89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3

Analysis

max time kernel
25s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-11-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Size

588.6MB
MD5

406da853741b451e074e2d66567b126a
SHA1

4a2e040b94eabb5e72b647db64586b4dc3e22a62
SHA256

89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3
SHA512

b47a095b79ee25cb8d794e6397b2279636f153f1919acdb8bbddd22768a99d10f1120e5587fd54301fd6b4323ac7e0eefe9e78d40fd0bf32eaf52b84de2c4eeb
SSDEEP

98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1184	Cunt.exe.pif

Loads dropped DLL 1 IoCs

pid	Process
1744	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
888	tasklist.exe
1956	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
776	PING.EXE
932	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1184	Cunt.exe.pif
1184	Cunt.exe.pif
1184	Cunt.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	tasklist.exe
Token: SeDebugPrivilege	1956	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1184	Cunt.exe.pif
1184	Cunt.exe.pif
1184	Cunt.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1184	Cunt.exe.pif
1184	Cunt.exe.pif
1184	Cunt.exe.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1472	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	26
PID 1096 wrote to memory of 1472	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	26
PID 1096 wrote to memory of 1472	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	26
PID 1096 wrote to memory of 1472	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	26
PID 1096 wrote to memory of 1352	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	27
PID 1096 wrote to memory of 1352	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	27
PID 1096 wrote to memory of 1352	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	27
PID 1096 wrote to memory of 1352	1096	89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe	27
PID 1352 wrote to memory of 1744	1352	cmd.exe	29
PID 1352 wrote to memory of 1744	1352	cmd.exe	29
PID 1352 wrote to memory of 1744	1352	cmd.exe	29
PID 1352 wrote to memory of 1744	1352	cmd.exe	29
PID 1744 wrote to memory of 888	1744	cmd.exe	30
PID 1744 wrote to memory of 888	1744	cmd.exe	30
PID 1744 wrote to memory of 888	1744	cmd.exe	30
PID 1744 wrote to memory of 888	1744	cmd.exe	30
PID 1744 wrote to memory of 1804	1744	cmd.exe	31
PID 1744 wrote to memory of 1804	1744	cmd.exe	31
PID 1744 wrote to memory of 1804	1744	cmd.exe	31
PID 1744 wrote to memory of 1804	1744	cmd.exe	31
PID 1744 wrote to memory of 1956	1744	cmd.exe	33
PID 1744 wrote to memory of 1956	1744	cmd.exe	33
PID 1744 wrote to memory of 1956	1744	cmd.exe	33
PID 1744 wrote to memory of 1956	1744	cmd.exe	33
PID 1744 wrote to memory of 1772	1744	cmd.exe	34
PID 1744 wrote to memory of 1772	1744	cmd.exe	34
PID 1744 wrote to memory of 1772	1744	cmd.exe	34
PID 1744 wrote to memory of 1772	1744	cmd.exe	34
PID 1744 wrote to memory of 580	1744	cmd.exe	35
PID 1744 wrote to memory of 580	1744	cmd.exe	35
PID 1744 wrote to memory of 580	1744	cmd.exe	35
PID 1744 wrote to memory of 580	1744	cmd.exe	35
PID 1744 wrote to memory of 1184	1744	cmd.exe	36
PID 1744 wrote to memory of 1184	1744	cmd.exe	36
PID 1744 wrote to memory of 1184	1744	cmd.exe	36
PID 1744 wrote to memory of 1184	1744	cmd.exe	36
PID 1744 wrote to memory of 776	1744	cmd.exe	37
PID 1744 wrote to memory of 776	1744	cmd.exe	37
PID 1744 wrote to memory of 776	1744	cmd.exe	37
PID 1744 wrote to memory of 776	1744	cmd.exe	37
PID 1352 wrote to memory of 932	1352	cmd.exe	38
PID 1352 wrote to memory of 932	1352	cmd.exe	38
PID 1352 wrote to memory of 932	1352	cmd.exe	38
PID 1352 wrote to memory of 932	1352	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe
"C:\Users\Admin\AppData\Local\Temp\89f80d49e027e99e2f5413ef2d29651236eb10845452207e595f5bebc65dcbb3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\dllhost.exe
  dllhost vfrfgh ningggfdee
  2⤵
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Fox.wks & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^xogwVTG$" Karma.wks
      4⤵
      PID:580
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
      Cunt.exe.pif t
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1184
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      Runs ping.exe
      PID:776
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fox.wks

Filesize
10KB

MD5
c39714e32d3c98a8a2afd420d527095d

SHA1
5b924df4bb3614a9f1358b8ed0e818277acaccea

SHA256
f2f514c76e7c8411d37ea79c7be6d0dd4024a9ac83e3a5d59acb6480b2a13573

SHA512
df0f89acb6535c144308ff78322416441d2f3f8b83840f4edce3348481ee94402e9b4cb0d7753c0b46db1c0a7f4305539860a2d75c6a54bacb70d53baa2c4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I.wks

Filesize
7.6MB

MD5
6d942fa1ae7ab3c902b73b8ff6358b09

SHA1
c88abd3912d28ad2bf389f79e7958f214316c9a2

SHA256
e194a2403a27f5cb5fa4ccced81512be3f9116064e2253e0af9b1506cc2090de

SHA512
f4450511a30df618e7004dca4d6c08679f186153fe27107715c2700bf473bceebc12ff249fe030e13f7e3dd544d760bd34f22003c071db4a928d84a5ab63290c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Karma.wks

Filesize
924KB

MD5
c48ecf8c0b6236b0927ba0f0e3636176

SHA1
d9dd633ff4cc6c9502ff2e3455b9aba8e0420b91

SHA256
d1d6b505460c22b9851a34ecc77c1503b04a901400348921989d71688288eb61

SHA512
c8917b1cc3a123c4f32120e0b1f16a3448f52054324f6df2983f0fecd07bda13f9f05285e21f44499da5feb1c889c7d7709cb5f2232dd49988a4d9c8b91bb003

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/776-68-0x0000000000000000-mapping.dmp

Download
memory/888-58-0x0000000000000000-mapping.dmp

Download
memory/932-70-0x0000000000000000-mapping.dmp

Download
memory/1184-66-0x0000000000000000-mapping.dmp

Download
memory/1184-69-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1472-54-0x0000000000000000-mapping.dmp

Download
memory/1744-57-0x0000000000000000-mapping.dmp

Download
memory/1772-61-0x0000000000000000-mapping.dmp

Download
memory/1804-59-0x0000000000000000-mapping.dmp

Download
memory/1956-60-0x0000000000000000-mapping.dmp

Download