74f81488637d5ab5ff32aa75dec6c9fc0995abd76d1ff80bd93a0a20b995271f

Analysis

max time kernel
141s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 05:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1024KB
MD5

7ca925cfbb7fbdf1bfec8669f2187eaf
SHA1

f19ab3424d46842e494cd73ade54be773a9c4a1d
SHA256

74f81488637d5ab5ff32aa75dec6c9fc0995abd76d1ff80bd93a0a20b995271f
SHA512

dfb9c20bb2d882e8ca661ce78a76903d527f7e3a35d2dbd725f28b04e5f7b4d412a050ba562165cec593ccfa06fec2a8d013f60abceb2e31270457e4e249e159
SSDEEP

24576:zymtT27bMup0ty9+8vCHkKURkd2dk9brsfA/fSylSUdQ:GyS0qcXJrsfA3S

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3764	Respect.exe.pif
1688	Respect.exe.pif

Loads dropped DLL 6 IoCs

pid	Process
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 1688	3764	Respect.exe.pif	103

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1984	tasklist.exe
4072	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3564	PING.EXE
840	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2200	robocopy.exe
Token: SeRestorePrivilege	2200	robocopy.exe
Token: SeSecurityPrivilege	2200	robocopy.exe
Token: SeTakeOwnershipPrivilege	2200	robocopy.exe
Token: SeDebugPrivilege	1984	tasklist.exe
Token: SeDebugPrivilege	4072	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif
3764	Respect.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2200	4840	file.exe	81
PID 4840 wrote to memory of 2200	4840	file.exe	81
PID 4840 wrote to memory of 2200	4840	file.exe	81
PID 4840 wrote to memory of 3100	4840	file.exe	83
PID 4840 wrote to memory of 3100	4840	file.exe	83
PID 4840 wrote to memory of 3100	4840	file.exe	83
PID 3100 wrote to memory of 4532	3100	cmd.exe	85
PID 3100 wrote to memory of 4532	3100	cmd.exe	85
PID 3100 wrote to memory of 4532	3100	cmd.exe	85
PID 4532 wrote to memory of 1984	4532	cmd.exe	86
PID 4532 wrote to memory of 1984	4532	cmd.exe	86
PID 4532 wrote to memory of 1984	4532	cmd.exe	86
PID 4532 wrote to memory of 3848	4532	cmd.exe	87
PID 4532 wrote to memory of 3848	4532	cmd.exe	87
PID 4532 wrote to memory of 3848	4532	cmd.exe	87
PID 4532 wrote to memory of 4072	4532	cmd.exe	89
PID 4532 wrote to memory of 4072	4532	cmd.exe	89
PID 4532 wrote to memory of 4072	4532	cmd.exe	89
PID 4532 wrote to memory of 216	4532	cmd.exe	90
PID 4532 wrote to memory of 216	4532	cmd.exe	90
PID 4532 wrote to memory of 216	4532	cmd.exe	90
PID 4532 wrote to memory of 4280	4532	cmd.exe	93
PID 4532 wrote to memory of 4280	4532	cmd.exe	93
PID 4532 wrote to memory of 4280	4532	cmd.exe	93
PID 4532 wrote to memory of 3764	4532	cmd.exe	94
PID 4532 wrote to memory of 3764	4532	cmd.exe	94
PID 4532 wrote to memory of 3764	4532	cmd.exe	94
PID 4532 wrote to memory of 3564	4532	cmd.exe	95
PID 4532 wrote to memory of 3564	4532	cmd.exe	95
PID 4532 wrote to memory of 3564	4532	cmd.exe	95
PID 3100 wrote to memory of 840	3100	cmd.exe	97
PID 3100 wrote to memory of 840	3100	cmd.exe	97
PID 3100 wrote to memory of 840	3100	cmd.exe	97
PID 3764 wrote to memory of 1688	3764	Respect.exe.pif	103
PID 3764 wrote to memory of 1688	3764	Respect.exe.pif	103
PID 3764 wrote to memory of 1688	3764	Respect.exe.pif	103
PID 3764 wrote to memory of 1688	3764	Respect.exe.pif	103
PID 3764 wrote to memory of 1688	3764	Respect.exe.pif	103

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\robocopy.exe
  robocopy /?
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Organisations.jpg & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4072
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      PID:216
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^rCLEJGCiZAx$" Member.jpg
      4⤵
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif
      Respect.exe.pif z
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif
        5⤵
        Executes dropped EXE
        
        PID:1688
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      Runs ping.exe
      PID:3564
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Least.jpg

Filesize
1.0MB

MD5
03f808c39bf62f2a6b9abec8a4fe0a82

SHA1
ff28cc35b45e0eb7341855882e145d9e05291e9e

SHA256
617648709852d255c111c5f2fb07210634b121fdcb918cbda347f18eb0ee12ac

SHA512
699fb696971b70737ac678ea95a90b8b8d66664fbbdd94dac0f533468ad7b6f51a44485c1628f52d3eb50f71f48e30ab383382bb7c64dfb2ff71889999758132

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Member.jpg

Filesize
924KB

MD5
6f8ba0fb285f541d1a77dcf07480b82a

SHA1
9c79bf9d1ec190222e48668185a5d8dd180453f7

SHA256
46bebc12ec65133c022c6ee862abd2757f64fd6b6b38b8b8fbf32b5fe2fa7ed3

SHA512
3059bc29512c9f944261fd573c06642ab887d7b43022ab23a98906a8deb31e67d6beb2d6e8de4d344f77224e015e0a00f00cc655d9d29c2705d774c999d9612e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Organisations.jpg

Filesize
11KB

MD5
8c0c041c107dbedd83dd2fc002c7d9d6

SHA1
90b0e6f536705ff73f07937dc2ac89ecc407cbaf

SHA256
f2200e20650a60edf30175c49e0f4b21fefb4cd1f851660c8d19e6f9613e21e7

SHA512
f35ed7a2c22a193271a61befb8449cc092608789aa9125cc9508735d57aad0d8e50a422a01064cac68ac759b2d1d998206cb58d9d6b1ec27d6a0351b1a295f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respect.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fzoHXF.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1688-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-161-0x0000000000F00000-0x0000000000F0D000-memory.dmp

Filesize
52KB

Download
memory/1688-160-0x0000000000C80000-0x0000000000C89000-memory.dmp

Filesize
36KB

Download
memory/1688-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1688-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download