c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23

General

Target

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Size

1.3MB
MD5

e87958faafc944de105df5d77166543f
SHA1

a6624993a89299038e5cda27b48f77313d02dfd5
SHA256

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
SHA512

56b886f4e9dcf9629242b07e46c6619d7f7ed716c9738438c4973f1c951ff5da0be51babb7d6b49f7f1555a4810c3974d9fd6a3d591992d91b9f78f32413836f
SSDEEP

24576:+yIOTaHGeTylZra0y3uZIy+o87vbvLBq97N/3KjLOTR8:N3aHGeu7Py+Bf87TvLA97JsD

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Secure.exe.pif

description pid process target process

PID 1948 created 1412 1948 Secure.exe.pif Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

Secure.exe.pif

pid process

1948 Secure.exe.pif

description	pid	process	target process
PID 1948 created 1412	1948	Secure.exe.pif	Explorer.EXE

pid	process
1948	Secure.exe.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
1760	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1776 tasklist.exe
612 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1484 PING.EXE
1308 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Secure.exe.pif

pid process

1948 Secure.exe.pif
1948 Secure.exe.pif
1948 Secure.exe.pif
1948 Secure.exe.pif

pid	process
1776	tasklist.exe
612	tasklist.exe

pid	process
1484	PING.EXE
1308	PING.EXE

pid	process
1948	Secure.exe.pif
1948	Secure.exe.pif
1948	Secure.exe.pif
1948	Secure.exe.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

robocopy.exetasklist.exetasklist.exe

description	pid	process
Token: SeBackupPrivilege	1400	robocopy.exe
Token: SeRestorePrivilege	1400	robocopy.exe
Token: SeSecurityPrivilege	1400	robocopy.exe
Token: SeTakeOwnershipPrivilege	1400	robocopy.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	612	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Secure.exe.pif

pid process

1948 Secure.exe.pif
1948 Secure.exe.pif
1948 Secure.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Secure.exe.pif

pid process

1948 Secure.exe.pif
1948 Secure.exe.pif
1948 Secure.exe.pif

pid	process
1948	Secure.exe.pif
1948	Secure.exe.pif
1948	Secure.exe.pif

pid	process
1948	Secure.exe.pif
1948	Secure.exe.pif
1948	Secure.exe.pif

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.execmd.execmd.exeSecure.exe.pif

description	pid	process	target process
PID 2020 wrote to memory of 1400	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	robocopy.exe
PID 2020 wrote to memory of 1400	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	robocopy.exe
PID 2020 wrote to memory of 1400	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	robocopy.exe
PID 2020 wrote to memory of 1400	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	robocopy.exe
PID 2020 wrote to memory of 744	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	cmd.exe
PID 2020 wrote to memory of 744	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	cmd.exe
PID 2020 wrote to memory of 744	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	cmd.exe
PID 2020 wrote to memory of 744	2020	c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe	cmd.exe
PID 744 wrote to memory of 1760	744	cmd.exe	cmd.exe
PID 744 wrote to memory of 1760	744	cmd.exe	cmd.exe
PID 744 wrote to memory of 1760	744	cmd.exe	cmd.exe
PID 744 wrote to memory of 1760	744	cmd.exe	cmd.exe
PID 1760 wrote to memory of 1776	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1776	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1776	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1776	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 944	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 944	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 944	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 944	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 612	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 612	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 612	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 612	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1880	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1880	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1880	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1880	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1948	1760	cmd.exe	Secure.exe.pif
PID 1760 wrote to memory of 1948	1760	cmd.exe	Secure.exe.pif
PID 1760 wrote to memory of 1948	1760	cmd.exe	Secure.exe.pif
PID 1760 wrote to memory of 1948	1760	cmd.exe	Secure.exe.pif
PID 1760 wrote to memory of 1484	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1484	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1484	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1484	1760	cmd.exe	PING.EXE
PID 1948 wrote to memory of 1040	1948	Secure.exe.pif	cmd.exe
PID 1948 wrote to memory of 1040	1948	Secure.exe.pif	cmd.exe
PID 1948 wrote to memory of 1040	1948	Secure.exe.pif	cmd.exe
PID 1948 wrote to memory of 1040	1948	Secure.exe.pif	cmd.exe
PID 744 wrote to memory of 1308	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 1308	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 1308	744	cmd.exe	PING.EXE
PID 744 wrote to memory of 1308	744	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
"C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Fold.xltm & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
5⤵
PID:944

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
5⤵
PID:1880

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fnEMjhsMHNjDK$" Moments.xltm
5⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Secure.exe.pif v
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:1484

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\CXKBMOwtux\xjofqU.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url"
2⤵
- Drops startup file
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fold.xltm
Filesize
11KB

MD5
90d8f5e3ac6018518f62e956d2880e7b

SHA1
0c990d51199f360b1b92b2ecf59e2fcbf271370d

SHA256
2d94baac5ea323a4c8e5b85086b3d633bc0665cf519b9125e54d21f23bdca29a

SHA512
6cec14f3814fe2663fdac8018c96e751f7e3dcb0352e675965a5ea608f50f48674cc271875ae1ac3a4bf7a29dbdab7447afc7c9f8dc718869b7f2f0a21678593

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Moments.xltm
Filesize
924KB

MD5
fdeac3f6ababd1a476ea5439e32c1644

SHA1
567d87f642781f6928652cd7a84e08b490a3d8ba

SHA256
9c1c55b4be77c21d1d1cf7976c4db12f7cb7da9651da5acb8fdaebdc2496d824

SHA512
5098d26edef958b6e5428dcd83240096012449534a9cf7d35d4cf90beb1770ec729744045c10cf245dc3ea18186790032d879a899399193ddaf009b956f5539a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zambia.xltm
Filesize
1.6MB

MD5
4cc5098b13c4399f6ff959497462f327

SHA1
676d5607891bad100eda09913e239b0b0a0024b8

SHA256
621e7010c0c2e6b361cb3c2e8cce4c514c91f2fe62e211e1f0992f796bef114f

SHA512
614ca78a7aaecc9bb823e644a9f581b9ee95a27023c117ad07d7479bcc7782295146ad4309fddfb159e72181b95dfb325a3162b75a12d181c9f7539e00fe3b20

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/612-60-0x0000000000000000-mapping.dmp

Download
memory/744-55-0x0000000000000000-mapping.dmp

Download
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/1040-71-0x0000000000000000-mapping.dmp

Download
memory/1308-72-0x0000000000000000-mapping.dmp

Download
memory/1400-54-0x0000000000000000-mapping.dmp

Download
memory/1484-68-0x0000000000000000-mapping.dmp

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download
memory/1776-58-0x0000000000000000-mapping.dmp

Download
memory/1880-61-0x0000000000000000-mapping.dmp

Download
memory/1912-62-0x0000000000000000-mapping.dmp

Download
memory/1948-69-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1948-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads