547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9

Analysis

max time kernel
136s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe
Size

812KB
MD5

551df386aa1f13198e40b49b7dbf0df2
SHA1

995436802a0499ed7c787383097cbffc485f3165
SHA256

547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9
SHA512

2ea907b7d543dcfa235d441342f8b0c9a96e253b274ac94a21427ec5c3ae56455254b6562dba64c304bc1a1924daf9258edf74b2d4588d9393d6ca8cf55a396f
SSDEEP

24576:bxgx2GapHJRODYznqf5WyaLbyuhgVbhzV65KavUxXCZ:OxwrJqxfaauhgzzAKavUy

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4348	Beliefs.exe.pif
2664	Beliefs.exe.pif

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2664-154-0x0000000000400000-0x000000000047C000-memory.dmp	upx

Loads dropped DLL 7 IoCs

pid	Process
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 2664	4348	Beliefs.exe.pif	101

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	2664	WerFault.exe	101

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4936	tasklist.exe
1456	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1156	PING.EXE
3036	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	tasklist.exe
Token: SeDebugPrivilege	1456	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif
4348	Beliefs.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 4596	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	81
PID 1216 wrote to memory of 4596	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	81
PID 1216 wrote to memory of 4596	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	81
PID 1216 wrote to memory of 2432	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	83
PID 1216 wrote to memory of 2432	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	83
PID 1216 wrote to memory of 2432	1216	547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe	83
PID 2432 wrote to memory of 4888	2432	cmd.exe	85
PID 2432 wrote to memory of 4888	2432	cmd.exe	85
PID 2432 wrote to memory of 4888	2432	cmd.exe	85
PID 4888 wrote to memory of 4936	4888	cmd.exe	86
PID 4888 wrote to memory of 4936	4888	cmd.exe	86
PID 4888 wrote to memory of 4936	4888	cmd.exe	86
PID 4888 wrote to memory of 4828	4888	cmd.exe	87
PID 4888 wrote to memory of 4828	4888	cmd.exe	87
PID 4888 wrote to memory of 4828	4888	cmd.exe	87
PID 4888 wrote to memory of 1456	4888	cmd.exe	90
PID 4888 wrote to memory of 1456	4888	cmd.exe	90
PID 4888 wrote to memory of 1456	4888	cmd.exe	90
PID 4888 wrote to memory of 1736	4888	cmd.exe	91
PID 4888 wrote to memory of 1736	4888	cmd.exe	91
PID 4888 wrote to memory of 1736	4888	cmd.exe	91
PID 4888 wrote to memory of 4520	4888	cmd.exe	92
PID 4888 wrote to memory of 4520	4888	cmd.exe	92
PID 4888 wrote to memory of 4520	4888	cmd.exe	92
PID 4888 wrote to memory of 4348	4888	cmd.exe	93
PID 4888 wrote to memory of 4348	4888	cmd.exe	93
PID 4888 wrote to memory of 4348	4888	cmd.exe	93
PID 4888 wrote to memory of 1156	4888	cmd.exe	94
PID 4888 wrote to memory of 1156	4888	cmd.exe	94
PID 4888 wrote to memory of 1156	4888	cmd.exe	94
PID 2432 wrote to memory of 3036	2432	cmd.exe	95
PID 2432 wrote to memory of 3036	2432	cmd.exe	95
PID 2432 wrote to memory of 3036	2432	cmd.exe	95
PID 4348 wrote to memory of 2664	4348	Beliefs.exe.pif	101
PID 4348 wrote to memory of 2664	4348	Beliefs.exe.pif	101
PID 4348 wrote to memory of 2664	4348	Beliefs.exe.pif	101
PID 4348 wrote to memory of 2664	4348	Beliefs.exe.pif	101
PID 4348 wrote to memory of 2664	4348	Beliefs.exe.pif	101

C:\Users\Admin\AppData\Local\Temp\547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe
"C:\Users\Admin\AppData\Local\Temp\547f005eee6aed88c0a505e9f80a58985491072aa6b448c7acb465fcfa8bb5e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\choice.exe
  choice 3489834785637788484436574374756367847583
  2⤵
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Fl.pst & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      PID:4828
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^grSnbZnuavrEo$" Passport.pst
      4⤵
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif
      Beliefs.exe.pif V
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif
        5⤵
        Executes dropped EXE
        
        PID:2664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 12
        6⤵
        Program crash
        
        PID:2728
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      Runs ping.exe
      PID:1156
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2664 -ip 2664
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Beliefs.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Emotions.pst

Filesize
937KB

MD5
437f5d6b2abd3c479ee8d7ab1b08a581

SHA1
05ce05d8a33d8fbac3d8979f9007df92dda97edd

SHA256
8ae2fc5d161b8d06035f7c382a27aa8ab37880f934c1e624d6b1b644496e987b

SHA512
9b4f0ca101523f777b40ebe4f0b96d1e2ae9040d90897493459feafe885d906e1419416db724318022a578fabe4baa93e7d861a98afb2fb414758ec8484b570c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EnNMidGzT.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fl.pst

Filesize
11KB

MD5
1b0e78b88025f81c18516908d3fd5bae

SHA1
a0e6cf4398dd233c4414dbc7b58846b1d6ab8be1

SHA256
baaa3ba656252dd188fcfe83a96106bfbf99a7d738f023b79ed522206bca9005

SHA512
bb22815a84e3862f6ff22f767001af4af84fcc0be6f6f56a3376a96cb4e775c71bb53f06ced9b65047b0766509f276dc60cced1b5650dcb9c2714f3c6d19b098

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Passport.pst

Filesize
924KB

MD5
0dc3ae877f4f4b596509c4af755d3810

SHA1
a3ddcab5e2c8df87d3a4c74832304d3f88692901

SHA256
8200cd55480ad7af0cea3bebc569de8fd412f1dc901ae761c2475308a155abae

SHA512
8b615fffd5ded1c66c70c49fef99c7406936056a442bc04a51eb92d5c9c694c32b57ea36b507447aee29213eb077c7908fae31b776b31d228c4ccd819d24e552

Download Submit
memory/2664-154-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download