Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15/04/2024, 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: $INTERNET_CACHE/Engineering.ps1
  Resource: win7-20240220-en
Behavioral task: behavioral4
  Sample: $INTERNET_CACHE/Engineering.ps1
  Resource: win10v2004-20240412-en
General
Target: 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
Size: 1.6MB
MD5: 04f5d1b6bda7ccc4db153d22e4e12bda
SHA1: a778abde72a988fbf72585d61a4561716df3b3ae
SHA256: 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8
SHA512: 7c71158b19406b44ef30fa14588dcca1f4dac5ae8e4881274d8320d331641774b80cdbd880e19dac7576373d00462126dd557fcaba747a85103b0dfa837a39a5
SSDEEP: 49152:Qc0wxLJlJfM3uX1P0LapiWJQudoa9ylQ5:Q3wxLK+XjJZye
Malware Config
Extracted: risepro
45.15.156.142:50500
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description | pid | Process | procid_target
  PID 2584 created 1356 | 2584 | Are.pif | 21
Executes dropped EXE (2 IoCs)
  pid | Process
  2584 | Are.pif
  2304 | Are.pif
Loads dropped DLL (1 IoCs)
  pid | Process
  2376 | cmd.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2584 set thread context of 2304 | 2584 | Are.pif | 40
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid | Process
  2112 | tasklist.exe
  2644 | tasklist.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2468 | PING.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2584 | Are.pif
  2584 | Are.pif
  2584 | Are.pif
  2584 | Are.pif
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2112 | tasklist.exe
  Token: SeDebugPrivilege | 2644 | tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2584 | Are.pif
  2584 | Are.pif
  2584 | Are.pif
Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2584 | Are.pif
  2584 | Are.pif
  2584 | Are.pif
Suspicious use of WriteProcessMemory (46 IoCs)
  description | pid | Process | procid_target
  PID 2196 wrote to memory of 2376 | 2196 | 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe | 28
  PID 2196 wrote to memory of 2376 | 2196 | 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe | 28
  PID 2196 wrote to memory of 2376 | 2196 | 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe | 28
  PID 2196 wrote to memory of 2376 | 2196 | 612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe | 28
  PID 2376 wrote to memory of 2112 | 2376 | cmd.exe | 30
  PID 2376 wrote to memory of 2112 | 2376 | cmd.exe | 30
  PID 2376 wrote to memory of 2112 | 2376 | cmd.exe | 30
  PID 2376 wrote to memory of 2112 | 2376 | cmd.exe | 30
  PID 2376 wrote to memory of 2124 | 2376 | cmd.exe | 31
  PID 2376 wrote to memory of 2124 | 2376 | cmd.exe | 31
  PID 2376 wrote to memory of 2124 | 2376 | cmd.exe | 31
  PID 2376 wrote to memory of 2124 | 2376 | cmd.exe | 31
  PID 2376 wrote to memory of 2644 | 2376 | cmd.exe | 33
  PID 2376 wrote to memory of 2644 | 2376 | cmd.exe | 33
  PID 2376 wrote to memory of 2644 | 2376 | cmd.exe | 33
  PID 2376 wrote to memory of 2644 | 2376 | cmd.exe | 33
  PID 2376 wrote to memory of 2700 | 2376 | cmd.exe | 34
  PID 2376 wrote to memory of 2700 | 2376 | cmd.exe | 34
  PID 2376 wrote to memory of 2700 | 2376 | cmd.exe | 34
  PID 2376 wrote to memory of 2700 | 2376 | cmd.exe | 34
  PID 2376 wrote to memory of 2880 | 2376 | cmd.exe | 35
  PID 2376 wrote to memory of 2880 | 2376 | cmd.exe | 35
  PID 2376 wrote to memory of 2880 | 2376 | cmd.exe | 35
  PID 2376 wrote to memory of 2880 | 2376 | cmd.exe | 35
  PID 2376 wrote to memory of 2712 | 2376 | cmd.exe | 36
  PID 2376 wrote to memory of 2712 | 2376 | cmd.exe | 36
  PID 2376 wrote to memory of 2712 | 2376 | cmd.exe | 36
  PID 2376 wrote to memory of 2712 | 2376 | cmd.exe | 36
  PID 2376 wrote to memory of 2580 | 2376 | cmd.exe | 37
  PID 2376 wrote to memory of 2580 | 2376 | cmd.exe | 37
  PID 2376 wrote to memory of 2580 | 2376 | cmd.exe | 37
  PID 2376 wrote to memory of 2580 | 2376 | cmd.exe | 37
  PID 2376 wrote to memory of 2584 | 2376 | cmd.exe | 38
  PID 2376 wrote to memory of 2584 | 2376 | cmd.exe | 38
  PID 2376 wrote to memory of 2584 | 2376 | cmd.exe | 38
  PID 2376 wrote to memory of 2584 | 2376 | cmd.exe | 38
  PID 2376 wrote to memory of 2468 | 2376 | cmd.exe | 39
  PID 2376 wrote to memory of 2468 | 2376 | cmd.exe | 39
  PID 2376 wrote to memory of 2468 | 2376 | cmd.exe | 39
  PID 2376 wrote to memory of 2468 | 2376 | cmd.exe | 39
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
  PID 2584 wrote to memory of 2304 | 2584 | Are.pif | 40
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1356
  C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\612d46d700db7c8fba70499dac9c8ea85f5a783083f5debcc1d8268bedd28df8.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2196
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c move Watson Watson.bat && Watson.bat
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2376
      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 2112
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa.exe opssvc.exe"
        PID: 2124
      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID: 2644
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        PID: 2700
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 22712
        PID: 2880
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V "UpsMerryPavilionElected" Geometry
        PID: 2712
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Engineering + Higher + Do + Whole + Manager + Vids + Cave + Andrews + Richards 22712\k
        PID: 2580
      C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif
        command line: 22712\Are.pif 22712\k
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2584
      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe
        PID: 2468
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif
    command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22712\Are.pif"
    - Executes dropped EXE
    PID: 2304
Downloads