d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
Size

965KB
MD5

ff36088c0ded85dbc225f0913cf67a7b
SHA1

c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512

473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP

24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Combines.pif

pid process

2636 Combines.pif
Loads dropped DLL 5 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2768 cmd.exe
2860 WerFault.exe
2860 WerFault.exe
2860 WerFault.exe
2860 WerFault.exe

pid	process
2636	Combines.pif

pid	process
2768	cmd.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2860 2636 WerFault.exe Combines.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2688 tasklist.exe
2844 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

632 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Combines.pif

pid process

2636 Combines.pif
2636 Combines.pif
2636 Combines.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2688 tasklist.exe
Token: SeDebugPrivilege 2844 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Combines.pif

pid process

2636 Combines.pif
2636 Combines.pif
2636 Combines.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Combines.pif

pid process

2636 Combines.pif
2636 Combines.pif
2636 Combines.pif

pid	pid_target	process	target process
2860	2636	WerFault.exe	Combines.pif

pid	process
2688	tasklist.exe
2844	tasklist.exe

pid	process
632	PING.EXE

pid	process
2636	Combines.pif
2636	Combines.pif
2636	Combines.pif

description	pid	process
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	2844	tasklist.exe

pid	process
2636	Combines.pif
2636	Combines.pif
2636	Combines.pif

pid	process
2636	Combines.pif
2636	Combines.pif
2636	Combines.pif

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

SecuriteInfo.com.Win32.Malware-gen.5981.9189.execmd.exeCombines.pif

description	pid	process	target process
PID 2292 wrote to memory of 2756	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	TapiUnattend.exe
PID 2292 wrote to memory of 2756	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	TapiUnattend.exe
PID 2292 wrote to memory of 2756	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	TapiUnattend.exe
PID 2292 wrote to memory of 2756	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	TapiUnattend.exe
PID 2292 wrote to memory of 2768	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	cmd.exe
PID 2292 wrote to memory of 2768	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	cmd.exe
PID 2292 wrote to memory of 2768	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	cmd.exe
PID 2292 wrote to memory of 2768	2292	SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe	cmd.exe
PID 2768 wrote to memory of 2688	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2688	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2688	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2688	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2696	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2844	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2844	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2844	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2844	2768	cmd.exe	tasklist.exe
PID 2768 wrote to memory of 2744	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2744	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2744	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2744	2768	cmd.exe	findstr.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2212	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2212	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2212	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2212	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2556	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2556	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2556	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2556	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 2636	2768	cmd.exe	Combines.pif
PID 2768 wrote to memory of 2636	2768	cmd.exe	Combines.pif
PID 2768 wrote to memory of 2636	2768	cmd.exe	Combines.pif
PID 2768 wrote to memory of 2636	2768	cmd.exe	Combines.pif
PID 2768 wrote to memory of 632	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 632	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 632	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 632	2768	cmd.exe	PING.EXE
PID 2636 wrote to memory of 2860	2636	Combines.pif	WerFault.exe
PID 2636 wrote to memory of 2860	2636	Combines.pif	WerFault.exe
PID 2636 wrote to memory of 2860	2636	Combines.pif	WerFault.exe
PID 2636 wrote to memory of 2860	2636	Combines.pif	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend.exe
2⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /k move Ward Ward.bat & Ward.bat & exit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:2696

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd /c md 16830
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 16830\Combines.pif
3⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Forests + Baghdad + Disable 16830\p
3⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif
16830\Combines.pif 16830\p
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 508
4⤵
- Loads dropped DLL
- Program crash
PID:2860

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif

Filesize
352KB

MD5
52fdcc6257df74b280ab474e2981b342

SHA1
b0a1dad3915f04391c67faa762cab32df21b655c

SHA256
a7e7eaf50bcf21cf726aac26d318a74e6b4ef7366ed0cad0e499c3c2eb112c43

SHA512
c2ddaeeac1cb3c82d270a2a936bb247ca0fbe01b25b0e429be11adceabbaac0e571375fe53197dfaa110c17c001980266fb3bc4c0ecaa2408116430588e35639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif

Filesize
85KB

MD5
1b64e9ae3b5dc4ae2dff869bbf712185

SHA1
1d6ceea76c55b72f243f04521066e4682e302703

SHA256
e19b61729426639082cbab4b01bb57a147c2f5351766c0279daf04756c98a7c9

SHA512
b534f7a51bead489fb792cd79052cbe7b1fd1500ba72c5e3e74b19881b7ec3f44e3a6d9f3422bb2c14d3be8544fcee4515fd6b1e62487fc4898953d479103d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\p

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Advance

Filesize
174KB

MD5
a0d348d48f9389555698870e0642645f

SHA1
39e60d06152c6966f50a57ae3f7fef9b991c710b

SHA256
3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86

SHA512
3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Baghdad

Filesize
414KB

MD5
ec0b3ec727520f56a6741f4569153b38

SHA1
7cb01894370bde7ce3a38a478370e3db79b30904

SHA256
bc65c7156dc2b09677840833e64b99d28ac9ae770f6bb3b1f9c97bff23eb6ffc

SHA512
622239e683f8fe2dafb4a901fdf82887635b7da1ee93cacbd274975218135f4e24da0e0eb017165208fcff0490c47e6108d12b88215d085526a8772055c54f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Covering

Filesize
131KB

MD5
56a6be0109f8e938f0fe3844b287e8a9

SHA1
d0206dfb0f5c59b1598417742688dfd626294297

SHA256
9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524

SHA512
84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Czech

Filesize
189KB

MD5
924c0ef6531aee94085f9a6d7c3754a0

SHA1
b899a1c7e37a902d2faa9993ec81572aca03a65f

SHA256
3829c300ed066f4a334748f3d7531a1f212080649a4eb3eb2fc1ecbf879b3cef

SHA512
77aaf61923ba72704ff69c3bc6f35529d95e3b69730c42c4af72642c47d921fab23dec97c035f43f9adca3577c9077edf4a4b89d888fbf9bf5fe87953c800c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disable

Filesize
126KB

MD5
e720d78737442ee448864b760bfc2154

SHA1
3408f4c1b96dd8d6fa0555beed2b964f959304cb

SHA256
1d74a63c10fedbe0026426c2aac7e9ee0cc3136252b336c9d7612a78b837fdce

SHA512
5a57efabb77c25aec5901185330416702d8a38564789a99f18543ef3e7e5fc0a3b6e54d801af85d4a6bd0fd536829e64088507367d815e52400e596719db85d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forests

Filesize
444KB

MD5
f5e00e25340ca759cfaaf113db301844

SHA1
98f72e6016addb30de59c6289b83b8262accdf4d

SHA256
ba998c73e83d06a20a7fb6855db82193da9eade08bb68b4e23d4a1a19de1c38a

SHA512
849def8b079a165918c2daedc366b03f4968997f3b463a3e6bbfc013520437ba3e1e6a267bae4eeb3cb7aae97da46041bf3fbd83563b57f5a3f6ab3f373332f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Initiated

Filesize
223KB

MD5
15cf524c35c79bfc7d14ef089aa36654

SHA1
b5de7303b8392079a0e24381cb2db8c37c35c0d3

SHA256
9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d

SHA512
be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Introduces

Filesize
207KB

MD5
ebdd5083135e6b0d4073cfccb7629476

SHA1
f9a1246cecd3fb4b8d750b9eccef5c28a09f5c92

SHA256
a4ead8a25f32722ddda970cfefdaf1b49fefb84f55336ebb8499fd63ef97bea3

SHA512
b37519e90dc7b48dd99f41eea7a1aaadc8709fe4334531a3af08daed4c4d13e59e935572952458f599ce6f054609a1e316fee8a64b6ed2f38e90f8288a73f81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ward

Filesize
12KB

MD5
7bf45f9b27d16f94a4859ca0dab5cd90

SHA1
9dd76d9b5ba50f3f1915a3b01c54559c0abf3527

SHA256
1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5

SHA512
5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif

Filesize
704KB

MD5
8efc4aee8e540db06f606436952dd044

SHA1
9fdfda79a7c95f35357823fc37a9b82ec794a5c1

SHA256
1ac2794cc5654800f21886b0f73094faa7ce160f2b5ef49cbacf3c4cc278e98c

SHA512
b5d22a229960a7d1a19679f74bdf5fcb7e52e182e95ec312766f5937b8840c60c2f4b605a12cffaf53a08eb460e6b057cd0ebaa3247561e3c15af0261f782ad1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\16830\Combines.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/2636-35-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-34-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2636-36-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-37-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-38-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-39-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-40-0x0000000003B60000-0x0000000003BD9000-memory.dmp

Filesize
484KB

Download
memory/2636-41-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2636-33-0x0000000077310000-0x00000000773E6000-memory.dmp

Filesize
856KB

Download