c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23

Analysis

max time kernel
38s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-09-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Size

1.3MB
MD5

e87958faafc944de105df5d77166543f
SHA1

a6624993a89299038e5cda27b48f77313d02dfd5
SHA256

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
SHA512

56b886f4e9dcf9629242b07e46c6619d7f7ed716c9738438c4973f1c951ff5da0be51babb7d6b49f7f1555a4810c3974d9fd6a3d591992d91b9f78f32413836f
SSDEEP

24576:+yIOTaHGeTylZra0y3uZIy+o87vbvLBq97N/3KjLOTR8:N3aHGeu7Py+Bf87TvLA97JsD

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1764 created 1356	1764	Secure.exe.pif	16

Executes dropped EXE 1 IoCs

pid	Process
1764	Secure.exe.pif

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1528	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
940	tasklist.exe
832	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1464	PING.EXE
1980	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1764	Secure.exe.pif
1764	Secure.exe.pif
1764	Secure.exe.pif
1764	Secure.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	1812	robocopy.exe
Token: SeRestorePrivilege	1812	robocopy.exe
Token: SeSecurityPrivilege	1812	robocopy.exe
Token: SeTakeOwnershipPrivilege	1812	robocopy.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	832	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1764	Secure.exe.pif
1764	Secure.exe.pif
1764	Secure.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1764	Secure.exe.pif
1764	Secure.exe.pif
1764	Secure.exe.pif

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1812	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	26
PID 1612 wrote to memory of 1812	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	26
PID 1612 wrote to memory of 1812	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	26
PID 1612 wrote to memory of 1812	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	26
PID 1612 wrote to memory of 1860	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	28
PID 1612 wrote to memory of 1860	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	28
PID 1612 wrote to memory of 1860	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	28
PID 1612 wrote to memory of 1860	1612	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	28
PID 1860 wrote to memory of 1528	1860	cmd.exe	30
PID 1860 wrote to memory of 1528	1860	cmd.exe	30
PID 1860 wrote to memory of 1528	1860	cmd.exe	30
PID 1860 wrote to memory of 1528	1860	cmd.exe	30
PID 1528 wrote to memory of 940	1528	cmd.exe	31
PID 1528 wrote to memory of 940	1528	cmd.exe	31
PID 1528 wrote to memory of 940	1528	cmd.exe	31
PID 1528 wrote to memory of 940	1528	cmd.exe	31
PID 1528 wrote to memory of 240	1528	cmd.exe	32
PID 1528 wrote to memory of 240	1528	cmd.exe	32
PID 1528 wrote to memory of 240	1528	cmd.exe	32
PID 1528 wrote to memory of 240	1528	cmd.exe	32
PID 1528 wrote to memory of 832	1528	cmd.exe	34
PID 1528 wrote to memory of 832	1528	cmd.exe	34
PID 1528 wrote to memory of 832	1528	cmd.exe	34
PID 1528 wrote to memory of 832	1528	cmd.exe	34
PID 1528 wrote to memory of 2004	1528	cmd.exe	35
PID 1528 wrote to memory of 2004	1528	cmd.exe	35
PID 1528 wrote to memory of 2004	1528	cmd.exe	35
PID 1528 wrote to memory of 2004	1528	cmd.exe	35
PID 1528 wrote to memory of 1784	1528	cmd.exe	36
PID 1528 wrote to memory of 1784	1528	cmd.exe	36
PID 1528 wrote to memory of 1784	1528	cmd.exe	36
PID 1528 wrote to memory of 1784	1528	cmd.exe	36
PID 1528 wrote to memory of 1764	1528	cmd.exe	37
PID 1528 wrote to memory of 1764	1528	cmd.exe	37
PID 1528 wrote to memory of 1764	1528	cmd.exe	37
PID 1528 wrote to memory of 1764	1528	cmd.exe	37
PID 1528 wrote to memory of 1464	1528	cmd.exe	38
PID 1528 wrote to memory of 1464	1528	cmd.exe	38
PID 1528 wrote to memory of 1464	1528	cmd.exe	38
PID 1528 wrote to memory of 1464	1528	cmd.exe	38
PID 1764 wrote to memory of 1604	1764	Secure.exe.pif	39
PID 1764 wrote to memory of 1604	1764	Secure.exe.pif	39
PID 1764 wrote to memory of 1604	1764	Secure.exe.pif	39
PID 1764 wrote to memory of 1604	1764	Secure.exe.pif	39
PID 1860 wrote to memory of 1980	1860	cmd.exe	41
PID 1860 wrote to memory of 1980	1860	cmd.exe	41
PID 1860 wrote to memory of 1980	1860	cmd.exe	41
PID 1860 wrote to memory of 1980	1860	cmd.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
  "C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\robocopy.exe
    robocopy 8927387376487263745672673846276374982938486273568279384982384972834
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Fold.xltm & ping -n 5 localhost
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq AvastUI.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "avastui.exe"
        5⤵
        
        PID:240
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq AVGUI.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "avgui.exe"
        5⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^fnEMjhsMHNjDK$" Moments.xltm
        5⤵
        
        PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
        
        Secure.exe.pif v
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1764
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 5
        5⤵
        Runs ping.exe
        
        PID:1464
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\CXKBMOwtux\xjofqU.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url"
  2⤵
  - Drops startup file
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fold.xltm

Filesize
11KB

MD5
90d8f5e3ac6018518f62e956d2880e7b

SHA1
0c990d51199f360b1b92b2ecf59e2fcbf271370d

SHA256
2d94baac5ea323a4c8e5b85086b3d633bc0665cf519b9125e54d21f23bdca29a

SHA512
6cec14f3814fe2663fdac8018c96e751f7e3dcb0352e675965a5ea608f50f48674cc271875ae1ac3a4bf7a29dbdab7447afc7c9f8dc718869b7f2f0a21678593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Moments.xltm

Filesize
924KB

MD5
fdeac3f6ababd1a476ea5439e32c1644

SHA1
567d87f642781f6928652cd7a84e08b490a3d8ba

SHA256
9c1c55b4be77c21d1d1cf7976c4db12f7cb7da9651da5acb8fdaebdc2496d824

SHA512
5098d26edef958b6e5428dcd83240096012449534a9cf7d35d4cf90beb1770ec729744045c10cf245dc3ea18186790032d879a899399193ddaf009b956f5539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zambia.xltm

Filesize
1.6MB

MD5
4cc5098b13c4399f6ff959497462f327

SHA1
676d5607891bad100eda09913e239b0b0a0024b8

SHA256
621e7010c0c2e6b361cb3c2e8cce4c514c91f2fe62e211e1f0992f796bef114f

SHA512
614ca78a7aaecc9bb823e644a9f581b9ee95a27023c117ad07d7479bcc7782295146ad4309fddfb159e72181b95dfb325a3162b75a12d181c9f7539e00fe3b20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/1764-69-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download