Analysis
  max time kernel: 145s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 03-02-2024 03:52

  Static task: static1
  Behavioral task: behavioral1
    Sample: 8b535835648e9b123abe3bc278419349.exe
    Resource: win7-20231215-en
  Behavioral task: behavioral2
    Sample: 8b535835648e9b123abe3bc278419349.exe
    Resource: win10v2004-20231222-en
General
  Target: 8b535835648e9b123abe3bc278419349.exe
  Size: 1.2MB
  MD5: 8b535835648e9b123abe3bc278419349
  SHA1: 0650bacf01e9f3e41be961f2ee9b4eb661e064a0
  SHA256: f148ce48975a10fab19af13adbaadb5a8dc6b737fe3c13a5a5e2d8b53f59b72f
  SHA512: 023892b6b4fff0f6ce23a42132e37dc624d445417d31d307fba3e8f92f4f047fbfb2c77d59260a16136bed2e5d19ee87e5142a1c98515c1bd622272f7225e54f
  SSDEEP: 24576:aQCxw3cNf8dX1B5GhIviV81pTXSg/vVDlIBPWjlryy7zcivN:aQi5f8dlLGC6G/TXJli4jlh7zzl
Malware Config
Signatures

- Manipulates Digital Signatures (1 TTP, 3 IoCs)
  Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
  Processes:
    certutil.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"
    certutil.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"
    certutil.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"
  Note: all three writes come from the certutil.exe -decode steps in the process tree below. certutil populating OID names under CryptDllFindOIDInfo when it loads is a routine side effect of running the tool at all, so this hit is not by itself evidence of signature tampering; the certutil -decode calls (base64-decoding Popolato.swf into Illusione.xps and Turba.csv into W) are the more useful indicator.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4816  Tu.com
    PID 3292  Tu.com
    PID 380   Tu.com

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    8b535835648e9b123abe3bc278419349.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Note: the wextract_cleanup0 RunOnce entry and the IXP000.TMP extraction folder are what a Windows self-extracting (IExpress/wextract) package creates; the entry deletes the temp folder on next logon rather than re-launching the payload, so it identifies the dropper format but carries little persistence weight on its own.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3292 (Tu.com) set thread context of PID 380 (Tu.com)

- Program crash (1 IoC)
  Processes:
    PID 2784 WerFault.exe  target PID 380 (Tu.com)

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (each recorded write is one IoC; identical rows are collapsed with a count):
    Source PID  Source process                        Target PID  Target process  Count
    1688        8b535835648e9b123abe3bc278419349.exe  2012        cmd.exe         3
    1688        8b535835648e9b123abe3bc278419349.exe  2020        cmd.exe         3
    2020        cmd.exe                               3736        certutil.exe    3
    2020        cmd.exe                               4136        cmd.exe         3
    4136        cmd.exe                               2268        findstr.exe     3
    4136        cmd.exe                               556         certutil.exe    3
    4136        cmd.exe                               4816        Tu.com          3
    4136        cmd.exe                               4024        PING.EXE        3
    4816        Tu.com                                3292        Tu.com          3
    3292        Tu.com                                380         Tu.com          5
Processes
(Indentation shows parent/child. PIDs are taken from the WriteProcessMemory IoC table above; the two cmd.exe children of PID 1688 are matched to 2012 and 2020 in the order that table lists them.)

  C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe  (PID 1688)
    "C:\Users\Admin\AppData\Local\Temp\8b535835648e9b123abe3bc278419349.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 2012)
      cmd /c izXS
    C:\Windows\SysWOW64\cmd.exe  (PID 2020)
      cmd /c certutil -decode Popolato.swf Illusione.xps & cmd < Illusione.xps
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\certutil.exe  (PID 3736)
        certutil -decode Popolato.swf Illusione.xps
        - Manipulates Digital Signatures
      C:\Windows\SysWOW64\cmd.exe  (PID 4136)
        cmd
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\findstr.exe  (PID 2268)
          findstr /V /R "^UOpoEgaVehXLEkHGsAIAKQwrPZk$" Dai.vstm
        C:\Windows\SysWOW64\certutil.exe  (PID 556)
          certutil -decode Turba.csv W
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com  (PID 4816)
          Tu.com W
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com  (PID 3292)
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com W
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com  (PID 380)
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
              - Executes dropped EXE
              C:\Windows\SysWOW64\WerFault.exe  (PID 2784)
                C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 12
                - Program crash
        C:\Windows\SysWOW64\PING.EXE  (PID 4024)
          ping 127.0.0.1 -n 30
          - Runs ping.exe
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 380
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dai.vstm
    Filesize: 921KB
    MD5: 35fde30343a8651ad541e796d764a052
    SHA1: 66b2c2b29f3f666ed4b290e7e48650cb4b20e303
    SHA256: 0ece2aec545f79a310010bf1b36dad830944f8f089afee9141cd260f95c36b59
    SHA512: 3aa2f31d1525867ccedb7161a9647c9d275fc61f58cd31599e05ae2dda0643f3b5b7234c61f260d583a74b17eaecbceb2e3e4b6a6a386b164c9bbf1d2b9a38b4
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.xps
    Filesize: 27KB
    MD5: 2b7d94cc6c10c0bdf0a6680991672fa7
    SHA1: 0929b3d2134cc6abe27b32fa08eb3a80c7200cb3
    SHA256: d09840fa762fcaf5c48eec88bc04bcfa974613402cd43493e7d516438a0cc5bd
    SHA512: 931dca24d63521a427c0f30fcf97c32a72244b09ac8d4ca5a949ff1e85280f685381ab273fdc2d6413869044a2590930b7b166752a352513a7da7f9ff02448b2
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Infinita.flv
    Filesize: 235KB
    MD5: c4e07c0bfe2859c8ff06a483545792e6
    SHA1: 1456bbcd34f0e912106a80bdffc61c5a4f6dc50f
    SHA256: 8cee33a6f40743340b93c2f175f4beed55f878f1e9fb00b7478ee0b1e73528df
    SHA512: 15d30aecdb96fd4510fec7b7d93d967bef7ad7ea1ee3094b7d80e6ce7476a1591afb32d7fb6328bee3aa8db4d36c3f118a96f1716697647cc7d6bad31a02067b
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Popolato.swf
    Filesize: 38KB
    MD5: 617289b98bf0f2b52f3b16654dc2c568
    SHA1: 0b59918c027484c0ad4263ccccde302eb6d656fd
    SHA256: 842b71b2a95c233fed224119e4dc66eed3f03c2ea35e90e8a90617529c04806e
    SHA512: 7dec44be174fbd5114d557f62600dc1522bc1ee6e036fc163b6bed9ef665ea83b6bff6725617eedb344966a6b390dfff3958e63866016cc14fbfdf0374368f63
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tu.com
    Filesize: 921KB
    MD5: 78ba0653a340bac5ff152b21a83626cc
    SHA1: b12da9cb5d024555405040e65ad89d16ae749502
    SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
    SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turba.csv
    Filesize: 910KB
    MD5: 5d61882d714cd3e72f6b2ca2d88a456f
    SHA1: 85315e2ad09edb0051062c929c7d966589ac8340
    SHA256: fa783d9734141a1a55d08299f3a92e5b75645b2ad979ec005df47730f53ff50a
    SHA512: 9c4450a04526990455850f94bc140aafd439657f3acecaefd826cdc579e47bad91e00c64dba7ca5f8726a36195579489283bfdd6f7e9fc0ff9fd40ef88731291
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W
    Filesize: 661KB
    MD5: 0e10494978a9abfb9c454abf2a8b48b7
    SHA1: 04c1c65e8f3a5b8b21beee53f87e661ee4d7f4fa
    SHA256: 0cb9656846770fa2f1c6c279d762e3b5a2dd68c18d972982c2ee075d6d7f62b1
    SHA512: 742b8a3a01ef8a3299d72e049f2f8556b7e89ec8ca71298293e52f5b9bb21cfc4d06fc083db7dc49f6df930d50121ac7f28c288c2673aef5fc95348f29d21acf
  memory/380-24-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  memory/380-28-0x00000000003D0000-0x00000000003D0000-memory.dmp
  memory/3292-23-0x00000000003A0000-0x00000000003A1000-memory.dmp
    Filesize: 4KB