621b28440d4dc9ea07cf3a81589b36edc971232d40a03569cfef5f4e2293d321

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e876c02af84b153315d9328d032cbf.exe
Size

1.0MB
MD5

66e876c02af84b153315d9328d032cbf
SHA1

796bdd4a6789d2bbd1f70f26f3ff7dbfc11770f8
SHA256

621b28440d4dc9ea07cf3a81589b36edc971232d40a03569cfef5f4e2293d321
SHA512

9dabbe12c8fef6a6822ee93891bbe51800047c2563a177562ffd203a0da7bbc858af6395a3cc2730ae7f43cac8d3d3c8c5408a9a2c307fe317a21e3b16f8f1e0
SSDEEP

24576:zLgk1ZgKHLy5k33Pra5mlVrk4l6Bsfi9gE721wCc8xQuMdIFtWatp:Pp1ZgKHWwjy+B6yfi+Ey1/bxmdop

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
49	1828	WScript.exe
53	1828	WScript.exe
55	1828	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	All.exe.com

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	qoit.exe

Executes dropped EXE 5 IoCs

pid	Process
1732	qoit.exe
5040	retook.exe
4856	All.exe.com
2884	All.exe.com
1520	SmartClock.exe

Loads dropped DLL 1 IoCs

pid	Process
4672	66e876c02af84b153315d9328d032cbf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	retook.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	66e876c02af84b153315d9328d032cbf.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	66e876c02af84b153315d9328d032cbf.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	66e876c02af84b153315d9328d032cbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2016	1732	WerFault.exe	87
3444	1732	WerFault.exe	87
1920	1732	WerFault.exe	87
3996	1520	WerFault.exe	109
4092	1520	WerFault.exe	109

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	All.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	All.exe.com

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	All.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2540	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1520	SmartClock.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4856	All.exe.com
4856	All.exe.com
4856	All.exe.com
2884	All.exe.com
2884	All.exe.com
2884	All.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4856	All.exe.com
4856	All.exe.com
4856	All.exe.com
2884	All.exe.com
2884	All.exe.com
2884	All.exe.com

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 1732	4672	66e876c02af84b153315d9328d032cbf.exe	87
PID 4672 wrote to memory of 1732	4672	66e876c02af84b153315d9328d032cbf.exe	87
PID 4672 wrote to memory of 1732	4672	66e876c02af84b153315d9328d032cbf.exe	87
PID 4672 wrote to memory of 5040	4672	66e876c02af84b153315d9328d032cbf.exe	88
PID 4672 wrote to memory of 5040	4672	66e876c02af84b153315d9328d032cbf.exe	88
PID 4672 wrote to memory of 5040	4672	66e876c02af84b153315d9328d032cbf.exe	88
PID 5040 wrote to memory of 4496	5040	retook.exe	89
PID 5040 wrote to memory of 4496	5040	retook.exe	89
PID 5040 wrote to memory of 4496	5040	retook.exe	89
PID 5040 wrote to memory of 1528	5040	retook.exe	90
PID 5040 wrote to memory of 1528	5040	retook.exe	90
PID 5040 wrote to memory of 1528	5040	retook.exe	90
PID 1528 wrote to memory of 3388	1528	cmd.exe	92
PID 1528 wrote to memory of 3388	1528	cmd.exe	92
PID 1528 wrote to memory of 3388	1528	cmd.exe	92
PID 3388 wrote to memory of 4408	3388	cmd.exe	93
PID 3388 wrote to memory of 4408	3388	cmd.exe	93
PID 3388 wrote to memory of 4408	3388	cmd.exe	93
PID 3388 wrote to memory of 4856	3388	cmd.exe	94
PID 3388 wrote to memory of 4856	3388	cmd.exe	94
PID 3388 wrote to memory of 4856	3388	cmd.exe	94
PID 3388 wrote to memory of 2540	3388	cmd.exe	95
PID 3388 wrote to memory of 2540	3388	cmd.exe	95
PID 3388 wrote to memory of 2540	3388	cmd.exe	95
PID 4856 wrote to memory of 2884	4856	All.exe.com	96
PID 4856 wrote to memory of 2884	4856	All.exe.com	96
PID 4856 wrote to memory of 2884	4856	All.exe.com	96
PID 1732 wrote to memory of 1520	1732	qoit.exe	109
PID 1732 wrote to memory of 1520	1732	qoit.exe	109
PID 1732 wrote to memory of 1520	1732	qoit.exe	109
PID 2884 wrote to memory of 1828	2884	All.exe.com	115
PID 2884 wrote to memory of 1828	2884	All.exe.com	115
PID 2884 wrote to memory of 1828	2884	All.exe.com	115

