d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Size

965KB
MD5

ff36088c0ded85dbc225f0913cf67a7b
SHA1

c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256

d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512

473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP

24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3428	Combines.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1304	tasklist.exe
4180	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3012	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	tasklist.exe
Token: SeDebugPrivilege	4180	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3428	Combines.pif
3428	Combines.pif
3428	Combines.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1804	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	40
PID 1720 wrote to memory of 1804	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	40
PID 1720 wrote to memory of 1804	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	40
PID 1720 wrote to memory of 1512	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	44
PID 1720 wrote to memory of 1512	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	44
PID 1720 wrote to memory of 1512	1720	d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe	44
PID 1512 wrote to memory of 1304	1512	cmd.exe	88
PID 1512 wrote to memory of 1304	1512	cmd.exe	88
PID 1512 wrote to memory of 1304	1512	cmd.exe	88
PID 1512 wrote to memory of 456	1512	cmd.exe	89
PID 1512 wrote to memory of 456	1512	cmd.exe	89
PID 1512 wrote to memory of 456	1512	cmd.exe	89
PID 1512 wrote to memory of 4180	1512	cmd.exe	91
PID 1512 wrote to memory of 4180	1512	cmd.exe	91
PID 1512 wrote to memory of 4180	1512	cmd.exe	91
PID 1512 wrote to memory of 2612	1512	cmd.exe	92
PID 1512 wrote to memory of 2612	1512	cmd.exe	92
PID 1512 wrote to memory of 2612	1512	cmd.exe	92
PID 1512 wrote to memory of 532	1512	cmd.exe	93
PID 1512 wrote to memory of 532	1512	cmd.exe	93
PID 1512 wrote to memory of 532	1512	cmd.exe	93
PID 1512 wrote to memory of 212	1512	cmd.exe	94
PID 1512 wrote to memory of 212	1512	cmd.exe	94
PID 1512 wrote to memory of 212	1512	cmd.exe	94
PID 1512 wrote to memory of 2172	1512	cmd.exe	96
PID 1512 wrote to memory of 2172	1512	cmd.exe	96
PID 1512 wrote to memory of 2172	1512	cmd.exe	96
PID 1512 wrote to memory of 3428	1512	cmd.exe	95
PID 1512 wrote to memory of 3428	1512	cmd.exe	95
PID 1512 wrote to memory of 3428	1512	cmd.exe	95
PID 1512 wrote to memory of 3012	1512	cmd.exe	97
PID 1512 wrote to memory of 3012	1512	cmd.exe	97
PID 1512 wrote to memory of 3012	1512	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
"C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\TapiUnattend.exe
  TapiUnattend.exe
  2⤵
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  cmd /k move Ward Ward.bat & Ward.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1304
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 23918
    3⤵
    PID:532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 23918\Combines.pif
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23918\Combines.pif
    23918\Combines.pif 23918\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Forests + Baghdad + Disable 23918\p
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23918\Combines.pif

Filesize
116KB

MD5
75f9efed8148b83c398caef9b28b6fcc

SHA1
ff9b20a4bc6e82c8fafa30619a128cd011b45474

SHA256
acd175c127b1eb619fd3bc9426e696797acc59049817442db7ce525517fa9a90

SHA512
af03119c0be3486bc72bfe39f8b644c102fb5b7b03c7bf539c02b6cc0698e6165ae97b336602f8274ef8d3f97f5aa12024dfc49f2be17bfbe29159c58fa218be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23918\Combines.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\23918\p

Filesize
984KB

MD5
c38e411ef1c293d7d6208cd934631d6c

SHA1
e3a1423c352470ef40a6f1c4fbc1b063a78076cd

SHA256
7eb87eda70ca90d9ff6535c26dd2a3330a5477c44125cca6549851f15673b185

SHA512
87cd023483d919bb98e638a5080c7d3bb2d43cb0107356c34ef2f4707c893ae76152e47c6cebb02a03387de9aee9a2868f08d54f2eaae54a0a0ff3f35a3fdab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Advance

Filesize
174KB

MD5
a0d348d48f9389555698870e0642645f

SHA1
39e60d06152c6966f50a57ae3f7fef9b991c710b

SHA256
3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86

SHA512
3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Baghdad

Filesize
151KB

MD5
7a195733d8ad31b8809a82e0f817b691

SHA1
127b5cada8d84b5d80529d4a54574d3bfa09b723

SHA256
5cf745d0f22583e2de615496a966be44879be1a95c850eca19559a3c4e570bbc

SHA512
3854a77d27f1229ef5cf315dda5475fa51bb5c25a241643566004f00494b7db2b4d2c47d4c397d3e7854bdc9538fb158d60083317bb0080e9f683fe8852cf6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Covering

Filesize
131KB

MD5
56a6be0109f8e938f0fe3844b287e8a9

SHA1
d0206dfb0f5c59b1598417742688dfd626294297

SHA256
9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524

SHA512
84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Czech

Filesize
153KB

MD5
82a7d2f697c83aa9f65130593796390b

SHA1
bc664536c189990e9ecdd5db5fffa36f9537ef5e

SHA256
502b67aa3f98051d7197fa88105ea3ecbb4a8e62a2874acc62507c9f111b1320

SHA512
53097a4ad7bbf2e1f039684917686d8a3e71612179717c7ce58de391979bfe0738322494980acd727125b2056ffbfd47b79065ea588e8f28bbe9afd6ff02923b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disable

Filesize
126KB

MD5
e720d78737442ee448864b760bfc2154

SHA1
3408f4c1b96dd8d6fa0555beed2b964f959304cb

SHA256
1d74a63c10fedbe0026426c2aac7e9ee0cc3136252b336c9d7612a78b837fdce

SHA512
5a57efabb77c25aec5901185330416702d8a38564789a99f18543ef3e7e5fc0a3b6e54d801af85d4a6bd0fd536829e64088507367d815e52400e596719db85d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forests

Filesize
165KB

MD5
6e7003e0980584623a9a00dceb6c30dc

SHA1
c220524caa6173feb7dceda9eea968c375f10636

SHA256
2de480c4a343ac828b8a31fafad183412547e49180d3cbf0cda3e53e02a30277

SHA512
b69da005a5e73f2505d6317cb20267abc1272dc4f95a066e72fd65d71b793b8d00c3e1ae5cd3ebca0c90a1062a823f46be39c45998a5dc5ef6986f6c3a4f6b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Initiated

Filesize
223KB

MD5
15cf524c35c79bfc7d14ef089aa36654

SHA1
b5de7303b8392079a0e24381cb2db8c37c35c0d3

SHA256
9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d

SHA512
be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Introduces

Filesize
198KB

MD5
63d6042772b7b05c9b693616d005260e

SHA1
0fc97f46aa93b91ad6b97e148c46ca12d9bd6ecb

SHA256
0b29a7da600cd0ab82f1d6e0008971b6e53a40c0a3995d9c78e4abdf12788e42

SHA512
d30dccecc7727be9c4d49aadc0f8c0a700192f0507737bc8d402fe09a5f72d52e9b5ca4acb2c0c8c9c063a9a21356e5810e35748fc000aef01b77234e94568b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ward

Filesize
12KB

MD5
7bf45f9b27d16f94a4859ca0dab5cd90

SHA1
9dd76d9b5ba50f3f1915a3b01c54559c0abf3527

SHA256
1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5

SHA512
5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f

Download Submit
memory/3428-34-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/3428-32-0x0000000077361000-0x0000000077481000-memory.dmp

Filesize
1.1MB

Download
memory/3428-36-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-35-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-37-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-38-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-39-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-40-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-41-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download
memory/3428-42-0x0000000004DC0000-0x0000000004E39000-memory.dmp

Filesize
484KB

Download