4303bc84d53234350548049163ddef5af4d8b6153a34cabba801ae539fe01d4a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

827KB
MD5

a56d7d8ff2831932bbe64f971e88525d
SHA1

750ceae0722793c27163ac15bede44c0d9d9ffa6
SHA256

4303bc84d53234350548049163ddef5af4d8b6153a34cabba801ae539fe01d4a
SHA512

ac9773c0546bbf5b776ddb6e41d398000d1856aeb0fdc16b742eacf889cb77ef29b29a68f906470c6e850dba42e722ccb83fcd139444d112e7f86bb0e83ba6d2
SSDEEP

24576:4bJhAiQecjQ+bpL/YDhkDqkEt2yhT3oU3ml:y+k+18O1ST47

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Reset.pif

pid process

2868 Reset.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2904 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1440 tasklist.exe
2928 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2616 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Reset.pif

pid process

2868 Reset.pif
2868 Reset.pif
2868 Reset.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 1440 tasklist.exe
Token: SeDebugPrivilege 2928 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Reset.pif

pid process

2868 Reset.pif
2868 Reset.pif
2868 Reset.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Reset.pif

pid process

2868 Reset.pif
2868 Reset.pif
2868 Reset.pif

pid	process
2868	Reset.pif

pid	process
2904	cmd.exe

pid	process
1440	tasklist.exe
2928	tasklist.exe

pid	process
2616	PING.EXE

pid	process
2868	Reset.pif
2868	Reset.pif
2868	Reset.pif

description	pid	process
Token: SeDebugPrivilege	1440	tasklist.exe
Token: SeDebugPrivilege	2928	tasklist.exe

pid	process
2868	Reset.pif
2868	Reset.pif
2868	Reset.pif

pid	process
2868	Reset.pif
2868	Reset.pif
2868	Reset.pif

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 1512 wrote to memory of 2904	1512	tmp.exe	cmd.exe
PID 1512 wrote to memory of 2904	1512	tmp.exe	cmd.exe
PID 1512 wrote to memory of 2904	1512	tmp.exe	cmd.exe
PID 1512 wrote to memory of 2904	1512	tmp.exe	cmd.exe
PID 2904 wrote to memory of 1440	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 1440	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 1440	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 1440	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 1796	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 1796	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 1796	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 1796	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2928	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 2928	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 2928	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 2928	2904	cmd.exe	tasklist.exe
PID 2904 wrote to memory of 2604	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2604	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2604	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2604	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2168	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2168	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2168	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2168	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2576	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2576	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2576	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2576	2904	cmd.exe	findstr.exe
PID 2904 wrote to memory of 2744	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2744	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2744	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2744	2904	cmd.exe	cmd.exe
PID 2904 wrote to memory of 2868	2904	cmd.exe	Reset.pif
PID 2904 wrote to memory of 2868	2904	cmd.exe	Reset.pif
PID 2904 wrote to memory of 2868	2904	cmd.exe	Reset.pif
PID 2904 wrote to memory of 2868	2904	cmd.exe	Reset.pif
PID 2904 wrote to memory of 2616	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2616	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2616	2904	cmd.exe	PING.EXE
PID 2904 wrote to memory of 2616	2904	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c move Nurse Nurse.bat && Nurse.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 4487444
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "mappinglocatedsculpturebowling" Latino
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Eastern + Oils + Qualities 4487444\f
    3⤵
    PID:2744
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4487444\Reset.pif
    4487444\Reset.pif 4487444\f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2868
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4487444\f

Filesize
702KB

MD5
098cea08354cdeb20a7927ff43082166

SHA1
7942abf74675ac00eb5adbbe8c861dd23198e29f

SHA256
9b11d38693ca97f5d71d6df4a8329c77aeda192243c130d17305ecd472a4b1cf

SHA512
6b18f9a187248aa29a0c0a8c3746b665339c1e66b00d017f4eff3b1d22b6958e3c60aff70d8baf6fedf27c4d6b2e3d314c99d4821595a1b07cce8e44d9399008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Americans

