b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42

Analysis

max time kernel
143s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Додатки 1. Запит інформації щодо платежів.pdf.exe
Size

1.1MB
MD5

fe92fd358fb079b60a6a38bf212e8b76
SHA1

f26e19331f124564c89d091733267ac261265c69
SHA256

b756f04d1cd713bb11d5ae1032f8e8580d7cb11ad9e58f0219c9a9fb02c20d42
SHA512

642f979d05c4c099f0322de6d6d086153d174ec875714e99063fec6f316c95e3f6731c1225ff1487d58dd35b723a4609905341da9c25a2277c1fb834e44f4588
SSDEEP

24576:qxCiG4tPQ1OgCwH1Wz3rhbNyeAjykZUDwHob0mtI:0CiGL1Og23rhxyeAOkun0mtI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	Immigrants.pif

Loads dropped DLL 5 IoCs

pid	Process
2880	cmd.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe
2808	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2808	2836	WerFault.exe	38

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2928	tasklist.exe
2736	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3024	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2836	Immigrants.pif
2836	Immigrants.pif
2836	Immigrants.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2836	Immigrants.pif
2836	Immigrants.pif
2836	Immigrants.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2836	Immigrants.pif
2836	Immigrants.pif
2836	Immigrants.pif

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2880	2656	Додатки 1. Запит інформації щодо платежів.pdf.exe	30
PID 2656 wrote to memory of 2880	2656	Додатки 1. Запит інформації щодо платежів.pdf.exe	30
PID 2656 wrote to memory of 2880	2656	Додатки 1. Запит інформації щодо платежів.pdf.exe	30
PID 2656 wrote to memory of 2880	2656	Додатки 1. Запит інформації щодо платежів.pdf.exe	30
PID 2880 wrote to memory of 2928	2880	cmd.exe	32
PID 2880 wrote to memory of 2928	2880	cmd.exe	32
PID 2880 wrote to memory of 2928	2880	cmd.exe	32
PID 2880 wrote to memory of 2928	2880	cmd.exe	32
PID 2880 wrote to memory of 2680	2880	cmd.exe	31
PID 2880 wrote to memory of 2680	2880	cmd.exe	31
PID 2880 wrote to memory of 2680	2880	cmd.exe	31
PID 2880 wrote to memory of 2680	2880	cmd.exe	31
PID 2880 wrote to memory of 2736	2880	cmd.exe	36
PID 2880 wrote to memory of 2736	2880	cmd.exe	36
PID 2880 wrote to memory of 2736	2880	cmd.exe	36
PID 2880 wrote to memory of 2736	2880	cmd.exe	36
PID 2880 wrote to memory of 2160	2880	cmd.exe	34
PID 2880 wrote to memory of 2160	2880	cmd.exe	34
PID 2880 wrote to memory of 2160	2880	cmd.exe	34
PID 2880 wrote to memory of 2160	2880	cmd.exe	34
PID 2880 wrote to memory of 2560	2880	cmd.exe	35
PID 2880 wrote to memory of 2560	2880	cmd.exe	35
PID 2880 wrote to memory of 2560	2880	cmd.exe	35
PID 2880 wrote to memory of 2560	2880	cmd.exe	35
PID 2880 wrote to memory of 2580	2880	cmd.exe	40
PID 2880 wrote to memory of 2580	2880	cmd.exe	40
PID 2880 wrote to memory of 2580	2880	cmd.exe	40
PID 2880 wrote to memory of 2580	2880	cmd.exe	40
PID 2880 wrote to memory of 2684	2880	cmd.exe	37
PID 2880 wrote to memory of 2684	2880	cmd.exe	37
PID 2880 wrote to memory of 2684	2880	cmd.exe	37
PID 2880 wrote to memory of 2684	2880	cmd.exe	37
PID 2880 wrote to memory of 2836	2880	cmd.exe	38
PID 2880 wrote to memory of 2836	2880	cmd.exe	38
PID 2880 wrote to memory of 2836	2880	cmd.exe	38
PID 2880 wrote to memory of 2836	2880	cmd.exe	38
PID 2880 wrote to memory of 3024	2880	cmd.exe	39
PID 2880 wrote to memory of 3024	2880	cmd.exe	39
PID 2880 wrote to memory of 3024	2880	cmd.exe	39
PID 2880 wrote to memory of 3024	2880	cmd.exe	39
PID 2836 wrote to memory of 2808	2836	Immigrants.pif	41
PID 2836 wrote to memory of 2808	2836	Immigrants.pif	41
PID 2836 wrote to memory of 2808	2836	Immigrants.pif	41
PID 2836 wrote to memory of 2808	2836	Immigrants.pif	41

C:\Users\Admin\AppData\Local\Temp\Додатки 1. Запит інформації щодо платежів.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Додатки 1. Запит інформації щодо платежів.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Guest Guest.bat & Guest.bat & exit
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 15198
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Viking + Chaos + Participated 15198\Z
    3⤵
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\15198\Immigrants.pif
    15198\Immigrants.pif 15198\Z
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 508
      4⤵
      Loads dropped DLL
      Program crash
      PID:2808
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Earn + Program + Asset + Reserve + Slowly 15198\Immigrants.pif
    3⤵
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\15198\Immigrants.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\15198\Z

Filesize
1011KB

MD5
86f54ba6ed2e65a34276922a62cf04e6

SHA1
7c66874ba8bad12836d18672b31b856be6ebe4dd

SHA256
a388bbf5baf8b3fb09340031dac1c88edc8929a630586af3dcbb37cfe580e26a

SHA512
17993fa53a01cce1f6518afa3e5d9922232e072314b47083434ea4ea9bcb04875c10ed8b4d271d8193a928fe5352b3274c7842a11fb37d1ec2deb3c91528bc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Asset

Filesize
149KB

MD5
8ac1baefdc2ded378686004cb4fff9e1

SHA1
d0a34045d2cfa3b7cac9e89cbcaeb93a5f84d01a

SHA256
5249e4b2628e7d35a52bd49445883b5e0b11efde03c508aa6c026c87cf6b2ac8

SHA512
2a3dba0bf40c27174a9958496b5fd8f7221763f6e9b44fc4282fd7ae720c313289048f419e0ffbd4ed74831bd201c7658c14649f9a1ff00869efa7f448286dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chaos

Filesize
470KB

MD5
1236736fe0a02c2cd4bfe15deb893827

SHA1
c3af0c3e0b07d3500e91c6ad27b4ea236a42dbc2

SHA256
3cb67c9178de85ddfd478c85ddea7b3d1e9d8ae1a5512a3bb7e10b7efcac7939

SHA512
605a2ed66c72569f0253516f7e94ad0112ec69f7c87fcd48f5d283089abc9996a654429675dcdb3e111db415d326d7afa8c17a60a8fee935a65c0003b1a1d2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Earn

Filesize
12KB

MD5
9291982b1b682a3f7f13a4f35a5fbffa

SHA1
323326d42d020c7e344f50fcad3990ebde93254f

SHA256
dcbe779a534af0997652b12961b5d90991441b1c2928c1dbce2e4d9ce0f7c963

SHA512
93901d88460717f3ce4b57f2f6cd70113b170a7f1ad7c028298c3b8b85e7e9279afbe5f43602af1944069f9cf59779fcb048e3a1282b6d8e0a80aaad964f675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Guest

Filesize
12KB

MD5
501aca372cb3df2ad5581521fd1e67d5

SHA1
f63c4e28c7acded78b9d29d55cee98bb7b869229

SHA256
a8ed85ff54eaf2817cde494e8260069c14366edfc42358f057df6382a77da0f1

SHA512
696ae629e0ed5a353fdba3521a45e33b013ffb12d274e90ea96ce271e8c6e660280eb437140f5eec1e617cdb41be220d1a1cb39b476bbba229857cd42fb8242a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Participated

Filesize
108KB

MD5
70e099c6462c8ef9dbec213f5ce0496f

SHA1
f9fed8482e75329372eda0ec5ef5d9b228a7ffd5

SHA256
b84d99acccf17a6ca04803a2a3d8f115b610b6ee3ddf86353b79fc88748c037c

SHA512
e8176abb52afb32d962eca35ee756c99eef3592fcda2f3f3853392e8f6258ec027a20f48e8a1ca23e22494369efc091de6bf8ad636fdccd39a1eefa58acf611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Program

Filesize
176KB

MD5
0b6b9db466bb6f816784ee7380ea9572

SHA1
fa236a7c914ece18bce4e9538f7497df17a214ed

SHA256
ba01cc5b82a5ccb4087e3e430c6ede046c336a071e768300ccd976422da83847

SHA512
670ee24b2b98dbe8eda5bac654de21d759786f4eb797bda9ac5848102f2a652463c45a518ca92adf3351e0efd5e0c4947226effeb164fdc10306584781267507

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Reserve

Filesize
183KB

MD5
6145b2986f61b8dd11c301bc6b0279db

SHA1
d2142316774e6e920ec594071de22b48ca30630c

SHA256
e8ac10eda692a57273edcdecd449fdd8f37d6fea1f17829811ba46148ae3dc49

SHA512
4ee8a582c7a334063703393fb690fd48fef12eb631de2643efe4a7fde6b5a599de754043159bf0f42dca4235b4a0d68f38cf0a9f34ea3c6232c78662d3a0daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Slowly

Filesize
174KB

MD5
7cef207172cbdf6768101f8a2602f787

SHA1
20e50bd7257e773fab11928da0a6500693fbad11

SHA256
6c3482c9f62da91208f4f67fe2a41211f8a2a7929bfda4841495d20d29bf1e9c

SHA512
42e38ae3e936cadbb6b4d0eb013977bcbe3c80a9a44fd22f49ec1ba593625a4146122941e3b90f3a4c20680eb50d074607086cc1f52a851f4e5ae2eaf0ce44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Viking

Filesize
433KB

MD5
d2241c8bced7ee96287bc6e8b0deb59d

SHA1
e8c360585688cea64381f827950d302b6faebc94

SHA256
f11bbadb34467256d62f93ffc984813a7360dd52598937078916f9f1e8c10aa2

SHA512
50e7116a121ab71ec008229a9ddfa5b95092909c791575385c5db2a465a457ca83e77acc03107f8d9e3bc6a0e998d15a03705c5f890b680efe50cd3d89d3f5d3

Download Submit
memory/2836-36-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-34-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2836-33-0x0000000077C40000-0x0000000077D16000-memory.dmp

Filesize
856KB

Download
memory/2836-35-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-37-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-38-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-39-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-40-0x0000000003C30000-0x0000000003CAB000-memory.dmp

Filesize
492KB

Download
memory/2836-41-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download