5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3

General

Target

tmp.exe
Size

737KB
MD5

8d013b4129e9f90f841a494190847b31
SHA1

53cefb2945a37889b5442cc45aea28dea8a5ac22
SHA256

5a53c1d7e6761dbe6b6ae5788cc6ffbbe78794d1eabc736251cce47c13ccfcc3
SHA512

c9152eb756d1d7ecf988c275365bb4bc4e7de7286a00893b9814d65bd6693e25be9509e1f3829db93bec629c6a9cec9252f645858bef0f6ee221b913da20dfbb
SSDEEP

12288:OS7vhV8dsyhucBzpzsr84zykKlj1tQowfxAiMNCXMfoufjuKLtnY3jIqP:VVEspUzxs4+Wlj1TZnJfo2TwEqP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Adventure.exe.pif

pid process

1252 Adventure.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
1760	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2016 tasklist.exe
1716 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1168 PING.EXE
1200 PING.EXE

pid	process
2016	tasklist.exe
1716	tasklist.exe

pid	process
1168	PING.EXE
1200	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Adventure.exe.pif

pid	process
1252	Adventure.exe.pif
1252	Adventure.exe.pif
1252	Adventure.exe.pif
1252	Adventure.exe.pif
1252	Adventure.exe.pif
1252	Adventure.exe.pif
1252	Adventure.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2016 tasklist.exe
Token: SeDebugPrivilege 1716 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Adventure.exe.pif

pid process

1252 Adventure.exe.pif
1252 Adventure.exe.pif
1252 Adventure.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Adventure.exe.pif

pid process

1252 Adventure.exe.pif
1252 Adventure.exe.pif
1252 Adventure.exe.pif

description	pid	process
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 1864	1584	tmp.exe	dllhost.exe
PID 1584 wrote to memory of 1864	1584	tmp.exe	dllhost.exe
PID 1584 wrote to memory of 1864	1584	tmp.exe	dllhost.exe
PID 1584 wrote to memory of 1864	1584	tmp.exe	dllhost.exe
PID 1584 wrote to memory of 1484	1584	tmp.exe	cmd.exe
PID 1584 wrote to memory of 1484	1584	tmp.exe	cmd.exe
PID 1584 wrote to memory of 1484	1584	tmp.exe	cmd.exe
PID 1584 wrote to memory of 1484	1584	tmp.exe	cmd.exe
PID 1484 wrote to memory of 1760	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1760	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1760	1484	cmd.exe	cmd.exe
PID 1484 wrote to memory of 1760	1484	cmd.exe	cmd.exe
PID 1760 wrote to memory of 2016	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 2016	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 2016	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 2016	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 2028	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 2028	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 2028	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 2028	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1716	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1716	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1716	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1716	1760	cmd.exe	tasklist.exe
PID 1760 wrote to memory of 1764	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1764	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1764	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1764	1760	cmd.exe	find.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1912	1760	cmd.exe	findstr.exe
PID 1760 wrote to memory of 1252	1760	cmd.exe	Adventure.exe.pif
PID 1760 wrote to memory of 1252	1760	cmd.exe	Adventure.exe.pif
PID 1760 wrote to memory of 1252	1760	cmd.exe	Adventure.exe.pif
PID 1760 wrote to memory of 1252	1760	cmd.exe	Adventure.exe.pif
PID 1760 wrote to memory of 1168	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1168	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1168	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 1168	1760	cmd.exe	PING.EXE
PID 1484 wrote to memory of 1200	1484	cmd.exe	PING.EXE
PID 1484 wrote to memory of 1200	1484	cmd.exe	PING.EXE
PID 1484 wrote to memory of 1200	1484	cmd.exe	PING.EXE
PID 1484 wrote to memory of 1200	1484	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\dllhost.exe
dllhost vfrfgh ningggfdee
2⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Chrome.pdf & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
4⤵
PID:2028

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
4⤵
PID:1764

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^kuSBdsbDhZNHQD$" Chicago.pdf
4⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Adventure.exe.pif I
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1252

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:1168

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:1200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chicago.pdf
Filesize
924KB

MD5
aabe6813697af03369aa450bb4436f55

SHA1
6e2ab9fdebe157325f1e83318bfa502b83b164ad

SHA256
969066f1533d7f8295294934cae842d6e04bf995347a926f59eab567554699a1

SHA512
bc169c94564c22e40a446dd6c64de09f98bf09f6b0ec238ef252c29e1e2e9c10a0bef8cf8fca1192f5a7d4cd7afe4c4fa4597a3307b7c71916dda73d3fb2f188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chrome.pdf
Filesize
11KB

MD5
615333778325ed2e1d9deff0a5039a15

SHA1
40ab327c890707a9c9a5c2a10a6cdea8649a3341

SHA256
dc5bc0a06f4879eb547f8be95543452755fc4bd84725e6637b37fd541ca21c1e

SHA512
4359da53340dd931d38d268a7180f56c5ac1f88fe4e120dac7c13966a151f2d5d7331d9eeb5ee6d24bb4f3aa53f573bc3f7fe71e9eb148d8f808e0b2bb400b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Softball.pdf
Filesize
598KB

MD5
06fd6f511cf200e7732d6e39caaab63f

SHA1
b6215c6e20e9135743041559ef8d90f28ebbea5b

SHA256
62aa5a27b09fc6b8573fc9ab0f0d6a8aacb1f8b2323525a5592a773b008fcdb5

SHA512
57ecfbcd488136ab2adaca45cb7d2122275bdd7fc9b19bedaef5a06d45019b7a9a6b98e5f5f4df26e1cdd206552b38306bf4dd045bfdb7ab12224244f8a80d49

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adventure.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/1168-68-0x0000000000000000-mapping.dmp

Download
memory/1200-70-0x0000000000000000-mapping.dmp

Download
memory/1252-69-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1252-66-0x0000000000000000-mapping.dmp

Download
memory/1484-55-0x0000000000000000-mapping.dmp

Download
memory/1716-60-0x0000000000000000-mapping.dmp

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download
memory/1764-61-0x0000000000000000-mapping.dmp

Download
memory/1864-54-0x0000000000000000-mapping.dmp

Download
memory/1912-62-0x0000000000000000-mapping.dmp

Download
memory/2016-58-0x0000000000000000-mapping.dmp

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads