d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Size

965KB
MD5

ff36088c0ded85dbc225f0913cf67a7b
SHA1

c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512

473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP

24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2572	Combines.pif

Loads dropped DLL 5 IoCs

pid	Process
2000	cmd.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe
2408	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2408	2572	WerFault.exe	40

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2700	tasklist.exe
1704	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2572	Combines.pif
2572	Combines.pif
2572	Combines.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2572	Combines.pif
2572	Combines.pif
2572	Combines.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2572	Combines.pif
2572	Combines.pif
2572	Combines.pif

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2652	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	18
PID 2224 wrote to memory of 2652	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	18
PID 2224 wrote to memory of 2652	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	18
PID 2224 wrote to memory of 2652	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	18
PID 2224 wrote to memory of 2000	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	21
PID 2224 wrote to memory of 2000	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	21
PID 2224 wrote to memory of 2000	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	21
PID 2224 wrote to memory of 2000	2224	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	21
PID 2000 wrote to memory of 2700	2000	cmd.exe	32
PID 2000 wrote to memory of 2700	2000	cmd.exe	32
PID 2000 wrote to memory of 2700	2000	cmd.exe	32
PID 2000 wrote to memory of 2700	2000	cmd.exe	32
PID 2000 wrote to memory of 2708	2000	cmd.exe	31
PID 2000 wrote to memory of 2708	2000	cmd.exe	31
PID 2000 wrote to memory of 2708	2000	cmd.exe	31
PID 2000 wrote to memory of 2708	2000	cmd.exe	31
PID 2000 wrote to memory of 1704	2000	cmd.exe	35
PID 2000 wrote to memory of 1704	2000	cmd.exe	35
PID 2000 wrote to memory of 1704	2000	cmd.exe	35
PID 2000 wrote to memory of 1704	2000	cmd.exe	35
PID 2000 wrote to memory of 2944	2000	cmd.exe	34
PID 2000 wrote to memory of 2944	2000	cmd.exe	34
PID 2000 wrote to memory of 2944	2000	cmd.exe	34
PID 2000 wrote to memory of 2944	2000	cmd.exe	34
PID 2000 wrote to memory of 2596	2000	cmd.exe	36
PID 2000 wrote to memory of 2596	2000	cmd.exe	36
PID 2000 wrote to memory of 2596	2000	cmd.exe	36
PID 2000 wrote to memory of 2596	2000	cmd.exe	36
PID 2000 wrote to memory of 2696	2000	cmd.exe	37
PID 2000 wrote to memory of 2696	2000	cmd.exe	37
PID 2000 wrote to memory of 2696	2000	cmd.exe	37
PID 2000 wrote to memory of 2696	2000	cmd.exe	37
PID 2000 wrote to memory of 2672	2000	cmd.exe	38
PID 2000 wrote to memory of 2672	2000	cmd.exe	38
PID 2000 wrote to memory of 2672	2000	cmd.exe	38
PID 2000 wrote to memory of 2672	2000	cmd.exe	38
PID 2000 wrote to memory of 2572	2000	cmd.exe	40
PID 2000 wrote to memory of 2572	2000	cmd.exe	40
PID 2000 wrote to memory of 2572	2000	cmd.exe	40
PID 2000 wrote to memory of 2572	2000	cmd.exe	40
PID 2000 wrote to memory of 2624	2000	cmd.exe	39
PID 2000 wrote to memory of 2624	2000	cmd.exe	39
PID 2000 wrote to memory of 2624	2000	cmd.exe	39
PID 2000 wrote to memory of 2624	2000	cmd.exe	39
PID 2572 wrote to memory of 2408	2572	Combines.pif	43
PID 2572 wrote to memory of 2408	2572	Combines.pif	43
PID 2572 wrote to memory of 2408	2572	Combines.pif	43
PID 2572 wrote to memory of 2408	2572	Combines.pif	43

C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
"C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\TapiUnattend.exe
  TapiUnattend.exe
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /k move Ward Ward.bat & Ward.bat & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 23807
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 23807\Combines.pif
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Forests + Baghdad + Disable 23807\p
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif
    23807\Combines.pif 23807\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 512
      4⤵
      Loads dropped DLL
      Program crash
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
171KB

MD5
bb96e770371805cb6fb8fd4a2c583ebb

SHA1
1f0147425abec7ebcb1086a3f9f6f998f338b249

SHA256
fcc7dcc5d1a81a5e44d47b50ca27e2c115be57bc4c4ebc7244e825b7f9cee6d1

SHA512
5f8a0303ccf8fbb3af81a2e5ab2f7ad14e3242e34715909fae1bd9dd0aacb5c065dd58251b9083c1673f768b6245f9c316661fd33912993887a40215fd821633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
143KB

MD5
61cc36eac8fb36fb243f5debd2e29041

SHA1
54b342330b9e599e1e27f85e1de27dcc5800008b

SHA256
ccb9d6e7530cb0216518aa4e452ca3947060c167cb50eb1a9527b0d8d74c4189

SHA512
9ed85956799552b08676e47a5a186afe1e99c5910a45688f33db9b744e2354ede8e6e37536f9d1991ed50e096a8b22ab4cffa794c55d327792b1119b56e97943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\p

Filesize
64KB

MD5
7052814ea3f984df336a58740fd5117b

SHA1
24526653da3acda8c8a2ac4ee810432efca7f996

SHA256
e673aa8cd477b78217d9a12f7643714457c798c778debde30969772ac2bae821

SHA512
1d71805afe7e4785e8e84cfd83588b45e3325bd2d471e9fd58cf35acab053bc3aa2884ad03092fe84c672e161c6033b3555a88bf2230ae1c9f119533558d9803

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Advance

Filesize
174KB

MD5
a0d348d48f9389555698870e0642645f

SHA1
39e60d06152c6966f50a57ae3f7fef9b991c710b

SHA256
3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86

SHA512
3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Baghdad

Filesize
220KB

MD5
d3955e0fa2214b2bc809741eb72fd7ca

SHA1
9b4f6fe3b98160d22db33c5e6de471a145477edf

SHA256
0071fe7ba11f01cff676291f3cd955918b2d51b466dfad5e15b958eb55efa2ad

SHA512
b3879a1ac1ddc515cc2be67be35f05d87376f5294015d1516f9fddf3287d312257a3988b246442a777e3ee96e8ad3208a7c79cd55da8f3106a35de4fa8707885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Covering

Filesize
131KB

MD5
56a6be0109f8e938f0fe3844b287e8a9

SHA1
d0206dfb0f5c59b1598417742688dfd626294297

SHA256
9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524

SHA512
84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Czech

Filesize
189KB

MD5
924c0ef6531aee94085f9a6d7c3754a0

SHA1
b899a1c7e37a902d2faa9993ec81572aca03a65f

SHA256
3829c300ed066f4a334748f3d7531a1f212080649a4eb3eb2fc1ecbf879b3cef

SHA512
77aaf61923ba72704ff69c3bc6f35529d95e3b69730c42c4af72642c47d921fab23dec97c035f43f9adca3577c9077edf4a4b89d888fbf9bf5fe87953c800c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disable

Filesize
109KB

MD5
be33c5093ba4023029850d234fda048c

SHA1
00374c84452c223c8926394eae37c0576eeb7cd4

SHA256
28cee3c0b1c79e25ba47a05821f0fe4d517416fdbd6435e702c2baf8a02de9b1

SHA512
31cefe867faf45083a9e515cfb142d0f065266516c98f368d113865b504dc59477df7f5a1077547724bd2da7818fa778a6911d6bf14ea516911110c1217ce1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forests

Filesize
90KB

MD5
6273eb155e1f7b6bc96a3432b8c82335

SHA1
4f5e12c79e5e7396782a602396482cbb0cc4b4d5

SHA256
3231695ed96a4aadaede778793267058be0ba2009c594c3f5fbfd80b8ce9e212

SHA512
aa6b260a93245961658a14fb895b7f8bfd9b4559329e019592ab5da47b80ae96379688a7df2843988baf0094a7f51d92429d5ac8e69acaa80c0b4c38fb3fed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Initiated

Filesize
223KB

MD5
15cf524c35c79bfc7d14ef089aa36654

SHA1
b5de7303b8392079a0e24381cb2db8c37c35c0d3

SHA256
9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d

SHA512
be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Introduces

Filesize
178KB

MD5
e3651a5f919ceee5454ec0752d77be40

SHA1
cffdfd653fc4ee2cee62720b652555aeb81e05fb

SHA256
9e56d1908cdeb623a25e593e16c5c8819bd1ee68424b2e2438f57f7d201f3d19

SHA512
b1df52b6e90db3ebd41402ee8dce5acd651cf857c2b41db135e6f2622b44abd55b696230e1af87f9a949260a1b3f6e2587c73b14b9acd4da1e3fc6f039b7845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ward

Filesize
12KB

MD5
7bf45f9b27d16f94a4859ca0dab5cd90

SHA1
9dd76d9b5ba50f3f1915a3b01c54559c0abf3527

SHA256
1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5

SHA512
5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
289KB

MD5
98096a36dcd793c0daf5a11b11d0a772

SHA1
38fd313be913c00626dc4da370707dfa3df2c0c4

SHA256
252beece036a11628eb253cfce22e8d6ca7f4ace33d6e5f8b71fbbb3b754c9f3

SHA512
da82f8c3698ba7dde44d63ca5b4223dd98e14b65c7d52815a23128dbd203a04b8c3461ebeec5506a87ec2bfc02ebe70fdff750a6f53b1df2e4554e1ddf3bf76a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
531KB

MD5
55bfb7a61ac54101397705e83d6fa943

SHA1
d8b8dd44193be4dc1be5b4563a5e4ffe14cfed92

SHA256
309f8bbc499d81eb01f5efcc1d40f3282214e7c7242b26a3f44194620ca0092b

SHA512
9c00cd7ae95c6bcfc4453ea53f62787c3e1d56e61dede3619c1304d6bcdbfc7f2955b03ad90f822a972f77fe6ce92bf6ce0187a65097ce5c581d825cead0dac4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\23807\Combines.pif

Filesize
618KB

MD5
d07872b9374159994424ec87c18733aa

SHA1
eb67d2a49cb41693065424e30f3e06a4d8bf694d

SHA256
248d2a310cc3ff72b2d0d28bd0aec0361878e885da7ddfc40af3d4a181548084

SHA512
f3b4f56b78e55f11de13d2d81c8e946fd309b037c2c303f969fcb6a305d091f6efe43d4a11a3063d31cac0e72ccffdfcb55e1efaa7f858f5a76e65a235c5d01b

Download Submit
memory/2572-33-0x0000000077930000-0x0000000077A06000-memory.dmp

Filesize
856KB

Download
memory/2572-34-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2572-37-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download
memory/2572-36-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download
memory/2572-35-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download
memory/2572-38-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download
memory/2572-39-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download
memory/2572-41-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2572-40-0x0000000004480000-0x00000000044F9000-memory.dmp

Filesize
484KB

Download