C:\Users\Admin\AppData\Local\Temp\66e876c02af84b153315d9328d032cbf.exe
"C:\Users\Admin\AppData\Local\Temp\66e876c02af84b153315d9328d032cbf.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe
  "C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 652
    3⤵
    - Program crash
    PID:2016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 844
    3⤵
    - Program crash
    PID:3444
- - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 556
      4⤵
      Program crash
      PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 600
      4⤵
      Program crash
      PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 968
    3⤵
    - Program crash
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe
  "C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\dllhost.exe
    dllhost.exe
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Molta.wbk
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^yNmEqrPOypxBlVnuFemmfzGnSPBDoxoqgOjuQxEteLTSbEtnlUplDSaMuqLlBkGLqxjvJsflnxbEmOwhKrzgkYbccmZQIzCQyoReaIOSFYMocOhaZnAnSameXQqpsn$" Bel.wbk
        5⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
        
        All.exe.com g
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com g
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vlvmwqmhyb.vbs"
        7⤵
        Blocklisted process makes network request
        
        PID:1828
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping NUPNSVML
        5⤵
        Runs ping.exe
        
        PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1732 -ip 1732
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1732 -ip 1732
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1732 -ip 1732
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1520 -ip 1520
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1520 -ip 1520
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\687A.tmp

Filesize
313B

MD5
bee55e52500f967c3d9402e05dd57f65

SHA1
d8dc65ec97c6288e1fd10b8c4f8502e5a8a5bbf6

SHA256
b90eae4b05d321efc4519963349c1775dcea8e3b0ae53b50285545380b6539c0

SHA512
b8624a934fb74760f5b231ca97e89074b227ad9fe3bb08b01a81cf35760f06b346f395cf6683df5881dc429ae77af0d0a07cfeb9c9ec127e4e917191bf8c91da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\All.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.wbk

Filesize
872KB

MD5
1e682e599f4aee63bc7a6594c7a36d99

SHA1
5b41ba7adf84b3a67d4195510ab1c8ff8d10bfc0

SHA256
619566d38849874a55c135ef9280cdce0df5eb05e32e576c03bf35c01241687c

SHA512
51f4ce897f065b21712b5f4f92f24013d0877f1b3c39dfd7ef9802c1875401daedbfc44841fa7f58a6e688b803bcbd85c8eee4b629516eee07f6842ab00c12be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Molta.wbk

Filesize
466B

MD5
5c8a283903791aa4630e516bade66942

SHA1
757539d1ff447dd52394504342ac4362b68d3196

SHA256
fea27f988519d41f6dd26187176a859f471ec4ea2c2441d8e1dfc614535cece1

SHA512
95b990630d6568259b0102a6ae7b654a43eee84388a2122556841a02e5a420ec3d625d296682511ca864efae89e620733a0ce1464f8d361baa4391b291044f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorridente.wbk

Filesize
728KB

MD5
3724b076bf6b9eebc2631078bb834f25

SHA1
37d11b1d24a2b4b142429b0bd30cc3dab6ee77d1

SHA256
17dd3ff72ea87c9c9b9979e4b3aa9590d0b55ef75a82b7377aeef5cdda9dddec

SHA512
7df150f4a05b10ed04aac02575c4b504ca3a564cf1bba93ff901a2fee1feb49bbd9378cee26e9eba2ffa9259a5d78a6252d350f276b494b6174e16d8b3915432

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl147E.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventil\qoit.exe

Filesize
197KB

MD5
4a5f97f2d4ba48afb818f4cf45815c7d

SHA1
eea689be8c284615b6a5e68627963392f93f508a

SHA256
086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68

SHA512
b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventil\retook.exe

Filesize
922KB

MD5
c81501a4fd4475596ea7af32f4912f72

SHA1
e3a9bd5bc49515f574fc8b66ef2990354aba033b

SHA256
f132a441aa9375dfef0765646f60934d2b95feeb929246272df2beba61787008

SHA512
aaad0a4f28e6a19ff0a201f86f889ad1462304288ff0b0fda29a54c0b28f2a67e1ae733118cff51d39a68cbf3513938918cdd80c4f88e8bc0ae6da1fe9c9b5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlvmwqmhyb.vbs

Filesize
145B

MD5
35265e963af6f28b5da5745224700ab5

SHA1
dfab66a670259acc9ee1b13df714be142c9bd932

SHA256
91753bbf36b9a2878d307dbf7a2c0e13df9a0d32fa0ebab5840bf1d18336c22c

SHA512
b5d865a71695747067bfa11ebafd57ffca1d151c1c45f4dbaf108cad73ce1457c26856456b1130d0efa9c2a05950f8e2dd7489fe4e72d1522f2b310640d4f648

Download Submit
memory/1520-81-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1520-66-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/1520-65-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1732-60-0x0000000002F50000-0x0000000002F76000-memory.dmp

Filesize
152KB

Download
memory/1732-43-0x0000000002FB0000-0x00000000030B0000-memory.dmp

Filesize
1024KB

Download
memory/1732-44-0x0000000002F50000-0x0000000002F76000-memory.dmp

Filesize
152KB

Download
memory/1732-47-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/1732-59-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/2884-45-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-42-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-41-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-40-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-39-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-71-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-38-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download
memory/2884-37-0x0000000003E20000-0x0000000003E47000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads