6dee81e04ac37e2ffa5d9bb0c22d782f010ebd72c249ccb4ad4bdaea24d36067

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b1dabfd79624a6c314e84e9223f1382.exe
Size

1.8MB
MD5

5b1dabfd79624a6c314e84e9223f1382
SHA1

015a0f9f8340060ee49d1f824f82cd37981f6217
SHA256

6dee81e04ac37e2ffa5d9bb0c22d782f010ebd72c249ccb4ad4bdaea24d36067
SHA512

99e4efac827c6b79ea15846e683ba0580baef4c7bbf87813ff17956b0caf47631ee76d5e0522ed4be299f419993729a66e06391ec9b2eee26e4ba1e6d339ecdf
SSDEEP

49152:NAvv2Q9GenxPXe/h6iXlQsPtT+0T5ehipEJ94J:Nw1GeRyh1lxtS0Fpo94J

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2440 created 1264	2440	Peers.pif	21

Executes dropped EXE 2 IoCs

pid	Process
2440	Peers.pif
1276	Peers.pif

Loads dropped DLL 3 IoCs

pid	Process
2224	5b1dabfd79624a6c314e84e9223f1382.exe
2960	cmd.exe
2440	Peers.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 1276	2440	Peers.pif	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2572	tasklist.exe
2632	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2476	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2440	Peers.pif
2440	Peers.pif
2440	Peers.pif
2440	Peers.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2440	Peers.pif
2440	Peers.pif
2440	Peers.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2440	Peers.pif
2440	Peers.pif
2440	Peers.pif

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2960	2224	5b1dabfd79624a6c314e84e9223f1382.exe	28
PID 2224 wrote to memory of 2960	2224	5b1dabfd79624a6c314e84e9223f1382.exe	28
PID 2224 wrote to memory of 2960	2224	5b1dabfd79624a6c314e84e9223f1382.exe	28
PID 2224 wrote to memory of 2960	2224	5b1dabfd79624a6c314e84e9223f1382.exe	28
PID 2960 wrote to memory of 2572	2960	cmd.exe	30
PID 2960 wrote to memory of 2572	2960	cmd.exe	30
PID 2960 wrote to memory of 2572	2960	cmd.exe	30
PID 2960 wrote to memory of 2572	2960	cmd.exe	30
PID 2960 wrote to memory of 2636	2960	cmd.exe	31
PID 2960 wrote to memory of 2636	2960	cmd.exe	31
PID 2960 wrote to memory of 2636	2960	cmd.exe	31
PID 2960 wrote to memory of 2636	2960	cmd.exe	31
PID 2960 wrote to memory of 2632	2960	cmd.exe	33
PID 2960 wrote to memory of 2632	2960	cmd.exe	33
PID 2960 wrote to memory of 2632	2960	cmd.exe	33
PID 2960 wrote to memory of 2632	2960	cmd.exe	33
PID 2960 wrote to memory of 2432	2960	cmd.exe	34
PID 2960 wrote to memory of 2432	2960	cmd.exe	34
PID 2960 wrote to memory of 2432	2960	cmd.exe	34
PID 2960 wrote to memory of 2432	2960	cmd.exe	34
PID 2960 wrote to memory of 2460	2960	cmd.exe	35
PID 2960 wrote to memory of 2460	2960	cmd.exe	35
PID 2960 wrote to memory of 2460	2960	cmd.exe	35
PID 2960 wrote to memory of 2460	2960	cmd.exe	35
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2744	2960	cmd.exe	36
PID 2960 wrote to memory of 2596	2960	cmd.exe	37
PID 2960 wrote to memory of 2596	2960	cmd.exe	37
PID 2960 wrote to memory of 2596	2960	cmd.exe	37
PID 2960 wrote to memory of 2596	2960	cmd.exe	37
PID 2960 wrote to memory of 2440	2960	cmd.exe	38
PID 2960 wrote to memory of 2440	2960	cmd.exe	38
PID 2960 wrote to memory of 2440	2960	cmd.exe	38
PID 2960 wrote to memory of 2440	2960	cmd.exe	38
PID 2960 wrote to memory of 2476	2960	cmd.exe	39
PID 2960 wrote to memory of 2476	2960	cmd.exe	39
PID 2960 wrote to memory of 2476	2960	cmd.exe	39
PID 2960 wrote to memory of 2476	2960	cmd.exe	39
PID 2440 wrote to memory of 1276	2440	Peers.pif	42
PID 2440 wrote to memory of 1276	2440	Peers.pif	42
PID 2440 wrote to memory of 1276	2440	Peers.pif	42
PID 2440 wrote to memory of 1276	2440	Peers.pif	42
PID 2440 wrote to memory of 1276	2440	Peers.pif	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\5b1dabfd79624a6c314e84e9223f1382.exe
  "C:\Users\Admin\AppData\Local\Temp\5b1dabfd79624a6c314e84e9223f1382.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Moments Moments.bat & Moments.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 4625
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Closing + Search + Going + Situated + Proper 4625\Peers.pif
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Utils + Www + Types + Preferences + Latex + Judge + Struct + Ibm + Knew + Council + Smell 4625\R
      4⤵
      PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\4625\Peers.pif
      4625\Peers.pif 4625\R
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2476
- C:\Users\Admin\AppData\Local\Temp\4625\Peers.pif
  C:\Users\Admin\AppData\Local\Temp\4625\Peers.pif
  2⤵
  - Executes dropped EXE
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4625\Peers.pif

