d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960

Analysis

max time kernel
117s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

82bafdf75a03a4d6721fa6a81738713a
SHA1

007a61c81937a2a1213c2cffa5147b595e86cc36
SHA256

d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960
SHA512

2aa5f70dbe26020ad6ee09d2e939e4468e4a03168f21ace45c445fe69eb728809009081c8cace5c30df72a83ed7db601936a0ec6a4b87befd84df4f33eaca3fc
SSDEEP

24576:hyL8b4owu2oJBsjxeuyYUwoNue0CqZTIl:UCHcVUVu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4556	Quite.exe.pif
1408	Quite.exe.pif

Loads dropped DLL 6 IoCs

pid	Process
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 1408	4556	Quite.exe.pif	94

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
556	tasklist.exe
5024	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1760	PING.EXE
1556	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	4992	robocopy.exe
Token: SeRestorePrivilege	4992	robocopy.exe
Token: SeSecurityPrivilege	4992	robocopy.exe
Token: SeTakeOwnershipPrivilege	4992	robocopy.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeDebugPrivilege	5024	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4556	Quite.exe.pif
4556	Quite.exe.pif
4556	Quite.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 4992	1252	file.exe	80
PID 1252 wrote to memory of 4992	1252	file.exe	80
PID 1252 wrote to memory of 4992	1252	file.exe	80
PID 1252 wrote to memory of 4120	1252	file.exe	82
PID 1252 wrote to memory of 4120	1252	file.exe	82
PID 1252 wrote to memory of 4120	1252	file.exe	82
PID 4120 wrote to memory of 1436	4120	cmd.exe	84
PID 4120 wrote to memory of 1436	4120	cmd.exe	84
PID 4120 wrote to memory of 1436	4120	cmd.exe	84
PID 1436 wrote to memory of 556	1436	cmd.exe	85
PID 1436 wrote to memory of 556	1436	cmd.exe	85
PID 1436 wrote to memory of 556	1436	cmd.exe	85
PID 1436 wrote to memory of 3832	1436	cmd.exe	86
PID 1436 wrote to memory of 3832	1436	cmd.exe	86
PID 1436 wrote to memory of 3832	1436	cmd.exe	86
PID 1436 wrote to memory of 5024	1436	cmd.exe	87
PID 1436 wrote to memory of 5024	1436	cmd.exe	87
PID 1436 wrote to memory of 5024	1436	cmd.exe	87
PID 1436 wrote to memory of 2372	1436	cmd.exe	88
PID 1436 wrote to memory of 2372	1436	cmd.exe	88
PID 1436 wrote to memory of 2372	1436	cmd.exe	88
PID 1436 wrote to memory of 2324	1436	cmd.exe	89
PID 1436 wrote to memory of 2324	1436	cmd.exe	89
PID 1436 wrote to memory of 2324	1436	cmd.exe	89
PID 1436 wrote to memory of 4556	1436	cmd.exe	90
PID 1436 wrote to memory of 4556	1436	cmd.exe	90
PID 1436 wrote to memory of 4556	1436	cmd.exe	90
PID 1436 wrote to memory of 1760	1436	cmd.exe	91
PID 1436 wrote to memory of 1760	1436	cmd.exe	91
PID 1436 wrote to memory of 1760	1436	cmd.exe	91
PID 4120 wrote to memory of 1556	4120	cmd.exe	92
PID 4120 wrote to memory of 1556	4120	cmd.exe	92
PID 4120 wrote to memory of 1556	4120	cmd.exe	92
PID 4556 wrote to memory of 1408	4556	Quite.exe.pif	94
PID 4556 wrote to memory of 1408	4556	Quite.exe.pif	94
PID 4556 wrote to memory of 1408	4556	Quite.exe.pif	94
PID 4556 wrote to memory of 1408	4556	Quite.exe.pif	94
PID 4556 wrote to memory of 1408	4556	Quite.exe.pif	94

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\robocopy.exe
  robocopy 8927387376487263745672673846276374982938486273568279384982384972834
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Provide.accdt & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5024
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^NpDypcc$" Corner.accdt
      4⤵
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
      Quite.exe.pif r
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
        5⤵
        Executes dropped EXE
        
        PID:1408
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      Runs ping.exe
      PID:1760
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Corner.accdt

Filesize
924KB

MD5
6382237b9a2acb5e9561a528bf320cb1

SHA1
6f4f8f15083d33b6bd4420fedb5c1dfa88bd29e4

SHA256
0c188fb29ea7e3c5f7dca9e36510daa23842a05d62ce939aae533637987c23b6

SHA512
788c58c2079ed99cc50402715d8864ee88c980daf810af80ee6807e52c1ca07f4101322709add26e2756435bad6b07b2aa3f636e4d6096bceeb42081c56475c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Provide.accdt

Filesize
11KB

MD5
e3f10080ab2a68f4e23d1b1409716d1a

SHA1
aa8408183051703f1130234ab2025cb3f0bc784d

SHA256
536a71f9826978c11537a4d727c31cf133b26942262d17fd2e2514ca2e68be2b

SHA512
548ef52dfeeec0431a22454eff457b85189e98a326be0f271eb7cbbaf093d0e0c7fdb1c692bd2b604073326c4ece8af5b9ccd8a62f15d172754c7b7660b2c9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Spotlight.accdt

Filesize
1019KB

MD5
7589f2b25aab67fa51982d2123c06aed

SHA1
49ba0088845dd5a650805bc8eba149f1eb8088b0

SHA256
10c21ca00df6e31e4402ac703f55d326d66d431d5b8b4f414b5ce631fcdb1e3e

SHA512
ead1e5916c6f8758637e912ffdd6ee6166cde8e8b596643467311139cb63e72fdb6bdeca4eaad13f54cacde1473e637c81d30157112a8ed910d57711a1d25a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lWYwfys.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1408-160-0x00000000008E0000-0x00000000008E9000-memory.dmp

Filesize
36KB

Download
memory/1408-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-161-0x0000000000910000-0x000000000091D000-memory.dmp

Filesize
52KB

Download