55108ea57f47939a336a8bed35d8be38509c3a88f120797e62ebdb2e025a49b8

General

Target

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Size

1.1MB
MD5

aedef5976cbed764e16089f0cd5b79e0
SHA1

a21cc8e454927fa878efb34491fdba1cd7ff90c7
SHA256

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
SHA512

c3e0066946bb2934b682d1cc7293822e57b2a8451e64150053c4e8c2bee76f14a3d7e11b2b77145f60e3479df5d0f25453cb2f776ecf5c2a9263e33c105d4d63
SSDEEP

24576:5Q+7rOqFARbKlkTPiZ/V2RdpldkWeaoF9pG5QqRtuAZ:5Q+7rOqF8bKuIULp7kWexte

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Grandi.exe.pif

description pid process target process

PID 1244 created 1248 1244 Grandi.exe.pif Explorer.EXE

description	pid	process	target process
PID 1244 created 1248	1244	Grandi.exe.pif	Explorer.EXE

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Grandi.exe.pif

pid process

1244 Grandi.exe.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe

pid	process
1244	Grandi.exe.pif

pid	process
432	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

728 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

460 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1436 PING.EXE
1736 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Grandi.exe.pif

pid process

1244 Grandi.exe.pif
1244 Grandi.exe.pif
1244 Grandi.exe.pif
1244 Grandi.exe.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 460 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Grandi.exe.pif

pid process

1244 Grandi.exe.pif
1244 Grandi.exe.pif
1244 Grandi.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Grandi.exe.pif

pid process

1244 Grandi.exe.pif
1244 Grandi.exe.pif
1244 Grandi.exe.pif

pid	process
728	schtasks.exe

pid	process
460	tasklist.exe

pid	process
1436	PING.EXE
1736	PING.EXE

pid	process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

description	pid	process
Token: SeDebugPrivilege	460	tasklist.exe

pid	process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

pid	process
1244	Grandi.exe.pif
1244	Grandi.exe.pif
1244	Grandi.exe.pif

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.execmd.execmd.exeGrandi.exe.pif

description	pid	process	target process
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 1304 wrote to memory of 1904	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 1304 wrote to memory of 304	1304	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 304 wrote to memory of 432	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 432	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 432	304	cmd.exe	cmd.exe
PID 304 wrote to memory of 432	304	cmd.exe	cmd.exe
PID 432 wrote to memory of 460	432	cmd.exe	tasklist.exe
PID 432 wrote to memory of 460	432	cmd.exe	tasklist.exe
PID 432 wrote to memory of 460	432	cmd.exe	tasklist.exe
PID 432 wrote to memory of 460	432	cmd.exe	tasklist.exe
PID 432 wrote to memory of 1312	432	cmd.exe	find.exe
PID 432 wrote to memory of 1312	432	cmd.exe	find.exe
PID 432 wrote to memory of 1312	432	cmd.exe	find.exe
PID 432 wrote to memory of 1312	432	cmd.exe	find.exe
PID 432 wrote to memory of 1992	432	cmd.exe	findstr.exe
PID 432 wrote to memory of 1992	432	cmd.exe	findstr.exe
PID 432 wrote to memory of 1992	432	cmd.exe	findstr.exe
PID 432 wrote to memory of 1992	432	cmd.exe	findstr.exe
PID 432 wrote to memory of 1244	432	cmd.exe	Grandi.exe.pif
PID 432 wrote to memory of 1244	432	cmd.exe	Grandi.exe.pif
PID 432 wrote to memory of 1244	432	cmd.exe	Grandi.exe.pif
PID 432 wrote to memory of 1244	432	cmd.exe	Grandi.exe.pif
PID 432 wrote to memory of 1436	432	cmd.exe	PING.EXE
PID 432 wrote to memory of 1436	432	cmd.exe	PING.EXE
PID 432 wrote to memory of 1436	432	cmd.exe	PING.EXE
PID 432 wrote to memory of 1436	432	cmd.exe	PING.EXE
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	cmd.exe
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	cmd.exe
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	cmd.exe
PID 1244 wrote to memory of 1576	1244	Grandi.exe.pif	cmd.exe
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	schtasks.exe
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	schtasks.exe
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	schtasks.exe
PID 1244 wrote to memory of 728	1244	Grandi.exe.pif	schtasks.exe
PID 304 wrote to memory of 1736	304	cmd.exe	PING.EXE
PID 304 wrote to memory of 1736	304	cmd.exe	PING.EXE
PID 304 wrote to memory of 1736	304	cmd.exe	PING.EXE
PID 304 wrote to memory of 1736	304	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
"C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
3⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Confusa.wp5 & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:1312

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NinSXkvlDSHtQcrcJOkLdmfruNxwOsNOWjYiRYKTwErNWmzxiFKRcYFhSxLpRxvjtToDvWDLrsKLcBiGxZToHVaYGKgvjBeGoRIrsPXkwZNrgTSshtPRAhFoApWMHinCftDESrfEeIiIifKMR$" Chiave.wp5
5⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif
Grandi.exe.pif X
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Mondo" /tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\KzmFiRkxPq.exe.com C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\k" /sc minute /mo 3 /F
6⤵
- Creates scheduled task(s)
PID:728

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\hgTEuEwmXC\XKQJgjogwBm.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url"
2⤵
- Drops startup file
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

1

T1057

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiave.wp5

Filesize
924KB

MD5
6e41cef95094d6cd62ccc384b49653b2

SHA1
990c782d8732d9b0e23d6de4f7bd2fa08ae571f3

SHA256
1efed630d1abb539b246eb664541c762e14dd676cdea4e2063328f6d832aedd2

SHA512
a9cc9e0ce439e60b1a56a3d9d574421676bedddf2da3b3a43844013ff7ab0c9068b29e9940584e2aa19f276f02daf0e960b9cd6a1a690bf93ed0efda5f7803c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confusa.wp5

Filesize
10KB

MD5
18c08f8da42aa0e34cc45c6f03220edb

SHA1
e150d1eba02d4ea0c7800872f2c3922d6686b930

SHA256
424565ebfca0ab2935e345c4a6e13ad75bf55d11f0997c59e3f1f5eea11d97b8

SHA512
9cf3205af5d1b6cfbcc0e04fed7b7d0de192dddbdeb6dfa12d1cf05adc1fc251e53bfd5ba69cc95adf323dce6ed2fe7b91359f2cd3797a172c1ce6b44e155d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.wp5

Filesize
1.6MB

MD5
4b443bbcf2e9f1c5868c901618632df4

SHA1
ef2973033ce11862227e5fa65a6fc53c45858519

SHA256
c8d782aceefd0d425e97f5c580b54ee7c18550245330d37ab8dba62152818352

SHA512
f9ce3cee530bccb2225bf5de90645b04a152cb99b0876a33db5ec003d07bf16c74105c7367a3e64f55902d59af44b2b890e2647a68026f5e12786eb8e70ed7ae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads