dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe
Size

1.4MB
MD5

04367a86c2d056e9ae73ab1c36555b44
SHA1

2c86756bc416f82919f6797d42977331ee44c5e9
SHA256

dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0
SHA512

f77b69fcc463a10573e3e2630a9707f8f856038b3763f192e607f71b9eb4555fa309b86e4bbd7ed0e15552b234c5513c964811be030ad80d17d86f12cbe27d49
SSDEEP

24576:sc8766GIxzD/8s0ZmzE3akj+qspLp2mmJWIB+mytyrmeIybBC:sc8gazDks0043spLp2mQsHmDNC

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 592 created 1212	592	Dealtime.pif	21

Executes dropped EXE 2 IoCs

pid	Process
592	Dealtime.pif
2468	Dealtime.pif

Loads dropped DLL 2 IoCs

pid	Process
1116	cmd.exe
592	Dealtime.pif

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000563000-memory.dmp	upx
behavioral1/memory/2236-25-0x0000000000400000-0x0000000000563000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 2468	592	Dealtime.pif	44

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1620	tasklist.exe
948	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
704	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
592	Dealtime.pif
592	Dealtime.pif
592	Dealtime.pif
592	Dealtime.pif
592	Dealtime.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	948	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
592	Dealtime.pif
592	Dealtime.pif
592	Dealtime.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
592	Dealtime.pif
592	Dealtime.pif
592	Dealtime.pif

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2364	2236	dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe	31
PID 2236 wrote to memory of 2364	2236	dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe	31
PID 2236 wrote to memory of 2364	2236	dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe	31
PID 2236 wrote to memory of 2364	2236	dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe	31
PID 2364 wrote to memory of 1116	2364	cmd.exe	33
PID 2364 wrote to memory of 1116	2364	cmd.exe	33
PID 2364 wrote to memory of 1116	2364	cmd.exe	33
PID 2364 wrote to memory of 1116	2364	cmd.exe	33
PID 1116 wrote to memory of 1620	1116	cmd.exe	34
PID 1116 wrote to memory of 1620	1116	cmd.exe	34
PID 1116 wrote to memory of 1620	1116	cmd.exe	34
PID 1116 wrote to memory of 1620	1116	cmd.exe	34
PID 1116 wrote to memory of 1124	1116	cmd.exe	35
PID 1116 wrote to memory of 1124	1116	cmd.exe	35
PID 1116 wrote to memory of 1124	1116	cmd.exe	35
PID 1116 wrote to memory of 1124	1116	cmd.exe	35
PID 1116 wrote to memory of 948	1116	cmd.exe	37
PID 1116 wrote to memory of 948	1116	cmd.exe	37
PID 1116 wrote to memory of 948	1116	cmd.exe	37
PID 1116 wrote to memory of 948	1116	cmd.exe	37
PID 1116 wrote to memory of 2248	1116	cmd.exe	38
PID 1116 wrote to memory of 2248	1116	cmd.exe	38
PID 1116 wrote to memory of 2248	1116	cmd.exe	38
PID 1116 wrote to memory of 2248	1116	cmd.exe	38
PID 1116 wrote to memory of 1992	1116	cmd.exe	39
PID 1116 wrote to memory of 1992	1116	cmd.exe	39
PID 1116 wrote to memory of 1992	1116	cmd.exe	39
PID 1116 wrote to memory of 1992	1116	cmd.exe	39
PID 1116 wrote to memory of 2024	1116	cmd.exe	40
PID 1116 wrote to memory of 2024	1116	cmd.exe	40
PID 1116 wrote to memory of 2024	1116	cmd.exe	40
PID 1116 wrote to memory of 2024	1116	cmd.exe	40
PID 1116 wrote to memory of 872	1116	cmd.exe	41
PID 1116 wrote to memory of 872	1116	cmd.exe	41
PID 1116 wrote to memory of 872	1116	cmd.exe	41
PID 1116 wrote to memory of 872	1116	cmd.exe	41
PID 1116 wrote to memory of 592	1116	cmd.exe	42
PID 1116 wrote to memory of 592	1116	cmd.exe	42
PID 1116 wrote to memory of 592	1116	cmd.exe	42
PID 1116 wrote to memory of 592	1116	cmd.exe	42
PID 1116 wrote to memory of 704	1116	cmd.exe	43
PID 1116 wrote to memory of 704	1116	cmd.exe	43
PID 1116 wrote to memory of 704	1116	cmd.exe	43
PID 1116 wrote to memory of 704	1116	cmd.exe	43
PID 592 wrote to memory of 2468	592	Dealtime.pif	44
PID 592 wrote to memory of 2468	592	Dealtime.pif	44
PID 592 wrote to memory of 2468	592	Dealtime.pif	44
PID 592 wrote to memory of 2468	592	Dealtime.pif	44
PID 592 wrote to memory of 2468	592	Dealtime.pif	44
PID 592 wrote to memory of 2468	592	Dealtime.pif	44