Filesize
350KB

MD5
13933572948c1ef9c5dcafb0428821ff

SHA1
c115042df03f8fd79ac207ea25be80d7bee2be09

SHA256
d00e2fa24391b1ca6f06d48b049f2e486a6f394052bfca08aacf34651ee3c083

SHA512
cd475bc68863f2bbcd2e0419b650177bcaf61a50aa41b5feb1a399cfc62d2649aa02c5d97b385a7612be8995ffcf138e25585c24b5964ba1732151340f08527a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4625\R

Filesize
2.8MB

MD5
54811de6978cd530405fd0ecc3485675

SHA1
965afbe3b3d343b5c2f46150081334e6640e5828

SHA256
903a8ea88b0dd1a993da4c6fcb8160323035492c69873776d226bd04775a415f

SHA512
7147d2926426f8970d194db76acb827a9edac2916e3841b136a6c4730545ab2be6eff8b9e127cf827922530154395f4a8d7b3567f1978757a87c025186d11767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Closing

Filesize
172KB

MD5
1d9bc84b0dde55ab1d8741d23aa57baf

SHA1
30e8bae07f6b631282b9aaeec5ac807a467b0c4a

SHA256
333bbe23c6f8faeaa0cda9ddcc92cc88bc8d5368d8519b1f9481454b4129dbfa

SHA512
11efcb1d9c48217e818c81225993502b8b036485405cf698dfe30aad10641c8c0d679c935a5a5666f90bbdbaa81d2af40a280eeb1cdffc1c01da9b85b867818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Council

Filesize
263KB

MD5
72b6aa8531c4940075e60750f8cfd809

SHA1
50c5b0cf838ef9445d19ed885df5dfc74fe68b3c

SHA256
ca87806f294e69e84974a008843dfec6ee7c8117a3c170586807fc83ca163390

SHA512
af84ca943f93a929dd6595cefbc34a13b7df43119867575c6cf3b3c653598a36ef51fc03e78cf284b5f4eae247f54f1fcd4246022d88642a0fdef559d713a6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Going

Filesize
249KB

MD5
6ef119c776de09a07df1a6d5156a5310

SHA1
950ee78637aa18167900a17e565568c66a53c2be

SHA256
dbc84392ba3d259d8d290565b07d6ff8e44f791c3b0ad70901dc323ce5a2c017

SHA512
e7645323d19a6b417baece6912ee7b177be519949b957a6b6ef680b3917a9e54932f9dbded2bbcf77e64554264053920f1cf3a792abe0a5d3b1a33dff33415c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ibm

Filesize
206KB

MD5
2c1717b377880f16a34b71497224efcb

SHA1
bbb222036446e704c1dc7d30e5f3aae44a361684

SHA256
c6becbd79392c02f1aaf16d05c07ae31003b066d7e6c2935c71174e867d8d050

SHA512
8c8dd47dd3f30cfbf7f18d23a9106333ce8ce3af99151070cacf3de95e340bc0ce4f3836cb0f4cdce36f40443cbb5370adccfe783c562746e8c76f5441f131b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Judge

Filesize
250KB

MD5
bd498c5599ef4dca950a8a7b082e19b6

SHA1
9518f0e9d23ab0e73fb7f19f29cf283a16b49db7

SHA256
51907c16986a7d0e0bdbaa0a5c9b4768de81d6e5821a7282161804b106f26f29

SHA512
ac84f87b63858d358fdf3dbbbcd695f6227eb730038dda279cb3ee416ca8485f8edff75ed361272812b9345d1b3c58d4e932cf115323e3e90d269a1a834ecd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knew

Filesize
294KB

MD5
8db963c83ef5b54de7da977447e77ca3

SHA1
59467349371678b6c8ccacb360b1cbcb625606a6

SHA256
471717f8412fa1da9097f4177b3d43c56b0da233b0f52c93592347a2018f88a3

SHA512
48d92026e49585242411bc7364e09910572b4f4e677ca27dd5ac8cceb746fcae8ff3c5893f382dd819909dc9f3d163a07845ecf2213d023282f5dbb5341b1bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latex

Filesize
292KB

MD5
5916cf7e8c1ecaa3756b09f080b2c9ad

SHA1
dc589233af21e1c437565490958203ec9ed2db9b

SHA256
2bca445bcf67afd6496014e1491c9374f4346cbe2d9bfe4f60bcf8db1d7e02ea

SHA512
35af8f08df82c738a38bb342e34d36fc1733642553ed4273559154f8275ec9288a7db80469935c1525302da1118e75cf7ba865c41edae43163b77d456fbbc594

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moments

Filesize
12KB

MD5
a590da9fe5be91f5aa96600fd9453998

SHA1
3709e36d620a831b8768172df67cc16ae4b30f61

SHA256
d66d805489931df175fb616d5bdd0af02a83f45c3e72a3ab571c32f4b61acf03

SHA512
3cc19076fe049b7872473bb66165006c0a3a894aeb1ecd415aa654c0705d2022289cc72cf144d0ad4defb456c83c38f702df4b3e275b40c1557f415dc28de832

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preferences

Filesize
244KB

MD5
c5c836ac086649ab7cbdd589568aaecf

SHA1
a3116702ff60cd0252be6f56122e80a6892b8860

SHA256
6a7fa07c762ea0ea171865326eb57c75e043b95811d625f4aae439012074823b

SHA512
8f7fa0edd69259257b33053676c96f133a5a9ee87de1166a7f455cad28aa3fa41513313197161c05825bfa0f8dfcdc88e59668e60af2182d75eaca1dfef5c9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proper

Filesize
293KB

MD5
10e2241ac2d4dfdc8cb9f545251d140c

SHA1
7d7c9a7757d3dd3be07d572b85dfa350819313e3

SHA256
a84089b96581c7bffb9d7f6f959d07d7a21422438bffb5dbe57c0a0835b696ba

SHA512
d190a6fdbd93ba4e46d5ac995aebe940477416548d1775fd654fba32d92731d6b0c68febf5d9ae0c6261196e398b26871b6aaa171a50a8fc158d2854fde00f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Search

Filesize
141KB

MD5
3b977b744bfd8f9cf50b3c421ec73d4f

SHA1
954a9df18ac85aafef0722a686a6d7ec150cd29e

SHA256
27e71c90564060997905448c2d7ea5afe2951ed36a5c347bc511289f663ed8fa

SHA512
daff3f50b5ebf3d188f96ea2ccaeec87fb6074b97c78cdb4e11cdb5d04694ba96159e1e5406dab1bf26fcebc789a3c826dc41a7fde7abbf8bd32b5741530d36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Situated

Filesize
191KB

MD5
c405a1c430b65c164848af01294e973f

SHA1
bc0fecbc69892fb7002f818eb8d9236262ca4be4

SHA256
235db9e6cad7956467482bf5ed9db3166dbc1b97fb4acbcdfae6350ecc59d35a

SHA512
35dd4ba062c1a7a113cbb0e7b1f9af7f84541642f179772ed1f7da3562e7b6fa192f75f0afc2a47de155e7d767bcdd909883920c24a5295ac7b66ed8233fb576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smell

Filesize
209KB

MD5
8b3cd46a6655370a708cfa0a914cf105

SHA1
5ed6776dc5bbeb8438148fabd153b384ae3315e2

SHA256
d7f5aa1f5d21bfb8cdde838cc6283dca5f0c34fda850c7b4691c9952085db633

SHA512
316b4ce45c79390b17a06bf4ee9965d45e23cdf8e31591624545ef1a788cb627391ade720f84d1b0923a32536401352f279fb8c93780ed253d1ec1d7c187b4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Struct

Filesize
241KB

MD5
0584325aa6df41f6a13b90555db4dea0

SHA1
07bce59c1eebe18cab6e4443e921dcb2ba5486f8

SHA256
b869b900a59d0abcb88ea089cae3efbae14c65d5a5c0dbc0a0a963df233aaa9c

SHA512
08f7e23d48081fcf1130bf35c83db3b169d160305507f04c408542fecf905f32ca0be0ccd6c3c1e2367299eb95be21c37fb9cfc1589447f30c5c76c577751135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Types

Filesize
284KB

MD5
f9b559dc46a66365ffbb869d02dfb346

SHA1
07cb230058a56f43427eb1894f8a12a02fd2468a

SHA256
3f612b0ecf3bd5784530ea82f116400d55dd8b40bd913b73eb3941b4679aee73

SHA512
c1d8c3182284a8fdc2365dacc160ca42a99c3bf8b4870086837e03402d80083b861d72ab42df0816ff7acfd6a3b689e3df01d2bdd839440c0b8edd15b9d472c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utils

Filesize
279KB

MD5
5d7f52c07d9b20d4243147c5820a8fef

SHA1
163e00f6fa91b620c5c1a8b1e1efdd2b43a3cbfb

SHA256
9f6f8d5dbae73bd584f4a6e104fbffba22a42d3ae67bbcae8b0e13d014449283

SHA512
b591e5dd032643d066247c1807f62668fad461429afcd2e4e0641a7d56d6bebaf07f086e5eeb0d429232338665ae6374f5871994f363f51408955f7eda2a92eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Www

Filesize
263KB

MD5
ea37c821d1b156f038cfd3db724b9bcc

SHA1
91076b5e5ee8632bafc2056d469cae883ef80408

SHA256
4ff090b36e166df1c7ae0c62a03180bdd658238af5490de032390fd28df61a49

SHA512
c598833c8893faf093328afb69278562cc8eae76ef9f2af2269e8c773f0500f057e200a27332e33df2fc69a299fbcdaf85f7052040bbdcf7329a139b258287bc

Download Submit
\Users\Admin\AppData\Local\Temp\4625\Peers.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
\Users\Admin\AppData\Local\Temp\4625\Peers.pif

Filesize
659KB

MD5
a3668f860ae3f56e03a60e0fc6176e7e

SHA1
61ffe40ac43641e68dd05471ce038fd4ac6b9d85

SHA256
40327240235acb54e672b241d45053d6420587db72cdea4a3fe55b66f9626233

SHA512
1fb0dea8988e863bc0346e2265c26a5589840d2e7cd57c6123d859245a092decf35a1f51c59b6c1db551fe61739722a668495af52dfabbe565d6493cedab8ec2

Download Submit
\Users\Admin\AppData\Local\Temp\nst98F6.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/1276-50-0x0000000000460000-0x000000000060C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-51-0x0000000000460000-0x000000000060C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-53-0x0000000000460000-0x000000000060C000-memory.dmp

Filesize
1.7MB

Download
memory/1276-54-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1276-55-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2440-47-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download