7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd14a25c3f6e6687a4de687d9d1a2b2a.exe
Size

1.2MB
MD5

bd14a25c3f6e6687a4de687d9d1a2b2a
SHA1

17b9cc38282e6e69e6525a8bb7184c0e80e9f148
SHA256

7c4f084abd9f7229ca5225a304a86f48d7dddf7ebce402f1200726ac77b5e292
SHA512

8329a3dd6b07c4ce60714335d947da65199ad796dc1f78ee5774ee4d90d26d7c125e3b4a76aa725b73fb8d11d7f06aaf20f8c0cc7c69b4196267f87b5554cc21
SSDEEP

24576:Y/B+Xb8N2E85odK3fTEpe0pFET+8A39c2fu:Ykrq7tbBpFZ8A62f

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Astronomy.pif

description pid process target process

PID 2764 created 1240 2764 Astronomy.pif Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

Astronomy.pifAstronomy.pif

pid process

2764 Astronomy.pif
1756 Astronomy.pif
Loads dropped DLL 2 IoCs

Processes:

cmd.exeAstronomy.pif

pid process

2408 cmd.exe
2764 Astronomy.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Astronomy.pif

description pid process target process

PID 2764 set thread context of 1756 2764 Astronomy.pif Astronomy.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2412 tasklist.exe
2688 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2860 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Astronomy.pif

pid process

2764 Astronomy.pif
2764 Astronomy.pif
2764 Astronomy.pif
2764 Astronomy.pif
2764 Astronomy.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2412 tasklist.exe
Token: SeDebugPrivilege 2688 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Astronomy.pif

pid process

2764 Astronomy.pif
2764 Astronomy.pif
2764 Astronomy.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Astronomy.pif

pid process

2764 Astronomy.pif
2764 Astronomy.pif
2764 Astronomy.pif

description	pid	process	target process
PID 2764 created 1240	2764	Astronomy.pif	Explorer.EXE

pid	process
2764	Astronomy.pif
1756	Astronomy.pif

pid	process
2408	cmd.exe
2764	Astronomy.pif

description	pid	process	target process
PID 2764 set thread context of 1756	2764	Astronomy.pif	Astronomy.pif

pid	process
2412	tasklist.exe
2688	tasklist.exe

pid	process
2860	PING.EXE

pid	process
2764	Astronomy.pif
2764	Astronomy.pif
2764	Astronomy.pif
2764	Astronomy.pif
2764	Astronomy.pif

description	pid	process
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe

pid	process
2764	Astronomy.pif
2764	Astronomy.pif
2764	Astronomy.pif

pid	process
2764	Astronomy.pif
2764	Astronomy.pif
2764	Astronomy.pif

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

bd14a25c3f6e6687a4de687d9d1a2b2a.execmd.execmd.exeAstronomy.pif

description	pid	process	target process
PID 1120 wrote to memory of 2288	1120	bd14a25c3f6e6687a4de687d9d1a2b2a.exe	cmd.exe
PID 1120 wrote to memory of 2288	1120	bd14a25c3f6e6687a4de687d9d1a2b2a.exe	cmd.exe
PID 1120 wrote to memory of 2288	1120	bd14a25c3f6e6687a4de687d9d1a2b2a.exe	cmd.exe
PID 1120 wrote to memory of 2288	1120	bd14a25c3f6e6687a4de687d9d1a2b2a.exe	cmd.exe
PID 2288 wrote to memory of 2408	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2408	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2408	2288	cmd.exe	cmd.exe
PID 2288 wrote to memory of 2408	2288	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2412	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2412	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2412	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2412	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2440	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2440	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2440	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2440	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2688	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2688	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2688	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2688	2408	cmd.exe	tasklist.exe
PID 2408 wrote to memory of 2708	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2708	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2708	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2708	2408	cmd.exe	findstr.exe
PID 2408 wrote to memory of 2852	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2852	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2852	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2852	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2060	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2060	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2060	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2060	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2692	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2692	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2692	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2692	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 2764	2408	cmd.exe	Astronomy.pif
PID 2408 wrote to memory of 2764	2408	cmd.exe	Astronomy.pif
PID 2408 wrote to memory of 2764	2408	cmd.exe	Astronomy.pif
PID 2408 wrote to memory of 2764	2408	cmd.exe	Astronomy.pif
PID 2408 wrote to memory of 2860	2408	cmd.exe	PING.EXE
PID 2408 wrote to memory of 2860	2408	cmd.exe	PING.EXE
PID 2408 wrote to memory of 2860	2408	cmd.exe	PING.EXE
PID 2408 wrote to memory of 2860	2408	cmd.exe	PING.EXE
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif
PID 2764 wrote to memory of 1756	2764	Astronomy.pif	Astronomy.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\bd14a25c3f6e6687a4de687d9d1a2b2a.exe
"C:\Users\Admin\AppData\Local\Temp\bd14a25c3f6e6687a4de687d9d1a2b2a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Junction & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
5⤵
PID:2440