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe
  "C:\Users\Admin\AppData\Local\Temp\dfebde9ad6b1591c0044fcfbf6336cb9a9088409179055e4d438cd95b4d7bda0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Prerequisite & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1116
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 2066
        5⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Foot + Opportunities + Aids + West + Intention + Impacts 2066\Dealtime.pif
        5⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Classifieds 2066\k
        5⤵
        
        PID:872
    - - C:\Users\Admin\AppData\Local\Temp\24197\2066\Dealtime.pif
        
        2066\Dealtime.pif 2066\k
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:592
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:704
- C:\Users\Admin\AppData\Local\Temp\24197\2066\Dealtime.pif
  C:\Users\Admin\AppData\Local\Temp\24197\2066\Dealtime.pif
  2⤵
  - Executes dropped EXE
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24197\Aids

Filesize
125KB

MD5
c31925d66d33f86b34eec8c339f25405

SHA1
7587de4e12737072904dc5e989b9fceb7e9286d1

SHA256
2ede2200ba9c420994842e64d7f1507fb35964fce83f387df13a8fd3051fd8c6

SHA512
127cc2601082177d2853f041a4022a31cedba1191a9fd948c1eac3935a66d1f37b7c4857ebd00f853ffb46aae44b50b1d5d4356c23a690cf05e0a569bbfd5840

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Classifieds

Filesize
458KB

MD5
86ab0cf5d57633056da8955c7851abd0

SHA1
80f5bb720a6445db65688298c405bc939c20a59c

SHA256
e81a41e9a3dd657f3f3274be30d40702619844fff903a5f2c12f9df05f4a1b0e

SHA512
a362f73161f18f9c6ec25d18b6998840423628b6c94647ac574ef072c63d3fe84408275d1ce29de06a1b0450eba5f99d204ffc3552aa1497d12e9a5b0deb289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Foot

Filesize
185KB

MD5
decef1a175da2397c2c359b162e32a97

SHA1
8113f75d8e912d2e5e85d9aa4f9a274b0d8e2d08

SHA256
ff82d71c64fc6a01a6baa05520639510673a620b1a9bc21f6c14b8c7268eea90

SHA512
2990ddadc97285f636b69129a8f1bffa1b5386f0c70cd6e575fa4b420469d882974eff2743378555bb4323dd9549e6a75a04e660dad3ed94398fd0759f434468

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Impacts

Filesize
28KB

MD5
cdf46d64c7054696fd041dc1bb29b3e8

SHA1
1616df10d5c4ca71c9eb077f362538856f9565ff

SHA256
98362c89475d31186a4cd51f36ac1fcfec83250f933a02c823aae6f596f10887

SHA512
75b338d5b22de9ecd1501c0c8871c4f0b0a79f26dc92ef7becfc59186268a9ee6fa1edb5d8001f281ea27bd15dbcc1bcd6b89e81170ec5640dd0289923d7a01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Intention

Filesize
104KB

MD5
43c5fa2339c0fa550267d521df79a092

SHA1
f0844cdf8cc9a02ba9e1f87e53dd8180de1386fb

SHA256
38bced2f289f04cd630371dec49e15a40ea24324b0c99392814f0ec573c3d648

SHA512
450602dd1218d0db428aaf606af3c9cfb266e724577b3d214120a7473e3a7b41f29d6d518cd6deb6d70d1a32841ad3cae37a72c2eb4a1f67f3d4c6ef9fcd67a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Opportunities

Filesize
236KB

MD5
70c4aa4346c4a7c4d06ed9776d7f15d1

SHA1
d1e74b760e0cb746842d1d610cd7914889a72938

SHA256
9ba3db16a3b01ba6cdc6b02a2b5b00a707c68d334fd16f3fe9a7fe50b491ad0b

SHA512
bf91e86f8215dc823fd60c71f29860752118212f355afbda5195726674b629f63ba8c9a6ed4614da0a18cdece240988e9e9013e92c359279a61d874c002bc39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\Prerequisite

Filesize
13KB

MD5
df9742168012e61ae8f6227bf3bdd8fa

SHA1
72ff92c9c050fa2ecc8adde2cc11c5827c97c13b

SHA256
efbf5c350834f2f1ebdab7d88ad3afccc9e0ad8941d215b02d13df612d97e6c9

SHA512
b0edd5d5002af43e4444f47c0e54427e0ca1262d6e0be3f3fcce4be92bec9fbbf92b449e606fcb43c1e9ced2b9de3abe7707826de338bbeef94674f3c5093d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\24197\West

Filesize
246KB

MD5
4010b0a0789d6dfdfea84dd8debc5d2f

SHA1
22dd28e8536942bddd71154e262eb39dfbddfef9

SHA256
29c39cf81b78124145a6af1718326aef5860804b90c79ab1ed3e20789a8ed391

SHA512
f6030e772fce2ebca4fe46c35ed66bf3b8aeb247d3e245cbed2b32255c7cc27ed144fb6cb4bfb03fdd238be1f58ef1a00f411d85f73877b622a8393e0f324fb0

Download Submit
\Users\Admin\AppData\Local\Temp\24197\2066\Dealtime.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/592-27-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2236-25-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download