ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182

Analysis

max time kernel
118s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe
Size

768KB
MD5

ad27c002c314717f78cadab27bf049cf
SHA1

8467513920df45cc742760f05fef909b54a95261
SHA256

ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182
SHA512

a691790f69341f28173e6a83200480af952ca35af0724d670d8b4a52264c991cfb61ee6cc513615414a2864071244753b84122d493a67f2f73d47a2395e5255e
SSDEEP

24576:gbGdMU29P/8RLgad7P3BeJlDff4WGVF9kkzB:qG+xsZgg7fMJlDIVFTzB

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2900 created 1252	2900	Victoria.pif	21

Executes dropped EXE 2 IoCs

pid	Process
2900	Victoria.pif
2072	Victoria.pif

Loads dropped DLL 2 IoCs

pid	Process
2648	cmd.exe
2900	Victoria.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2072	2900	Victoria.pif	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2412	tasklist.exe
2544	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2868	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2900	Victoria.pif
2900	Victoria.pif
2900	Victoria.pif
2900	Victoria.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	2544	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2900	Victoria.pif
2900	Victoria.pif
2900	Victoria.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2900	Victoria.pif
2900	Victoria.pif
2900	Victoria.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2648	2740	ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe	27
PID 2740 wrote to memory of 2648	2740	ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe	27
PID 2740 wrote to memory of 2648	2740	ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe	27
PID 2740 wrote to memory of 2648	2740	ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe	27
PID 2648 wrote to memory of 2412	2648	cmd.exe	29
PID 2648 wrote to memory of 2412	2648	cmd.exe	29
PID 2648 wrote to memory of 2412	2648	cmd.exe	29
PID 2648 wrote to memory of 2412	2648	cmd.exe	29
PID 2648 wrote to memory of 2680	2648	cmd.exe	30
PID 2648 wrote to memory of 2680	2648	cmd.exe	30
PID 2648 wrote to memory of 2680	2648	cmd.exe	30
PID 2648 wrote to memory of 2680	2648	cmd.exe	30
PID 2648 wrote to memory of 2544	2648	cmd.exe	32
PID 2648 wrote to memory of 2544	2648	cmd.exe	32
PID 2648 wrote to memory of 2544	2648	cmd.exe	32
PID 2648 wrote to memory of 2544	2648	cmd.exe	32
PID 2648 wrote to memory of 2576	2648	cmd.exe	33
PID 2648 wrote to memory of 2576	2648	cmd.exe	33
PID 2648 wrote to memory of 2576	2648	cmd.exe	33
PID 2648 wrote to memory of 2576	2648	cmd.exe	33
PID 2648 wrote to memory of 2408	2648	cmd.exe	34
PID 2648 wrote to memory of 2408	2648	cmd.exe	34
PID 2648 wrote to memory of 2408	2648	cmd.exe	34
PID 2648 wrote to memory of 2408	2648	cmd.exe	34
PID 2648 wrote to memory of 2416	2648	cmd.exe	35
PID 2648 wrote to memory of 2416	2648	cmd.exe	35
PID 2648 wrote to memory of 2416	2648	cmd.exe	35
PID 2648 wrote to memory of 2416	2648	cmd.exe	35
PID 2648 wrote to memory of 2484	2648	cmd.exe	36
PID 2648 wrote to memory of 2484	2648	cmd.exe	36
PID 2648 wrote to memory of 2484	2648	cmd.exe	36
PID 2648 wrote to memory of 2484	2648	cmd.exe	36
PID 2648 wrote to memory of 2900	2648	cmd.exe	37
PID 2648 wrote to memory of 2900	2648	cmd.exe	37
PID 2648 wrote to memory of 2900	2648	cmd.exe	37
PID 2648 wrote to memory of 2900	2648	cmd.exe	37
PID 2648 wrote to memory of 2868	2648	cmd.exe	38
PID 2648 wrote to memory of 2868	2648	cmd.exe	38
PID 2648 wrote to memory of 2868	2648	cmd.exe	38
PID 2648 wrote to memory of 2868	2648	cmd.exe	38
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41
PID 2900 wrote to memory of 2072	2900	Victoria.pif	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe
  "C:\Users\Admin\AppData\Local\Temp\ceb6b3d9b2ae0430495caaecedbdd494ff5cd44cb24780cbbb2863efa9386182.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Latter Latter.bat & Latter.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 24882
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Prev + Objectives + Publishing + Planning + Eight 24882\Victoria.pif
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Designation + Chorus + Place 24882\B
      4⤵
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\24882\Victoria.pif
      24882\Victoria.pif 24882\B
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2900
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2868
- C:\Users\Admin\AppData\Local\Temp\24882\Victoria.pif
  C:\Users\Admin\AppData\Local\Temp\24882\Victoria.pif
  2⤵
  - Executes dropped EXE
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24882\B

Filesize
521KB

MD5
2ea6936964f3396a440d6fcd1d0e6a40

SHA1
c1b605042274a26061f9b3acf6e3e3c84d0dd27d

SHA256
ee33bc9748fc3f2799d43df04ead1df383764f6a00e85cb6865a456b1023bf27

SHA512
8e3c462a5ab1f47e834ebbe64a320d68d7e98dc5a50a3d21127d9731c168dcd64a1ed77a33c514d2cbe56daa981073942eb878504e58cffd864f28c68facbba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\24882\Victoria.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chorus

