Analysis
-
max time kernel: 37s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-09-2022 10:21
Static task: static1
Behavioral task behavioral1: Sample c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe, Resource win7-20220812-en
Behavioral task behavioral2: Sample c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe, Resource win10-20220901-en
General
-
Target
c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
-
Size
1.3MB
-
MD5
e87958faafc944de105df5d77166543f
-
SHA1
a6624993a89299038e5cda27b48f77313d02dfd5
-
SHA256
c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23
-
SHA512
56b886f4e9dcf9629242b07e46c6619d7f7ed716c9738438c4973f1c951ff5da0be51babb7d6b49f7f1555a4810c3974d9fd6a3d591992d91b9f78f32413836f
-
SSDEEP
24576:+yIOTaHGeTylZra0y3uZIy+o87vbvLBq97N/3KjLOTR8:N3aHGeu7Py+Bf87TvLA97JsD
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 1948 created 1412 | 1948 | Secure.exe.pif | Explorer.EXE
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1948 | Secure.exe.pif
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1760 | cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe
Note: wextract_cleanup0 is the RunOnce entry the wextract/IExpress self-extractor writes so that its IXP000.TMP extraction folder is deleted at the next logon. It points at advpack.dll, not at the dropped payload, so it is an artifact of the SFX wrapper rather than persistence; the persistence in this run is the Startup .url (see "Drops startup file").
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid | process
1776 | tasklist.exe
612 | tasklist.exe
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1948 | Secure.exe.pif (4 events)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeBackupPrivilege | 1400 | robocopy.exe
Token: SeRestorePrivilege | 1400 | robocopy.exe
Token: SeSecurityPrivilege | 1400 | robocopy.exe
Token: SeTakeOwnershipPrivilege | 1400 | robocopy.exe
Token: SeDebugPrivilege | 1776 | tasklist.exe
Token: SeDebugPrivilege | 612 | tasklist.exe
Note: these are the privileges the two Windows tools enable for themselves (tasklist enables SeDebugPrivilege to read other processes' image names); they are not evidence of privilege escalation by the sample.
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
1948 | Secure.exe.pif (3 events)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
1948 | Secure.exe.pif (3 events)
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
description | pid | process | target process
PID 2020 wrote to memory of 1400 | 2020 | c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe | robocopy.exe
PID 2020 wrote to memory of 744 | 2020 | c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe | cmd.exe
PID 744 wrote to memory of 1760 | 744 | cmd.exe | cmd.exe
PID 1760 wrote to memory of 1776 | 1760 | cmd.exe | tasklist.exe
PID 1760 wrote to memory of 944 | 1760 | cmd.exe | find.exe
PID 1760 wrote to memory of 612 | 1760 | cmd.exe | tasklist.exe
PID 1760 wrote to memory of 1880 | 1760 | cmd.exe | find.exe
PID 1760 wrote to memory of 1912 | 1760 | cmd.exe | findstr.exe
PID 1760 wrote to memory of 1948 | 1760 | cmd.exe | Secure.exe.pif
PID 1760 wrote to memory of 1484 | 1760 | cmd.exe | PING.EXE
PID 1948 wrote to memory of 1040 | 1948 | Secure.exe.pif | cmd.exe
PID 744 wrote to memory of 1308 | 744 | cmd.exe | PING.EXE
Each row is recorded 4 times (48 IoCs in total). Every write goes from a process into a child it is itself starting, i.e. the parent populating the new process at creation; none targets a pre-existing process, so this signature mirrors the process tree rather than indicating injection into another application. The 1948 -> 1040 row is the one worth noting: cmd.exe 1040 appears under Explorer.EXE in the process tree although Secure.exe.pif created it (see NtCreateUserProcessOtherParentProcess).
Processes
-
C:\Windows\Explorer.EXE
  Command: C:\Windows\Explorer.EXE
  -
  C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe (PID 2020)
    Command: "C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\robocopy.exe (PID 1400)
      Command: robocopy 8927387376487263745672673846276374982938486273568279384982384972834
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\cmd.exe (PID 744)
      Command: cmd /c cmd < Fold.xltm & ping -n 5 localhost
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\cmd.exe (PID 1760)
        Command: cmd
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\tasklist.exe (PID 1776)
          Command: tasklist /FI "imagename eq AvastUI.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        -
        C:\Windows\SysWOW64\find.exe (PID 944)
          Command: find /I /N "avastui.exe"
        -
        C:\Windows\SysWOW64\tasklist.exe (PID 612)
          Command: tasklist /FI "imagename eq AVGUI.exe"
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
        -
        C:\Windows\SysWOW64\find.exe (PID 1880)
          Command: find /I /N "avgui.exe"
        -
        C:\Windows\SysWOW64\findstr.exe (PID 1912)
          Command: findstr /V /R "^fnEMjhsMHNjDK$" Moments.xltm
        -
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif (PID 1948)
          Command: Secure.exe.pif v
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\PING.EXE (PID 1484)
          Command: ping localhost -n 5
          - Runs ping.exe
      -
      C:\Windows\SysWOW64\PING.EXE (PID 1308)
        Command: ping -n 5 localhost
        - Runs ping.exe
  -
  C:\Windows\SysWOW64\cmd.exe (PID 1040)
    Command: cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\CXKBMOwtux\xjofqU.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url"
    - Drops startup file
    Note: listed under Explorer.EXE because that is the parent recorded for it, although it was created by Secure.exe.pif (PID 1948); see the NtCreateUserProcessOtherParentProcess signature and the 1948 -> 1040 WriteProcessMemory rows. The batch script in Fold.xltm (fed to cmd via stdin redirection) probes for AvastUI.exe and AVGUI.exe with tasklist/find, carves a file out of Moments.xltm by dropping the marker line fnEMjhsMHNjDK with findstr /V, launches Secure.exe.pif from the SFX extraction folder, and uses ping -n 5 localhost as a delay; the .url written to the Startup folder points at a .vbs rather than a web address.
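The chain above (stdin-fed batch script, tasklist AV probe, findstr /V carving, .pif launch from the IXP000.TMP folder, Startup .url pointing at a script, ping delay, and a child whose recorded parent differs from its creator) is easy to express as process-creation rules. The following is an added example written for this page, not sandbox output: the `Proc` records are constructed from the process tree above with the PIDs the report gives, the field names (`pid`, `ppid`, `creator`, `image`, `cmdline`) are assumptions rather than any sandbox schema, and `creator` (the process that really called NtCreateUserProcess) is only available when a sandbox or EDR records it.

```python
"""Rules for the staging chain in this report, run over constructed process records."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int                      # parent as recorded by the OS (can be spoofed)
    image: str
    cmdline: str
    creator: Optional[int] = None  # real creating process, when the sensor knows it


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c4122524776c195199816a4e57635c7d32f15aa2e9080feb32ae0c2b05446a23.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOURxLBXVe.url"

# Constructed from the Processes tree in the report (PIDs as recorded there).
# 1412 is taken from the NtCreateUserProcessOtherParentProcess row and is assumed to be Explorer's PID.
SAMPLE = [
    Proc(2020, 1412, DROPPER, f'"{DROPPER}"'),
    Proc(1400, 2020, r"C:\Windows\SysWOW64\robocopy.exe", "robocopy 8927387376487263745672673846276374982938486273568279384982384972834"),
    Proc(744, 2020, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Fold.xltm & ping -n 5 localhost"),
    Proc(1760, 744, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(1776, 1760, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "imagename eq AvastUI.exe"'),
    Proc(944, 1760, r"C:\Windows\SysWOW64\find.exe", 'find /I /N "avastui.exe"'),
    Proc(612, 1760, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /FI "imagename eq AVGUI.exe"'),
    Proc(1880, 1760, r"C:\Windows\SysWOW64\find.exe", 'find /I /N "avgui.exe"'),
    Proc(1912, 1760, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V /R "^fnEMjhsMHNjDK$" Moments.xltm'),
    Proc(1948, 1760, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif", "Secure.exe.pif v"),
    Proc(1484, 1760, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 5"),
    Proc(1040, 1412, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd /c echo [InternetShortcut] > "{STARTUP}" & echo URL="C:\\Users\\Admin\\AppData\\Local\\Temp\\CXKBMOwtux\\xjofqU.vbs" >> "{STARTUP}"',
         creator=1948),
    Proc(1308, 744, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 localhost"),
]


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def _is(p: Proc, name: str) -> bool:
    return p.image.lower().endswith("\\" + name)


def cmd_stdin_from_decoy(p: Proc) -> Optional[str]:
    """cmd.exe reading its script via '<' from a file that is not .bat/.cmd (Fold.xltm here)."""
    m = re.search(r'<\s*"?([^\s"&|<>]+)', p.cmdline) if _is(p, "cmd.exe") else None
    return f"stdin script from {m.group(1)}" if m and _ext(m.group(1)) not in ("bat", "cmd") else None


def av_process_check(p: Proc) -> Optional[str]:
    """tasklist /FI "imagename eq X" is the batch-script way of looking for a security product."""
    m = re.search(r'imagename eq ([^"\s]+)', p.cmdline, re.I) if _is(p, "tasklist.exe") else None
    return f"probes for {m.group(1)}" if m else None


def findstr_marker_strip(p: Proc) -> Optional[str]:
    """findstr /V with an anchored literal drops exactly the marker lines: a payload carved out of a decoy file."""
    m = re.search(r'/V\b.*"\^([^"$]+)\$"\s+(\S+)', p.cmdline, re.I) if _is(p, "findstr.exe") else None
    return f"strips marker {m.group(1)!r} from {m.group(2)}" if m else None


def pif_from_wextract_dir(p: Proc) -> Optional[str]:
    """A .pif run from %TEMP%\\IXP###.TMP (wextract/IExpress extraction folder): a renamed PE."""
    return "PE (.pif) launched from SFX extraction dir" if re.search(r"\\IXP\d{3}\.TMP\\[^\\]+\.pif$", p.image, re.I) else None


def startup_url_to_script(p: Proc) -> Optional[str]:
    """[InternetShortcut]/URL= echoed into the Startup folder, with a script (not a web address) as target."""
    u = re.search(r'\\Start Menu\\Programs\\Startup\\[^"]+\.url', p.cmdline, re.I)
    t = re.search(r'URL="?([^"\s]+)', p.cmdline)
    return f"Startup .url -> {t.group(1)}" if u and t and _ext(t.group(1)) in ("vbs", "js", "wsf", "bat", "cmd", "ps1", "exe", "pif") else None


def ping_as_sleep(p: Proc) -> Optional[str]:
    return "ping localhost used as a delay" if _is(p, "ping.exe") and re.search(r"-n\s+\d+", p.cmdline) and "localhost" in p.cmdline.lower() else None


def ppid_spoofed(p: Proc) -> Optional[str]:
    """Recorded parent differs from the process that actually created it."""
    return f"parent {p.ppid} but created by {p.creator}" if p.creator is not None and p.creator != p.ppid else None


RULES = [cmd_stdin_from_decoy, av_process_check, findstr_marker_strip,
         pif_from_wextract_dir, startup_url_to_script, ping_as_sleep, ppid_spoofed]


def root_of(pid: int, by_pid: Dict[int, Proc]) -> int:
    """Follow creator links (falling back to ppid) up to the topmost process we hold a record for,
    so a spoofed parent does not split the chain."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        p = by_pid[pid]
        link = p.creator if p.creator is not None else p.ppid
        if link not in by_pid:
            break
        pid = link
    return pid


def analyze(procs: List[Proc]) -> List[Tuple[str, int, int, str]]:
    """(rule name, pid, root pid, reason) for every rule that fires."""
    by_pid = {p.pid: p for p in procs}
    return [(r.__name__, p.pid, root_of(p.pid, by_pid), why) for p in procs for r in RULES if (why := r(p))]


def verdict(procs: List[Proc]) -> Dict[int, str]:
    """'staged-dropper' when AV probing, marker carving and a .pif launch from the SFX dir share one root."""
    names = defaultdict(set)
    for rule, _pid, root, _why in analyze(procs):
        names[root].add(rule)
    core = {"av_process_check", "findstr_marker_strip", "pif_from_wextract_dir"}
    return {root: "staged-dropper" if core <= n else "suspicious" for root, n in names.items()}


if __name__ == "__main__":
    for hit in analyze(SAMPLE):
        print(hit)
    print(verdict(SAMPLE))
```

`root_of` follows `creator` rather than `ppid` where both are known; without that, cmd.exe 1040 would be attributed to Explorer and the persistence step would be scored separately from the dropper it belongs to. On the constructed records every hit rolls up to PID 2020 and the verdict is `staged-dropper`.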
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fold.xltm
Filesize 11KB
MD5 90d8f5e3ac6018518f62e956d2880e7b
SHA1 0c990d51199f360b1b92b2ecf59e2fcbf271370d
SHA256 2d94baac5ea323a4c8e5b85086b3d633bc0665cf519b9125e54d21f23bdca29a
SHA512 6cec14f3814fe2663fdac8018c96e751f7e3dcb0352e675965a5ea608f50f48674cc271875ae1ac3a4bf7a29dbdab7447afc7c9f8dc718869b7f2f0a21678593
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Moments.xltm
Filesize 924KB
MD5 fdeac3f6ababd1a476ea5439e32c1644
SHA1 567d87f642781f6928652cd7a84e08b490a3d8ba
SHA256 9c1c55b4be77c21d1d1cf7976c4db12f7cb7da9651da5acb8fdaebdc2496d824
SHA512 5098d26edef958b6e5428dcd83240096012449534a9cf7d35d4cf90beb1770ec729744045c10cf245dc3ea18186790032d879a899399193ddaf009b956f5539a
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Filesize 924KB
MD5 6987e4cd3f256462f422326a7ef115b9
SHA1 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Zambia.xltm
Filesize 1.6MB
MD5 4cc5098b13c4399f6ff959497462f327
SHA1 676d5607891bad100eda09913e239b0b0a0024b8
SHA256 621e7010c0c2e6b361cb3c2e8cce4c514c91f2fe62e211e1f0992f796bef114f
SHA512 614ca78a7aaecc9bb823e644a9f581b9ee95a27023c117ad07d7479bcc7782295146ad4309fddfb159e72181b95dfb325a3162b75a12d181c9f7539e00fe3b20
-
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Secure.exe.pif
Filesize 924KB
MD5 6987e4cd3f256462f422326a7ef115b9
SHA1 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
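Moments.xltm and Secure.exe.pif are both listed at 924KB with different hashes, and the tree shows `findstr /V /R "^fnEMjhsMHNjDK$" Moments.xltm` but not where its output was redirected. Whether Secure.exe.pif is simply Moments.xltm with the marker lines removed is therefore a hypothesis, and it is one an analyst can test offline against the dropped files. The block below is an added example for this page, not part of the report: it emulates the `findstr /V` carve on a constructed container (`CONTAINER` and `PAYLOAD` are made-up bytes, not the real files) and compares the result's SHA256 with the expected value. It does not model findstr's exact handling of binary input, so a hash mismatch on the real files means "not this simple carve", not "unrelated files".

```python
"""Check the 'findstr /V strips the marker lines' carve hypothesis by hash comparison."""
import hashlib

MARKER = b"fnEMjhsMHNjDK"  # the anchored literal from the findstr command in the report


def strip_marker_lines(data: bytes, marker: bytes) -> bytes:
    """Emulate `findstr /V /R "^MARKER$"`: drop every line whose content is exactly the marker.
    Lines are split on \\n, \\r or \\r\\n with their terminators kept, so everything else is
    copied through byte-for-byte; a line that merely contains the marker is retained."""
    kept = []
    for line in data.splitlines(keepends=True):
        if line.rstrip(b"\r\n") != marker:
            kept.append(line)
    return b"".join(kept)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_matches(container: bytes, marker: bytes, expected_sha256: str) -> bool:
    """True when removing the marker lines from `container` yields a file with the expected hash."""
    return sha256(strip_marker_lines(container, marker)) == expected_sha256


# Constructed stand-ins: a fake 'MZ' blob, including a line that contains (but is not only) the
# marker, wrapped between marker lines the way a decoy file would carry it.
PAYLOAD = (b"MZ\x90\x00" + bytes(range(256)) * 4
           + b"\r\n" + MARKER + b"x\r\n"        # must survive: not an exact-line match
           + b"end-of-payload\r\n")
CONTAINER = MARKER + b"\r\n" + PAYLOAD + MARKER + b"\r\n"

if __name__ == "__main__":
    # On the real files this would read Moments.xltm and compare against the
    # SHA256 listed for Secure.exe.pif above (3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0).
    print(carve_matches(CONTAINER, MARKER, sha256(PAYLOAD)))
```

To run it against the dropped files, read Moments.xltm in binary mode, pass the SHA256 the report lists for Secure.exe.pif, and treat `True` as confirmation of the carve and `False` as a reason to look at the findstr output redirection and line-ending handling more closely.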
-
memory/612-60-0x0000000000000000-mapping.dmp
-
memory/744-55-0x0000000000000000-mapping.dmp
-
memory/944-59-0x0000000000000000-mapping.dmp
-
memory/1040-71-0x0000000000000000-mapping.dmp
-
memory/1308-72-0x0000000000000000-mapping.dmp
-
memory/1400-54-0x0000000000000000-mapping.dmp
-
memory/1484-68-0x0000000000000000-mapping.dmp
-
memory/1760-57-0x0000000000000000-mapping.dmp
-
memory/1776-58-0x0000000000000000-mapping.dmp
-
memory/1880-61-0x0000000000000000-mapping.dmp
-
memory/1912-62-0x0000000000000000-mapping.dmp
-
memory/1948-69-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize 8KB
-
memory/1948-66-0x0000000000000000-mapping.dmp