Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 18:37
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
  Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
Size: 965KB
MD5: ff36088c0ded85dbc225f0913cf67a7b
SHA1: c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512: 473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP: 24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: Combines.pif (PID 2636)
- Loads dropped DLL (5 IoCs)
  Processes: cmd.exe (PID 2768); WerFault.exe (PID 2860, 4 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Program crash (1 IoC)
  Process: WerFault.exe (PID 2860), target process: Combines.pif (PID 2636)
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: tasklist.exe (PID 2688); tasklist.exe (PID 2844)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Process: Combines.pif (PID 2636, 3 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: tasklist.exe (PID 2688), Token: SeDebugPrivilege; tasklist.exe (PID 2844), Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Process: Combines.pif (PID 2636, 3 IoCs)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Process: Combines.pif (PID 2636, 3 IoCs)
- Suspicious use of WriteProcessMemory (48 IoCs)
  Source process -> target process (each pair is recorded four times in the report):
    PID 2292 SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe -> PID 2756 TapiUnattend.exe
    PID 2292 SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe -> PID 2768 cmd.exe
    PID 2768 cmd.exe -> PID 2688 tasklist.exe
    PID 2768 cmd.exe -> PID 2696 findstr.exe
    PID 2768 cmd.exe -> PID 2844 tasklist.exe
    PID 2768 cmd.exe -> PID 2744 findstr.exe
    PID 2768 cmd.exe -> PID 2700 cmd.exe
    PID 2768 cmd.exe -> PID 2212 cmd.exe
    PID 2768 cmd.exe -> PID 2556 cmd.exe
    PID 2768 cmd.exe -> PID 2636 Combines.pif
    PID 2768 cmd.exe -> PID 632 PING.EXE
    PID 2636 Combines.pif -> PID 2860 WerFault.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe (PID 2292)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\TapiUnattend.exe (PID 2756)
        Command line: TapiUnattend.exe
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2768)
        Command line: cmd /k move Ward Ward.bat & Ward.bat & exit
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\tasklist.exe (PID 2688)
            Command line: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\findstr.exe (PID 2696)
            Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        [3] C:\Windows\SysWOW64\tasklist.exe (PID 2844)
            Command line: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\findstr.exe (PID 2744)
            Command line: findstr /I "wrsa.exe opssvc.exe"
        [3] C:\Windows\SysWOW64\cmd.exe (PID 2700)
            Command line: cmd /c md 16830
        [3] C:\Windows\SysWOW64\cmd.exe (PID 2212)
            Command line: cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 16830\Combines.pif
        [3] C:\Windows\SysWOW64\cmd.exe (PID 2556)
            Command line: cmd /c copy /b Forests + Baghdad + Disable 16830\p
        [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif (PID 2636)
            Command line: 16830\Combines.pif 16830\p
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WerFault.exe (PID 2860)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 508
                - Loads dropped DLL
                - Program crash
        [3] C:\Windows\SysWOW64\PING.EXE (PID 632)
            Command line: ping -n 5 localhost
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads