Overview (score 10)
Static (score 10)

Task scores (sample, platform, score):
PL/6523.exe        windows7-x64         10
PL/6523.exe        windows10-2004-x64   10
PL/Galaxy.exe      windows7-x64         8
PL/Galaxy.exe      windows10-2004-x64   10
PL/Service.exe     windows7-x64         10
PL/Service.exe     windows10-2004-x64   10
PL/Une1.exe        windows7-x64         8
PL/Une1.exe        windows10-2004-x64   8
PL/pb1115.exe      windows7-x64         8
PL/pb1115.exe      windows10-2004-x64   8
PL/setup.exe       windows7-x64         10
PL/setup.exe       windows10-2004-x64   10
PL/setup.exe       windows7-x64         8
PL/setup.exe       windows10-2004-x64   8
PL/setup331.exe    windows7-x64         7
PL/setup331.exe    windows10-2004-x64   7

Analysis
- max time kernel: 43s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 04-10-2022 21:11
Behavioral tasks (task: sample, resource)
- behavioral1: PL/6523.exe, win7-20220812-en
- behavioral2: PL/6523.exe, win10v2004-20220812-en
- behavioral3: PL/Galaxy.exe, win7-20220901-en
- behavioral4: PL/Galaxy.exe, win10v2004-20220812-en
- behavioral5: PL/Service.exe, win7-20220812-en
- behavioral6: PL/Service.exe, win10v2004-20220901-en
- behavioral7: PL/Une1.exe, win7-20220901-en
- behavioral8: PL/Une1.exe, win10v2004-20220901-en
- behavioral9: PL/pb1115.exe, win7-20220812-en
- behavioral10: PL/pb1115.exe, win10v2004-20220812-en
- behavioral11: PL/setup.exe, win7-20220812-en
- behavioral12: PL/setup.exe, win10v2004-20220901-en
- behavioral13: PL/setup.exe, win7-20220812-en
- behavioral14: PL/setup.exe, win10v2004-20220812-en
- behavioral15: PL/setup331.exe, win7-20220812-en
- behavioral16: PL/setup331.exe, win10v2004-20220812-en
General
- Target: PL/Une1.exe
- Size: 900KB
- MD5: c340449d532642420d4bedc2e9f7ce7c
- SHA1: 6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
- SHA256: a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
- SHA512: c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
- SSDEEP: 12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1544  Tanks.exe.pif
- Loads dropped DLL (1 IoC)
  pid 768  cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce  (process: Une1.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: Une1.exe)
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid 620  tasklist.exe
  pid 336  tasklist.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1544  Tanks.exe.pif  (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 620  tasklist.exe
  Token: SeDebugPrivilege  pid 336  tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 1544  Tanks.exe.pif  (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 1544  Tanks.exe.pif  (3 events)
- Suspicious use of WriteProcessMemory (44 IoCs: 11 distinct parent/target pairs, each recorded four times)
  PID 1048 (Une1.exe) wrote to memory of 948 (at.exe)
  PID 1048 (Une1.exe) wrote to memory of 552 (cmd.exe)
  PID 552 (cmd.exe) wrote to memory of 768 (cmd.exe)
  PID 768 (cmd.exe) wrote to memory of 620 (tasklist.exe)
  PID 768 (cmd.exe) wrote to memory of 1688 (find.exe)
  PID 768 (cmd.exe) wrote to memory of 336 (tasklist.exe)
  PID 768 (cmd.exe) wrote to memory of 1820 (find.exe)
  PID 768 (cmd.exe) wrote to memory of 1548 (findstr.exe)
  PID 768 (cmd.exe) wrote to memory of 1544 (Tanks.exe.pif)
  PID 768 (cmd.exe) wrote to memory of 744 (PING.EXE)
  PID 552 (cmd.exe) wrote to memory of 1968 (PING.EXE)
Processes (number in brackets is the depth in the process tree; the line under each path is its command line)
- [1] C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe
      "C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\at.exe
        at 3874982763784yhwgdfg78234789s42809374918uf
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Film.aspx & ping -n 5 localhost
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          cmd
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "imagename eq AvastUI.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            find /I /N "avastui.exe"
      - [4] C:\Windows\SysWOW64\tasklist.exe
            tasklist /FI "imagename eq AVGUI.exe"
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\find.exe
            find /I /N "avgui.exe"
      - [4] C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^otPcqYaF$" Deliver.aspx
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
            Tanks.exe.pif A
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
      - [4] C:\Windows\SysWOW64\PING.EXE
            ping localhost -n 5
            - Runs ping.exe
    - [3] C:\Windows\SysWOW64\PING.EXE
          ping -n 5 localhost
          - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx
  Filesize: 891KB
  MD5: ffc713ff8173dac3c96bc583eb916705
  SHA1: 3c1b3e1eb258e304722ecc876820a470d491467d
  SHA256: 8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4
  SHA512: 8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx
  Filesize: 924KB
  MD5: 701381da8e4a87f18a22b98eee09a22b
  SHA1: f5ff5c1714155b853a8335b1d359a010c012c596
  SHA256: 8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3
  SHA512: 55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx
  Filesize: 12KB
  MD5: 8eb593f08a4cca9959a469af6528ac0d
  SHA1: 8f4ae3c90b6d653eb75224683358f12dfc442dca
  SHA256: 7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70
  SHA512: 631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
  Filesize: 924KB
  MD5: 6987e4cd3f256462f422326a7ef115b9
  SHA1: 71672a495b4603ecfec40a65254cb3ba8766bbe0
  SHA256: 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
  SHA512: 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
- memory/336-61-0x0000000000000000-mapping.dmp
- memory/552-56-0x0000000000000000-mapping.dmp
- memory/620-59-0x0000000000000000-mapping.dmp
- memory/744-69-0x0000000000000000-mapping.dmp
- memory/768-58-0x0000000000000000-mapping.dmp
- memory/948-54-0x0000000000000000-mapping.dmp
- memory/948-55-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
- memory/1544-67-0x0000000000000000-mapping.dmp
- memory/1548-63-0x0000000000000000-mapping.dmp
- memory/1688-60-0x0000000000000000-mapping.dmp
- memory/1820-62-0x0000000000000000-mapping.dmp
- memory/1968-71-0x0000000000000000-mapping.dmp