55108ea57f47939a336a8bed35d8be38509c3a88f120797e62ebdb2e025a49b8

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Size

1.1MB
MD5

aedef5976cbed764e16089f0cd5b79e0
SHA1

a21cc8e454927fa878efb34491fdba1cd7ff90c7
SHA256

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
SHA512

c3e0066946bb2934b682d1cc7293822e57b2a8451e64150053c4e8c2bee76f14a3d7e11b2b77145f60e3479df5d0f25453cb2f776ecf5c2a9263e33c105d4d63
SSDEEP

24576:5Q+7rOqFARbKlkTPiZ/V2RdpldkWeaoF9pG5QqRtuAZ:5Q+7rOqF8bKuIULp7kWexte

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1244 created 1248	1244	Grandi.exe.pif	16

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	Grandi.exe.pif

Loads dropped DLL 1 IoCs

pid	Process
432	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
728	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
460	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE
1736	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	27
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	27
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	27
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	27
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	28
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	28
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	28
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	28
PID 304 wrote to memory of 432	304	cmd.exe	30
PID 304 wrote to memory of 432	304	cmd.exe	30
PID 304 wrote to memory of 432	304	cmd.exe	30
PID 304 wrote to memory of 432	304	cmd.exe	30
PID 432 wrote to memory of 460	432	cmd.exe	31
PID 432 wrote to memory of 460	432	cmd.exe	31
PID 432 wrote to memory of 460	432	cmd.exe	31
PID 432 wrote to memory of 460	432	cmd.exe	31
PID 432 wrote to memory of 1312	432	cmd.exe	32
PID 432 wrote to memory of 1312	432	cmd.exe	32
PID 432 wrote to memory of 1312	432	cmd.exe	32
PID 432 wrote to memory of 1312	432	cmd.exe	32
PID 432 wrote to memory of 1992	432	cmd.exe	34
PID 432 wrote to memory of 1992	432	cmd.exe	34
PID 432 wrote to memory of 1992	432	cmd.exe	34
PID 432 wrote to memory of 1992	432	cmd.exe	34
PID 432 wrote to memory of 1244	432	cmd.exe	35
PID 432 wrote to memory of 1244	432	cmd.exe	35
PID 432 wrote to memory of 1244	432	cmd.exe	35
PID 432 wrote to memory of 1244	432	cmd.exe	35
PID 432 wrote to memory of 1436	432	cmd.exe	36
PID 432 wrote to memory of 1436	432	cmd.exe	36
PID 432 wrote to memory of 1436	432	cmd.exe	36
PID 432 wrote to memory of 1436	432	cmd.exe	36
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	37
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	37
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	37
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	37
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	39
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	39
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	39
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	39
PID 304 wrote to memory of 1736	304	cmd.exe	41
PID 304 wrote to memory of 1736	304	cmd.exe	41
PID 304 wrote to memory of 1736	304	cmd.exe	41
PID 304 wrote to memory of 1736	304	cmd.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
  "C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\TapiUnattend.exe
    TapiUnattend
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Confusa.wp5 & ping -n 5 localhost
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:460
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^NinSXkvlDSHtQcrcJOkLdmfruNxwOsNOWjYiRYKTwErNWmzxiFKRcYFhSxLpRxvjtToDvWDLrsKLcBiGxZToHVaYGKgvjBeGoRIrsPXkwZNrgTSshtPRAhFoApWMHinCftDESrfEeIiIifKMR$" Chiave.wp5
        5⤵
        
        PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif
        
        Grandi.exe.pif X
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Mondo" /tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\KzmFiRkxPq.exe.com C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\k" /sc minute /mo 3 /F
        6⤵
        Creates scheduled task(s)
        
        PID:728
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 5
        5⤵
        Runs ping.exe
        
        PID:1436
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\hgTEuEwmXC\XKQJgjogwBm.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url"
  2⤵
  - Drops startup file
  PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiave.wp5

Filesize
924KB

MD5
6e41cef95094d6cd62ccc384b49653b2

SHA1
990c782d8732d9b0e23d6de4f7bd2fa08ae571f3

SHA256
1efed630d1abb539b246eb664541c762e14dd676cdea4e2063328f6d832aedd2

SHA512
a9cc9e0ce439e60b1a56a3d9d574421676bedddf2da3b3a43844013ff7ab0c9068b29e9940584e2aa19f276f02daf0e960b9cd6a1a690bf93ed0efda5f7803c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confusa.wp5

Filesize
10KB

MD5
18c08f8da42aa0e34cc45c6f03220edb

SHA1
e150d1eba02d4ea0c7800872f2c3922d6686b930

SHA256
424565ebfca0ab2935e345c4a6e13ad75bf55d11f0997c59e3f1f5eea11d97b8

SHA512
9cf3205af5d1b6cfbcc0e04fed7b7d0de192dddbdeb6dfa12d1cf05adc1fc251e53bfd5ba69cc95adf323dce6ed2fe7b91359f2cd3797a172c1ce6b44e155d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.wp5

Filesize
1.6MB

MD5
4b443bbcf2e9f1c5868c901618632df4

SHA1
ef2973033ce11862227e5fa65a6fc53c45858519

SHA256
c8d782aceefd0d425e97f5c580b54ee7c18550245330d37ab8dba62152818352

SHA512
f9ce3cee530bccb2225bf5de90645b04a152cb99b0876a33db5ec003d07bf16c74105c7367a3e64f55902d59af44b2b890e2647a68026f5e12786eb8e70ed7ae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit