d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Size

965KB
MD5

ff36088c0ded85dbc225f0913cf67a7b
SHA1

c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512

473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP

24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	Combines.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1180	tasklist.exe
2316	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1432	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	tasklist.exe
Token: SeDebugPrivilege	2316	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2824	Combines.pif
2824	Combines.pif
2824	Combines.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 5084	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	28
PID 4936 wrote to memory of 5084	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	28
PID 4936 wrote to memory of 5084	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	28
PID 4936 wrote to memory of 4972	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	27
PID 4936 wrote to memory of 4972	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	27
PID 4936 wrote to memory of 4972	4936	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	27
PID 4972 wrote to memory of 1180	4972	cmd.exe	39
PID 4972 wrote to memory of 1180	4972	cmd.exe	39
PID 4972 wrote to memory of 1180	4972	cmd.exe	39
PID 4972 wrote to memory of 1520	4972	cmd.exe	38
PID 4972 wrote to memory of 1520	4972	cmd.exe	38
PID 4972 wrote to memory of 1520	4972	cmd.exe	38
PID 4972 wrote to memory of 2316	4972	cmd.exe	47
PID 4972 wrote to memory of 2316	4972	cmd.exe	47
PID 4972 wrote to memory of 2316	4972	cmd.exe	47
PID 4972 wrote to memory of 4692	4972	cmd.exe	46
PID 4972 wrote to memory of 4692	4972	cmd.exe	46
PID 4972 wrote to memory of 4692	4972	cmd.exe	46
PID 4972 wrote to memory of 5068	4972	cmd.exe	54
PID 4972 wrote to memory of 5068	4972	cmd.exe	54
PID 4972 wrote to memory of 5068	4972	cmd.exe	54
PID 4972 wrote to memory of 5064	4972	cmd.exe	53
PID 4972 wrote to memory of 5064	4972	cmd.exe	53
PID 4972 wrote to memory of 5064	4972	cmd.exe	53
PID 4972 wrote to memory of 1784	4972	cmd.exe	52
PID 4972 wrote to memory of 1784	4972	cmd.exe	52
PID 4972 wrote to memory of 1784	4972	cmd.exe	52
PID 4972 wrote to memory of 2824	4972	cmd.exe	51
PID 4972 wrote to memory of 2824	4972	cmd.exe	51
PID 4972 wrote to memory of 2824	4972	cmd.exe	51
PID 4972 wrote to memory of 1432	4972	cmd.exe	50
PID 4972 wrote to memory of 1432	4972	cmd.exe	50
PID 4972 wrote to memory of 1432	4972	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
"C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd /k move Ward Ward.bat & Ward.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23856\Combines.pif
    23856\Combines.pif 23856\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Forests + Baghdad + Disable 23856\p
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 23856\Combines.pif
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 23856
    3⤵
    PID:5068
- C:\Windows\SysWOW64\TapiUnattend.exe
  TapiUnattend.exe
  2⤵
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23856\Combines.pif

Filesize
570KB

MD5
f1e81c377b276536559e76dfe04f726d

SHA1
175ec28865ac895c1eb0959c767be810bdadac95

SHA256
abcc658c4b7554c75e9726900d764bcf38993e33edfbcf6b6122c72a72f8c621

SHA512
a0c0bfbed6d5f401c4bbda2aed3889e460f012d0b49c2557c18c19189b3092da7cd6f2da81ede7bdb4a8bd24894a580c0654d855f2241df2bbebf449a1a04d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23856\Combines.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23856\p

Filesize
984KB

MD5
c38e411ef1c293d7d6208cd934631d6c

SHA1
e3a1423c352470ef40a6f1c4fbc1b063a78076cd

SHA256
7eb87eda70ca90d9ff6535c26dd2a3330a5477c44125cca6549851f15673b185

SHA512
87cd023483d919bb98e638a5080c7d3bb2d43cb0107356c34ef2f4707c893ae76152e47c6cebb02a03387de9aee9a2868f08d54f2eaae54a0a0ff3f35a3fdab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Advance

Filesize
174KB

MD5
a0d348d48f9389555698870e0642645f

SHA1
39e60d06152c6966f50a57ae3f7fef9b991c710b

SHA256
3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86

SHA512
3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Baghdad

Filesize
414KB

MD5
ec0b3ec727520f56a6741f4569153b38

SHA1
7cb01894370bde7ce3a38a478370e3db79b30904

SHA256
bc65c7156dc2b09677840833e64b99d28ac9ae770f6bb3b1f9c97bff23eb6ffc

SHA512
622239e683f8fe2dafb4a901fdf82887635b7da1ee93cacbd274975218135f4e24da0e0eb017165208fcff0490c47e6108d12b88215d085526a8772055c54f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Covering

Filesize
131KB

MD5
56a6be0109f8e938f0fe3844b287e8a9

SHA1
d0206dfb0f5c59b1598417742688dfd626294297

SHA256
9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524

SHA512
84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Czech

Filesize
189KB

MD5
924c0ef6531aee94085f9a6d7c3754a0

SHA1
b899a1c7e37a902d2faa9993ec81572aca03a65f

SHA256
3829c300ed066f4a334748f3d7531a1f212080649a4eb3eb2fc1ecbf879b3cef

SHA512
77aaf61923ba72704ff69c3bc6f35529d95e3b69730c42c4af72642c47d921fab23dec97c035f43f9adca3577c9077edf4a4b89d888fbf9bf5fe87953c800c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disable

Filesize
126KB

MD5
e720d78737442ee448864b760bfc2154

SHA1
3408f4c1b96dd8d6fa0555beed2b964f959304cb

SHA256
1d74a63c10fedbe0026426c2aac7e9ee0cc3136252b336c9d7612a78b837fdce

SHA512
5a57efabb77c25aec5901185330416702d8a38564789a99f18543ef3e7e5fc0a3b6e54d801af85d4a6bd0fd536829e64088507367d815e52400e596719db85d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forests

Filesize
444KB

MD5
f5e00e25340ca759cfaaf113db301844

SHA1
98f72e6016addb30de59c6289b83b8262accdf4d

SHA256
ba998c73e83d06a20a7fb6855db82193da9eade08bb68b4e23d4a1a19de1c38a

SHA512
849def8b079a165918c2daedc366b03f4968997f3b463a3e6bbfc013520437ba3e1e6a267bae4eeb3cb7aae97da46041bf3fbd83563b57f5a3f6ab3f373332f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Initiated

Filesize
223KB

MD5
15cf524c35c79bfc7d14ef089aa36654

SHA1
b5de7303b8392079a0e24381cb2db8c37c35c0d3

SHA256
9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d

SHA512
be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Introduces

Filesize
207KB

MD5
ebdd5083135e6b0d4073cfccb7629476

SHA1
f9a1246cecd3fb4b8d750b9eccef5c28a09f5c92

SHA256
a4ead8a25f32722ddda970cfefdaf1b49fefb84f55336ebb8499fd63ef97bea3

SHA512
b37519e90dc7b48dd99f41eea7a1aaadc8709fe4334531a3af08daed4c4d13e59e935572952458f599ce6f054609a1e316fee8a64b6ed2f38e90f8288a73f81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ward

Filesize
12KB

MD5
7bf45f9b27d16f94a4859ca0dab5cd90

SHA1
9dd76d9b5ba50f3f1915a3b01c54559c0abf3527

SHA256
1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5

SHA512
5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f

Download Submit
memory/2824-35-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-34-0x0000000001880000-0x0000000001881000-memory.dmp

Filesize
4KB

Download
memory/2824-32-0x0000000077301000-0x0000000077421000-memory.dmp

Filesize
1.1MB

Download
memory/2824-36-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-37-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-38-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-39-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-40-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download
memory/2824-41-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download
memory/2824-42-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download
memory/2824-43-0x0000000004E40000-0x0000000004EB9000-memory.dmp

Filesize
484KB

Download