHA512
19587dd844bf331ac7f058ef96a116a821047f9f3eda90e2ae7cc23ea50c0ad8c6b126f2e03ae7ff53c1397adbed049930ef29e8f7be55f0c6c4383190373761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dated.html
Filesize
924KB

MD5
68078fe11bddfae803b5e36a3c315a00

SHA1
73db45e41a5f460d0a3f2482397a4ee1d70673c4

SHA256
a127d4270b1855e60558e5609f761c3a91924123b5671d19ee06110af5c600e0

SHA512
dcaff8db3c0732c6d14279c4a4881d635ae5288a3fcfe3ed1a5af4c533b8739056fa75950278629e8f5ff6a0eb155b678abbddfcdf16c0ee74b32033e971fa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Traditional.html
Filesize
12KB

MD5
d5fc0ee5abf94f5260ac486659c95f6f

SHA1
d5e51109b60ac95a966a63712ab82027b4c2ce51

SHA256
fcd3ea5066fa825cd86fe234663bc372b47d27c829943f03b6537aa630e61ebf

SHA512
d618269c68816e4bcd50075bcbc3b4b37a18746066d21184cb21b4a323d48cd9413209f667a89879bb122f444db1211673667dda935572951da933b32b56fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Virtual.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/212-133-0x0000000000000000-mapping.dmp

Download
memory/440-145-0x0000000000000000-mapping.dmp

Download
memory/796-143-0x0000000000000000-mapping.dmp

Download
memory/1016-139-0x0000000000000000-mapping.dmp

Download
memory/1444-137-0x0000000000000000-mapping.dmp

Download
memory/1792-132-0x0000000000000000-mapping.dmp

Download
memory/1976-140-0x0000000000000000-mapping.dmp

Download
memory/2696-135-0x0000000000000000-mapping.dmp

Download
memory/3180-146-0x0000000000000000-mapping.dmp

Download
memory/3772-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-148-0x0000000000000000-mapping.dmp

Download
memory/3772-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-160-0x0000000000D60000-0x0000000000D69000-memory.dmp

Filesize
36KB

Download
memory/3772-161-0x0000000000D90000-0x0000000000D9D000-memory.dmp

Filesize
52KB

Download
memory/4136-138-0x0000000000000000-mapping.dmp

Download
memory/4200-136-0x0000000000000000-mapping.dmp

Download