Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-02-2024 05:37
Static task: static1

Behavioral task: behavioral1
Sample: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Resource: win10v2004-20231215-en
General

Target: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
Size: 965KB
MD5: ff36088c0ded85dbc225f0913cf67a7b
SHA1: c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db
SHA256: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee
SHA512: 473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6
SSDEEP: 24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
pid   Process
2672  Combines.pif

Loads dropped DLL (5 IoCs)
pid   Process
2108  cmd.exe
2956  WerFault.exe
2956  WerFault.exe
2956  WerFault.exe
2956  WerFault.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2956  2672        WerFault.exe  39

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid   Process
2876  tasklist.exe
3016  tasklist.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
2132  PING.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2672  Combines.pif
2672  Combines.pif
2672  Combines.pif

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2876  tasklist.exe
Token: SeDebugPrivilege  3016  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
2672  Combines.pif
2672  Combines.pif
2672  Combines.pif

Suspicious use of SendNotifyMessage (3 IoCs)
pid   Process
2672  Combines.pif
2672  Combines.pif
2672  Combines.pif

Suspicious use of WriteProcessMemory (48 IoCs)
description                       pid   procid_target  Process
PID 1320 wrote to memory of 2392  1320  28             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2392  1320  28             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2392  1320  28             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2392  1320  28             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2108  1320  29             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2108  1320  29             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2108  1320  29             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 1320 wrote to memory of 2108  1320  29             d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe
PID 2108 wrote to memory of 2876  2108  31             cmd.exe
PID 2108 wrote to memory of 2876  2108  31             cmd.exe
PID 2108 wrote to memory of 2876  2108  31             cmd.exe
PID 2108 wrote to memory of 2876  2108  31             cmd.exe
PID 2108 wrote to memory of 2880  2108  32             cmd.exe
PID 2108 wrote to memory of 2880  2108  32             cmd.exe
PID 2108 wrote to memory of 2880  2108  32             cmd.exe
PID 2108 wrote to memory of 2880  2108  32             cmd.exe
PID 2108 wrote to memory of 3016  2108  34             cmd.exe
PID 2108 wrote to memory of 3016  2108  34             cmd.exe
PID 2108 wrote to memory of 3016  2108  34             cmd.exe
PID 2108 wrote to memory of 3016  2108  34             cmd.exe
PID 2108 wrote to memory of 2120  2108  35             cmd.exe
PID 2108 wrote to memory of 2120  2108  35             cmd.exe
PID 2108 wrote to memory of 2120  2108  35             cmd.exe
PID 2108 wrote to memory of 2120  2108  35             cmd.exe
PID 2108 wrote to memory of 2788  2108  36             cmd.exe
PID 2108 wrote to memory of 2788  2108  36             cmd.exe
PID 2108 wrote to memory of 2788  2108  36             cmd.exe
PID 2108 wrote to memory of 2788  2108  36             cmd.exe
PID 2108 wrote to memory of 2944  2108  37             cmd.exe
PID 2108 wrote to memory of 2944  2108  37             cmd.exe
PID 2108 wrote to memory of 2944  2108  37             cmd.exe
PID 2108 wrote to memory of 2944  2108  37             cmd.exe
PID 2108 wrote to memory of 2780  2108  38             cmd.exe
PID 2108 wrote to memory of 2780  2108  38             cmd.exe
PID 2108 wrote to memory of 2780  2108  38             cmd.exe
PID 2108 wrote to memory of 2780  2108  38             cmd.exe
PID 2108 wrote to memory of 2672  2108  39             cmd.exe
PID 2108 wrote to memory of 2672  2108  39             cmd.exe
PID 2108 wrote to memory of 2672  2108  39             cmd.exe
PID 2108 wrote to memory of 2672  2108  39             cmd.exe
PID 2108 wrote to memory of 2132  2108  40             cmd.exe
PID 2108 wrote to memory of 2132  2108  40             cmd.exe
PID 2108 wrote to memory of 2132  2108  40             cmd.exe
PID 2108 wrote to memory of 2132  2108  40             cmd.exe
PID 2672 wrote to memory of 2956  2672  41             Combines.pif
PID 2672 wrote to memory of 2956  2672  41             Combines.pif
PID 2672 wrote to memory of 2956  2672  41             Combines.pif
PID 2672 wrote to memory of 2956  2672  41             Combines.pif
Processes

- C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe (PID 1320)
  command line: "C:\Users\Admin\AppData\Local\Temp\d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TapiUnattend.exe (PID 2392)
    command line: TapiUnattend.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2108)
    command line: cmd /k move Ward Ward.bat & Ward.bat & exit
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe (PID 2876)
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (PID 2880)
      command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    - C:\Windows\SysWOW64\tasklist.exe (PID 3016)
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (PID 2120)
      command line: findstr /I "wrsa.exe opssvc.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 2788)
      command line: cmd /c md 24649
    - C:\Windows\SysWOW64\cmd.exe (PID 2944)
      command line: cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 24649\Combines.pif
    - C:\Windows\SysWOW64\cmd.exe (PID 2780)
      command line: cmd /c copy /b Forests + Baghdad + Disable 24649\p
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\24649\Combines.pif (PID 2672)
      command line: 24649\Combines.pif 24649\p
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (PID 2956)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 508
        signatures: Loads dropped DLL; Program crash
    - C:\Windows\SysWOW64\PING.EXE (PID 2132)
      command line: ping -n 5 localhost
      signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 984KB
  MD5: c38e411ef1c293d7d6208cd934631d6c
  SHA1: e3a1423c352470ef40a6f1c4fbc1b063a78076cd
  SHA256: 7eb87eda70ca90d9ff6535c26dd2a3330a5477c44125cca6549851f15673b185
  SHA512: 87cd023483d919bb98e638a5080c7d3bb2d43cb0107356c34ef2f4707c893ae76152e47c6cebb02a03387de9aee9a2868f08d54f2eaae54a0a0ff3f35a3fdab6
- Filesize: 174KB
  MD5: a0d348d48f9389555698870e0642645f
  SHA1: 39e60d06152c6966f50a57ae3f7fef9b991c710b
  SHA256: 3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86
  SHA512: 3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7
- Filesize: 414KB
  MD5: ec0b3ec727520f56a6741f4569153b38
  SHA1: 7cb01894370bde7ce3a38a478370e3db79b30904
  SHA256: bc65c7156dc2b09677840833e64b99d28ac9ae770f6bb3b1f9c97bff23eb6ffc
  SHA512: 622239e683f8fe2dafb4a901fdf82887635b7da1ee93cacbd274975218135f4e24da0e0eb017165208fcff0490c47e6108d12b88215d085526a8772055c54f65
- Filesize: 131KB
  MD5: 56a6be0109f8e938f0fe3844b287e8a9
  SHA1: d0206dfb0f5c59b1598417742688dfd626294297
  SHA256: 9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524
  SHA512: 84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08
- Filesize: 189KB
  MD5: 924c0ef6531aee94085f9a6d7c3754a0
  SHA1: b899a1c7e37a902d2faa9993ec81572aca03a65f
  SHA256: 3829c300ed066f4a334748f3d7531a1f212080649a4eb3eb2fc1ecbf879b3cef
  SHA512: 77aaf61923ba72704ff69c3bc6f35529d95e3b69730c42c4af72642c47d921fab23dec97c035f43f9adca3577c9077edf4a4b89d888fbf9bf5fe87953c800c34
- Filesize: 126KB
  MD5: e720d78737442ee448864b760bfc2154
  SHA1: 3408f4c1b96dd8d6fa0555beed2b964f959304cb
  SHA256: 1d74a63c10fedbe0026426c2aac7e9ee0cc3136252b336c9d7612a78b837fdce
  SHA512: 5a57efabb77c25aec5901185330416702d8a38564789a99f18543ef3e7e5fc0a3b6e54d801af85d4a6bd0fd536829e64088507367d815e52400e596719db85d4
- Filesize: 444KB
  MD5: f5e00e25340ca759cfaaf113db301844
  SHA1: 98f72e6016addb30de59c6289b83b8262accdf4d
  SHA256: ba998c73e83d06a20a7fb6855db82193da9eade08bb68b4e23d4a1a19de1c38a
  SHA512: 849def8b079a165918c2daedc366b03f4968997f3b463a3e6bbfc013520437ba3e1e6a267bae4eeb3cb7aae97da46041bf3fbd83563b57f5a3f6ab3f373332f8
- Filesize: 223KB
  MD5: 15cf524c35c79bfc7d14ef089aa36654
  SHA1: b5de7303b8392079a0e24381cb2db8c37c35c0d3
  SHA256: 9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d
  SHA512: be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6
- Filesize: 207KB
  MD5: ebdd5083135e6b0d4073cfccb7629476
  SHA1: f9a1246cecd3fb4b8d750b9eccef5c28a09f5c92
  SHA256: a4ead8a25f32722ddda970cfefdaf1b49fefb84f55336ebb8499fd63ef97bea3
  SHA512: b37519e90dc7b48dd99f41eea7a1aaadc8709fe4334531a3af08daed4c4d13e59e935572952458f599ce6f054609a1e316fee8a64b6ed2f38e90f8288a73f81d
- Filesize: 12KB
  MD5: 7bf45f9b27d16f94a4859ca0dab5cd90
  SHA1: 9dd76d9b5ba50f3f1915a3b01c54559c0abf3527
  SHA256: 1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5
  SHA512: 5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f
- Filesize: 924KB
  MD5: 848164d084384c49937f99d5b894253e
  SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
  SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
- Filesize: 640KB
  MD5: 216c8668bd25cdf3595e81b6c2066184
  SHA1: af6e7c7724d65752d2633c0e226fa4901bf2fa71
  SHA256: d72fa8bc87379641139f1fc54bc4e3a350ddbfc98a98e6b57749f54795fe23f8
  SHA512: 104be0d26a93ae5943bfad49df77e3710b336896615342840bcbcbb953d424b722bc59e1c3362ca4f36a3e12142888a62dabf97dca8556be1b1b2daa13d1a91e
- Filesize: 448KB
  MD5: 5829d346dd78197d6805ed8fcf94293d
  SHA1: 4dcf4a26d2724bba7f62becaff71f408a684b6fb
  SHA256: 2bb7f3304af6f907f416e5421715cf3f7af0727cbe9df6e423802d76a1d5010b
  SHA512: 17cfcb4151a8a1903eed530f94c10a56e2158a624bc2a90d9d2a065ab367cde2724a3a441c1bc54524a4d47fca8a79fdc89392a9d9145a684b6e412f28b5a5a6
- Filesize: 384KB
  MD5: 46488d423274072d7167312ea77f9142
  SHA1: 71e20d0737cfeb658ae89fe0b68da5d2755a2e24
  SHA256: be66ea55e0540e350e6ac6cbab0bb45ed0697d9ecc0e5974272b180c35f00e82
  SHA512: fe5d47a55f5673b075ff6fff9503490fb1fcf543115fbb4f0e4954e5fe2796876461fda1f770dfaab162c79e7fb189151e507a6965d999d25a197cf7b377fe18