4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Analysis

max time kernel
90s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PL/Une1.exe
Size

900KB
MD5

c340449d532642420d4bedc2e9f7ce7c
SHA1

6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
SHA256

a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
SHA512

c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
SSDEEP

12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Tanks.exe.pifTanks.exe.pif

pid process

776 Tanks.exe.pif
4444 Tanks.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Tanks.exe.pif

pid process

776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif

pid	process
776	Tanks.exe.pif
4444	Tanks.exe.pif

pid	process
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Une1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Une1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Une1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tanks.exe.pif

description pid process target process

PID 776 set thread context of 4444 776 Tanks.exe.pif Tanks.exe.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4712 tasklist.exe
436 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3836 PING.EXE
5036 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Tanks.exe.pif

pid process

776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4712 tasklist.exe
Token: SeDebugPrivilege 436 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Tanks.exe.pif

pid process

776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Tanks.exe.pif

pid process

776 Tanks.exe.pif
776 Tanks.exe.pif
776 Tanks.exe.pif

description	pid	process	target process
PID 776 set thread context of 4444	776	Tanks.exe.pif	Tanks.exe.pif

pid	process
4712	tasklist.exe
436	tasklist.exe

pid	process
3836	PING.EXE
5036	PING.EXE

pid	process
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif

description	pid	process
Token: SeDebugPrivilege	4712	tasklist.exe
Token: SeDebugPrivilege	436	tasklist.exe

pid	process
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif

pid	process
776	Tanks.exe.pif
776	Tanks.exe.pif
776	Tanks.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Une1.execmd.execmd.exeTanks.exe.pif

description	pid	process	target process
PID 4792 wrote to memory of 2708	4792	Une1.exe	at.exe
PID 4792 wrote to memory of 2708	4792	Une1.exe	at.exe
PID 4792 wrote to memory of 2708	4792	Une1.exe	at.exe
PID 4792 wrote to memory of 1552	4792	Une1.exe	cmd.exe
PID 4792 wrote to memory of 1552	4792	Une1.exe	cmd.exe
PID 4792 wrote to memory of 1552	4792	Une1.exe	cmd.exe
PID 1552 wrote to memory of 4060	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 4060	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 4060	1552	cmd.exe	cmd.exe
PID 4060 wrote to memory of 4712	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 4712	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 4712	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 3660	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 3660	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 3660	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 436	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 436	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 436	4060	cmd.exe	tasklist.exe
PID 4060 wrote to memory of 1036	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 1036	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 1036	4060	cmd.exe	find.exe
PID 4060 wrote to memory of 116	4060	cmd.exe	findstr.exe
PID 4060 wrote to memory of 116	4060	cmd.exe	findstr.exe
PID 4060 wrote to memory of 116	4060	cmd.exe	findstr.exe
PID 4060 wrote to memory of 776	4060	cmd.exe	Tanks.exe.pif
PID 4060 wrote to memory of 776	4060	cmd.exe	Tanks.exe.pif
PID 4060 wrote to memory of 776	4060	cmd.exe	Tanks.exe.pif
PID 4060 wrote to memory of 3836	4060	cmd.exe	PING.EXE
PID 4060 wrote to memory of 3836	4060	cmd.exe	PING.EXE
PID 4060 wrote to memory of 3836	4060	cmd.exe	PING.EXE
PID 1552 wrote to memory of 5036	1552	cmd.exe	PING.EXE
PID 1552 wrote to memory of 5036	1552	cmd.exe	PING.EXE
PID 1552 wrote to memory of 5036	1552	cmd.exe	PING.EXE
PID 776 wrote to memory of 4444	776	Tanks.exe.pif	Tanks.exe.pif
PID 776 wrote to memory of 4444	776	Tanks.exe.pif	Tanks.exe.pif
PID 776 wrote to memory of 4444	776	Tanks.exe.pif	Tanks.exe.pif
PID 776 wrote to memory of 4444	776	Tanks.exe.pif	Tanks.exe.pif
PID 776 wrote to memory of 4444	776	Tanks.exe.pif	Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\at.exe
at 3874982763784yhwgdfg78234789s42809374918uf
2⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Film.aspx & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:3660

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:1036

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^otPcqYaF$" Deliver.aspx
4⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Tanks.exe.pif A
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
5⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:3836

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx
Filesize
891KB

MD5
ffc713ff8173dac3c96bc583eb916705

SHA1
3c1b3e1eb258e304722ecc876820a470d491467d

SHA256
8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4

SHA512
8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx
Filesize
924KB

MD5
701381da8e4a87f18a22b98eee09a22b

SHA1
f5ff5c1714155b853a8335b1d359a010c012c596

SHA256
8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3

SHA512
55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx
Filesize
12KB

MD5
8eb593f08a4cca9959a469af6528ac0d

SHA1
8f4ae3c90b6d653eb75224683358f12dfc442dca

SHA256
7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70

SHA512
631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/116-140-0x0000000000000000-mapping.dmp

Download
memory/436-138-0x0000000000000000-mapping.dmp

Download
memory/776-143-0x0000000000000000-mapping.dmp

Download
memory/1036-139-0x0000000000000000-mapping.dmp

Download
memory/1552-133-0x0000000000000000-mapping.dmp

Download
memory/2708-132-0x0000000000000000-mapping.dmp

Download
memory/3660-137-0x0000000000000000-mapping.dmp

Download
memory/3836-145-0x0000000000000000-mapping.dmp

Download
memory/4060-135-0x0000000000000000-mapping.dmp

Download
memory/4444-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-148-0x0000000000000000-mapping.dmp

Download
memory/4444-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-161-0x0000000001780000-0x000000000178D000-memory.dmp

Filesize
52KB

Download
memory/4444-160-0x0000000001750000-0x0000000001759000-memory.dmp

Filesize
36KB

Download
memory/4712-136-0x0000000000000000-mapping.dmp

Download
memory/5036-146-0x0000000000000000-mapping.dmp

Download