15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe
Size

1.8MB
MD5

03fa96650130466d43c4b486c615294a
SHA1

88650e99ae745097810f096035a3272455e0b708
SHA256

15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4
SHA512

c0583e46f845e6a53a559ca4658d7203a921ff9fabb8a5cee20551e80f056d2def72c112921968435a3e30bb0dcd08bb824159f1bca1bcfa137bf3ee3263115f
SSDEEP

49152:gwsPtT+HW9zDL6axnzPmZ/lqTpv9Dasv3xzHM3kCJwf:gwMtSAXL68nzgITZBfxxCW

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2444 created 1212	2444	Enters.pif	21

Executes dropped EXE 2 IoCs

pid	Process
2444	Enters.pif
2252	Enters.pif

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2444	Enters.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2252	2444	Enters.pif	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2988	tasklist.exe
2244	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2928	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2444	Enters.pif
2444	Enters.pif
2444	Enters.pif
2444	Enters.pif
2252	Enters.pif
2252	Enters.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeDebugPrivilege	2244	tasklist.exe
Token: SeShutdownPrivilege	2252	Enters.pif

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2444	Enters.pif
2444	Enters.pif
2444	Enters.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2444	Enters.pif
2444	Enters.pif
2444	Enters.pif

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2924	1808	15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe	28
PID 1808 wrote to memory of 2924	1808	15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe	28
PID 1808 wrote to memory of 2924	1808	15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe	28
PID 1808 wrote to memory of 2924	1808	15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe	28
PID 2924 wrote to memory of 2988	2924	cmd.exe	30
PID 2924 wrote to memory of 2988	2924	cmd.exe	30
PID 2924 wrote to memory of 2988	2924	cmd.exe	30
PID 2924 wrote to memory of 2988	2924	cmd.exe	30
PID 2924 wrote to memory of 2920	2924	cmd.exe	31
PID 2924 wrote to memory of 2920	2924	cmd.exe	31
PID 2924 wrote to memory of 2920	2924	cmd.exe	31
PID 2924 wrote to memory of 2920	2924	cmd.exe	31
PID 2924 wrote to memory of 2244	2924	cmd.exe	33
PID 2924 wrote to memory of 2244	2924	cmd.exe	33
PID 2924 wrote to memory of 2244	2924	cmd.exe	33
PID 2924 wrote to memory of 2244	2924	cmd.exe	33
PID 2924 wrote to memory of 2540	2924	cmd.exe	34
PID 2924 wrote to memory of 2540	2924	cmd.exe	34
PID 2924 wrote to memory of 2540	2924	cmd.exe	34
PID 2924 wrote to memory of 2540	2924	cmd.exe	34
PID 2924 wrote to memory of 2764	2924	cmd.exe	35
PID 2924 wrote to memory of 2764	2924	cmd.exe	35
PID 2924 wrote to memory of 2764	2924	cmd.exe	35
PID 2924 wrote to memory of 2764	2924	cmd.exe	35
PID 2924 wrote to memory of 2596	2924	cmd.exe	36
PID 2924 wrote to memory of 2596	2924	cmd.exe	36
PID 2924 wrote to memory of 2596	2924	cmd.exe	36
PID 2924 wrote to memory of 2596	2924	cmd.exe	36
PID 2924 wrote to memory of 2692	2924	cmd.exe	37
PID 2924 wrote to memory of 2692	2924	cmd.exe	37
PID 2924 wrote to memory of 2692	2924	cmd.exe	37
PID 2924 wrote to memory of 2692	2924	cmd.exe	37
PID 2924 wrote to memory of 2444	2924	cmd.exe	38
PID 2924 wrote to memory of 2444	2924	cmd.exe	38
PID 2924 wrote to memory of 2444	2924	cmd.exe	38
PID 2924 wrote to memory of 2444	2924	cmd.exe	38
PID 2924 wrote to memory of 2928	2924	cmd.exe	39
PID 2924 wrote to memory of 2928	2924	cmd.exe	39
PID 2924 wrote to memory of 2928	2924	cmd.exe	39
PID 2924 wrote to memory of 2928	2924	cmd.exe	39
PID 2444 wrote to memory of 2252	2444	Enters.pif	40
PID 2444 wrote to memory of 2252	2444	Enters.pif	40
PID 2444 wrote to memory of 2252	2444	Enters.pif	40
PID 2444 wrote to memory of 2252	2444	Enters.pif	40
PID 2444 wrote to memory of 2252	2444	Enters.pif	40

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe
  "C:\Users\Admin\AppData\Local\Temp\15bf2e47fd14a3a676452ca26d5c2551a67140ed8e8d3f1ebce9e5fcb7aa3fb4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2988
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2920
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 27242
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond + Alot 27242\Enters.pif
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Disco 27242\r
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\27242\Enters.pif
      27242\Enters.pif 27242\r
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2444
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2928
- C:\Users\Admin\AppData\Local\Temp\27242\Enters.pif
  C:\Users\Admin\AppData\Local\Temp\27242\Enters.pif
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Alot

Filesize
45KB

MD5
0c257b9edbcc7f41af6e1027bc0713ee

SHA1
2149a7bb22476f85610c842c34628b2f22d8a549

SHA256
7ac226e081d090f2e3cb99104b4226fcd5e77cb83f7edb23081c1a2bd376533c

SHA512
f98b584e5112a81336ad4d7f2a1a4066028fc0c9d7a0b5b148172bd4c9a0485983ea868522a61999415837fdbd73401cb703138729e03831dc39bbe6c1f3f25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bathrooms

Filesize
13KB

MD5
a0d9b89b48e8fc49b82d019ee8500484

SHA1
5ca4d2e68d734e2314bc226f0bd6b5c04e0bdac3

SHA256
f231fe2acf36b89ade78b80eb336650de0e4a7e9bfee25e70bce55a93c77e02a

SHA512
1ac26f3815f4477a1ba6e73fe90587952fda18dd4da2ccd201bb5a36eebbe76270ace8b5f8764e279568ed394e5bdcf9ee10a429ad6c76f9b462c37043034fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compound

Filesize
161KB

MD5
da2be5607513a22a9d61d9538f5f0636

SHA1
e77975bb6f507b4089409a06ab2226a6d54bfefd

SHA256
640dd32f2764bdb5c0578093a02e828ff53e18d397512a1992bba583d1d2e648

SHA512
1f432b70928e2b41fe74427e086bca411c88710adba700c32bc6089d02684edd04859503269b95bfa64be7439ebbfd41d928d9a464717517db18e68bc3eb63f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disco

Filesize
2.8MB

MD5
8de31c24cb7fe99ff6348875de7cd146

SHA1
8e2afafc129d1ddfc6de010029bb867f1708c6f6

SHA256
dc30e0b588b256bd593502a28b6ce43f0da029b38fd70408b19b415d219066df

SHA512
6a20368a0cbc03e25fb699815f584727c050f4b583ff8ee467e4a03ce4123c29d2f90dc8a4745831f5bc860b7deaa68a2bc19364c46bfe136956d265539ac133

Download Submit
C:\Users\Admin\AppData\Local\Temp\Emotions

Filesize
261KB

MD5
8a83e45fdfd2f28ef8210428fecdef9c

SHA1
db669761c961b72e7771cd8317c582ef8e48ddd1

SHA256
7e9d688abe2dd7d1ac4796a62d9e816d8c3efe719f2de72ce6c49221e027d2a7

SHA512
74dff439e42139117e9d384cb6323039683aaf5c18ed71285eec65d215eb4bf4a4c3e284231f1e7da6af9147606e9ccf13f081fb84f7f311f4e444878a7ab1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injection

Filesize
194KB

MD5
4d21c2eec34495a74f67de9c7944bff3

SHA1
f9241a3fc121e397e23d6f3d07a3ee24b14137c2

SHA256
647a49b0eab7039c74d69e4142ed1be7f01afe9cbd6483d01039cf5b289973da

SHA512
8091201ebe4c08b105e558d2085aed1e90366ce289effa3e2d2a6b51d9364f1f68e3c1d8e54502931800a34d469152bb615e688d7563ac8b299de02c7161110c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Participants

Filesize
108KB

MD5
53c678fa488852a4533e20624a3f4ac2

SHA1
22af659f0f7b6f09e3780ecafa87dff857c29707

SHA256
33f67ac58e056d541e9ffc261620bb6069bc3bdc0690cf6b1b4402cf64476da4

SHA512
79f7f93f9bc6b731bed2a69868cf2451b4c255fda7500914e8a0580b0fa6a8d468b2a2ec27c01f9b007e0addf9b5bc1abd569edeea16496464461cb09cb71fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Richmond

Filesize
166KB

MD5
bc70f3222d729f92658b32a28c6d7375

SHA1
8591ee5231e1efcf3eadc507909ec98b2cf29614

SHA256
5f9ba61683e3b51ca21cb15674306b7c58b62ee68210d96ecf8fb00b1d396a2f

SHA512
10e7738f01e40321e305f89115df545c29a60bad47b91fca651cec8d1dcacb4551c72f838ac0a10f7d5739090d042ac429c85ebced5056809d0251d8c909f3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worm

Filesize
111KB

MD5
1624046c22d7d232e3ad77d456743551

SHA1
6ac978fe79d62baec9626ae3d18e2263ea91ede7

SHA256
0795d6a6fdc1bac55de379cd7f33e4440dc3645e748f91d2b3b4dddf38a8635a

SHA512
da89fc52fab7905d82fd1d9abb92ba53ec5f93f1ed296acab297aeeb8ce0b708052f8b519300926323001274d769b859778fbb7e736375f6e7c196f6287dcdc3

Download Submit
\Users\Admin\AppData\Local\Temp\27242\Enters.pif

Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
memory/2252-28-0x0000000000470000-0x000000000061C000-memory.dmp

Filesize
1.7MB

Download
memory/2252-29-0x0000000000470000-0x000000000061C000-memory.dmp

Filesize
1.7MB

Download
memory/2252-32-0x0000000000470000-0x000000000061C000-memory.dmp

Filesize
1.7MB

Download
memory/2252-33-0x0000000000470000-0x000000000061C000-memory.dmp

Filesize
1.7MB

Download
memory/2252-34-0x0000000000470000-0x000000000061C000-memory.dmp

Filesize
1.7MB

Download
memory/2444-25-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download