Filesize
296KB

MD5
6289f0044be469e5cc5d78425de1ecd2

SHA1
1633cbe5c9c79ff74cef4ef8d44221d16dc7c674

SHA256
68c92d709cd12a0decce387d841e41519f68979ff305aff68738a81e538c2434

SHA512
256d3016d615d47f71f762b339ef842d1da613323aa8beb3b67afbb3271b5a5001e470d9331039fbf5600b87e49d40fe41af29dd96cdaef8af37dfee37c83f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Designation

Filesize
209KB

MD5
c1cc1aa18b9007c18d77d379897ca025

SHA1
64c85a49243812f66e0dd819129cb99ee10ef763

SHA256
5ff84c86bbb50331fb0a8dda84591ff259d236aa54fb1c7e14e420e916d340cc

SHA512
791c7cdc14c4947460327d9cb4b9a524dcf948ece3f96446a0d8da8cd938922dcb5695a16b011ab7910581341ca1b0088dc1df7f45712dfdcb78a2058d56c310

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eight

Filesize
76KB

MD5
521f2aed387524bdd7052bb4f23c0018

SHA1
7c57b9c934705f1ba9418840afef2f0af8e69168

SHA256
d38464b74940765c78bf06478029f2366bfbca7c9b965c164efb2886e98c3d6a

SHA512
73366414419bb41c192a74f56a94c867d50187c24e07cc9ac33f4dbab31ea756671dc879a9bf78735596f8c96976fd595dd987702daadd9b8b25ea543a12c474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latter

Filesize
12KB

MD5
202cd0ed4d5a42ef36c223e2e041bae9

SHA1
814d8e675a6c57811052f1f116e51605f11c5c7a

SHA256
dfab3a6b7e63339e8a23e9270cbbd49fa5d9efe42512339e1a7a915bd04d7b10

SHA512
e66ab9d35dbc6cb593f90b31d739fd361bb2426f8137121b6f297663b970ba8e2ffd0e53e72d3137ce705ebee3f254646fc6d350b0fcb432276761b664f7cb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Objectives

Filesize
109KB

MD5
93fc6d378cf9f3e4bd856b24e758032b

SHA1
23509fad0ad1dc5cead9b4f8e0efe2b1a52c2536

SHA256
21cc51aee34eef0c66dbc4c633bedc390dba87482289b7a31e15806b9dfb60ad

SHA512
e8304645ae862af43af2d8596626764420a4c6acaa4cb1a4a1eacab231a0351a04b1130609c34e8b2c58e13b97f048af5f97bcbcee8ace3eef9955228b57285e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Place

Filesize
16KB

MD5
9ea9a13f6966bda0647d6f83f6d257fb

SHA1
36d5c6d95368508c5878bf08e2a2bc753aaf7aec

SHA256
5db649df3c48e3e7e47f9bfa222fc229b4a000dadd9d12b83fde569ed2ee81a3

SHA512
4c3a3359777a16c190973eefd001e166f76dee32482493b0da2c635b90a143aef35a36101ff66daa1b60eeaec945c3d93a8d82b51cc8a70e48bc6b9c3199db2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Planning

Filesize
284KB

MD5
9bb02422262416ba9e804e520ab576be

SHA1
3d6b62a8f9d8d846c8e05495819b5320ada507c6

SHA256
fb7337b18c69464c4c84b9ecb69d62f6f693460c86d0e5ab3586c315c59cac97

SHA512
febc9d3221329aa1150dc3b1b81afe858634bb3a096939ae5cbef87d9c7dc3613265baf1e40befac34798ac186802d17437f04cadff4b3ade71332647ece10e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prev

Filesize
173KB

MD5
8d019b45973901b4854eec33096d05c0

SHA1
1dfb37a78659ba3917c6479ead9c9f645bbb8331

SHA256
d4dce3c852197709b13ad7a426d2e515d3d7d0d52d79d4b1de7f3c8e5f881ff3

SHA512
9e23a4d76c707476e0c342dc6468c153571a5e1a106397d80c8ade95682119bd3bfe45ba803521327d61d926c14bcb3b61fd1869de4881956453a53183e98af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Publishing

Filesize
282KB

MD5
5c3dd15e00b94c2d9b169d10e4f89144

SHA1
32f0c00bcf18cc51ed0ff7bcab2cb6b62ff08620

SHA256
d2ad4b17ef916f37ba03c3a7f5c3e3733a7b63bc18eda759f0e8744d682af9c4

SHA512
1f4c9bc47efe1c5644042daa5575dd2fbfc92de604b1af7c70fb77070f5b1d2928811d84e47ddabae08b4bf7248a23c66690413d6a75cb1b683e3c893068c4eb

Download Submit
memory/2900-24-0x0000000077860000-0x0000000077936000-memory.dmp

Filesize
856KB

Download
memory/2900-26-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download