C:\Windows\SysWOW64\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
5⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 26948
5⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Psychiatry + Funk + Sacramento + Intervals + Enforcement 26948\Astronomy.pif
5⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Setting 26948\F
5⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif
26948\Astronomy.pif 26948\F
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:2860

C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif
C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif
2⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\26948\F

Filesize
449KB

MD5
ba83d38a0adf711cb94fcd4a45657d5f

SHA1
c6e6de677df75aed866125c7b93eadf2100d1936

SHA256
d97cc8b0653b88bc518bcc904685da59163c4fb17dc91ace555069836997a4ca

SHA512
7626d3fed28f2cc67c1a02d99eb6aa927eb66210027514f059d819446365e90e53635793d7402a55ffbf44d9eb2a6b0ff087367acd45f6c3f5199f003ae06259

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Enforcement

Filesize
44KB

MD5
8253c81be2a4864b7bae43c00b61f0f5

SHA1
373808f60b5e5896cc534ddfbb966d5f4980ba13

SHA256
173356977a8d83074515ea593956f84ff031556cdf170d5f552f71b75baefb5a

SHA512
e83a057f89a1f3c5fd9f2d4eb712fd36300f13ea8459ce015cdfdc24580b0fb84f26989c08d0cd01e973b8058cc08f6d8625d10c7a52ea9d2cb0c5ab70d33e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Funk

Filesize
226KB

MD5
5aa53cb218b6c28b3a3c4124771c8d78

SHA1
5332e9e34ef23a83c895c0b5a0dcd0a5ed18e79a

SHA256
a1b4eb62d932dd8a679ddccca026df42c00b6c91f7e8813c9f53c8a5a9478cf5

SHA512
a613069ddf591d7410809d3af519c54120e6fdc9faa4b0b55fcb58518f416dffe25c2207cfe2bc723107d68384299371189c2eeba030850803786071ec5f312a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Intervals

Filesize
271KB

MD5
7bfecdf8b563d37dfe71b9f144dc1993

SHA1
6ab106269d46cb4b0a18c8fa7dbf419592361e40

SHA256
b2de3ed1f54f0b1409275a4c8295f8b5110f23e4c2c475dfc7b77370c9f690a7

SHA512
2625ec7ad62d9d2ac1caf199e3ab20c81944598876eb71e211841d1489c6071e907628898f38ccae173eb0a9428dcd408a146dcd3013f7e61d791ed425786b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Junction

Filesize
13KB

MD5
01e93a141983abeb0734e580f8739042

SHA1
ec552847d63b07d05deffff5582d82a66710c96e

SHA256
0f635b7688b6f1a0ce764185fb9f4af16f7a5e23b4303687a0e097cb000c578b

SHA512
681c25307507c11a68ad7522b0dcff7c5f492a2eef1d148a283e7f103021bc3477b7d9380216b67e082dc5e822ddc3f958aaed2e64914a199701a11273a6abbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Psychiatry

Filesize
276KB

MD5
f447a9ddfcfa99aa8aa6ddc4cd7d98fd

SHA1
d98813565010c5ce4f8d8a7a33d2a4ea12a3c722

SHA256
811fe96663822b028e92c1873a8fe0c284933f505c5433819f0fa35834975981

SHA512
74230b3b43658d4a44245538831de03b46cf14de67fe64b7f011d788da6f01c987a6da9ef989f7bcf4e21f6c7354f022c7b0605bd853b71f4a9b24171137f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Sacramento

Filesize
107KB

MD5
19ec722f90e1d644d5757140e5107514

SHA1
c716168b370f6876afb001a6408993bb0de6904a

SHA256
b98ea4826075c94e8f372596551b3be7fee343994747587e29fbb32982774f8c

SHA512
6836bec9083d468cd867aca964f0e4799f46982b88c8eaff2676bced0f2e50d1f8b80b6e61b4bb4810bb545fd2bf81b21c173dcab8e73dca50fc2f09fbb05455

Download Submit
C:\Users\Admin\AppData\Local\Temp\17972\Setting

Filesize
449KB

MD5
ba83d38a0adf711cb94fcd4a45657d5f

SHA1
c6e6de677df75aed866125c7b93eadf2100d1936

SHA256
d97cc8b0653b88bc518bcc904685da59163c4fb17dc91ace555069836997a4ca

SHA512
7626d3fed28f2cc67c1a02d99eb6aa927eb66210027514f059d819446365e90e53635793d7402a55ffbf44d9eb2a6b0ff087367acd45f6c3f5199f003ae06259

Download Submit
\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\17972\26948\Astronomy.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/1120-22-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/1120-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2764-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download