Filesize
115KB

MD5
beaea41036064c129768d71926246d83

SHA1
c5fcb9f1f436b23010b0e9e978320a0ed57acd00

SHA256
3eea0dd21c2eed4e83c20d82b1f3d5dc4f893b11fd3943338bd66c0169a7f894

SHA512
f29bbae1fabad9397cdd33a0241f57a80dc7d547940fbd24362b15335728bbe5e4beae0906132ba8c9edb48f78eb9682662a5a37a5121fb4bd1e7ec76424997d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Christina

Filesize
86KB

MD5
49d8b413d191eecfed934401cb10ce48

SHA1
33001bd95d4b27590c99ec52b6aa347235af6114

SHA256
3de85d1bea10492fb15c84b1d770d37c5478e69f41160ab849cd0444fdb237e3

SHA512
0b25a07eeb8de3091b1092c833132f4b43a257e3a80958008f15c08d629522e794767e6040174e58dc0766900d7c2352e73a32060155a98bf2b8c5747089f894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Demands

Filesize
123KB

MD5
14ed942377305b17203710ea5f1a16a8

SHA1
5764a2981b74edc4b548d9ea9d0285fe9e353d15

SHA256
ee5b95aedc466efdd0a1c6a041de0142602989eab556f249c745cc2ed590c35f

SHA512
2995249b8891a7d0d3c1ecb64b2b8536f633aebdee8ab0052c07fc4a7bfb415a295cfee4a55baf817925af9fab90106f6aa2d22ab6ccb9fb369d25f736bed927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eastern

Filesize
235KB

MD5
db915f9172f4763a66ff03d5f2999176

SHA1
5b1bae6901a035db753955aec0444f4b7a45c0ad

SHA256
6db8c34c18b8e7e96147b6bb3a0248f7ead62fa45ac5b1047f86ce85d9911a16

SHA512
d3ebad55b7a7bd3bc56227787931364ffc8084c8001081ad38c68250f6bc5c61778cb010000b8ddb9180667c2aa49a163a3be4e042487d6d92e0d4978ee7ced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Emerging

Filesize
176KB

MD5
ef89e89f82a0314e11c203cdde4e147c

SHA1
23dd53831f495a6cad481162e5e878caedf9a18c

SHA256
ac736a62c00ecef6dca08c58228d84df98c32cc62c5183b28b5583180dbf1c63

SHA512
af808048ae5bc0dc7435a6deca21bb53f952937a3f49b671abc8df0e272eac8204a10e828a0730c0092f9e9664aa83444da52f26b0bdd5d3be3a8bddf6e025dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Latino

Filesize
157B

MD5
83989a9e4766e58d66fd810485136467

SHA1
704c14e2a264279fda06def5e46bab7e9206c122

SHA256
6bfb4e0db30b5ac4583bfb608ffaa1e97d8b3e21df584c9ba362917fc45f20cf

SHA512
bff6abef580f6765f06a724217c4c7fc4c4a3ffe92c870bd53b8d94061e48b74c1ce3637c6190b188b5e78fd627c4de45627ce61e6fa4cab69cb28d846b870e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nurse

Filesize
17KB

MD5
10e8580d5f0f48b832f3301bdf914b4e

SHA1
4bd3b93f2d8d3ef65be29209456a6f72b66a9b7d

SHA256
6dbe21af09f8ac6344196ac9b91f96a7dff62324191be1ec94473c142730065a

SHA512
5cb5e7eccf52258ac3b0f4abf41574e46addfbc4e071f84dfe767f3e4bb0132bd3b3fbe4182f72eed1e2a1bfb64ba9aa210a6f1d1bae3ddc76f78fe7eba47f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oils

Filesize
277KB

MD5
1e61751bb438e48bf871de45fe8306e4

SHA1
d8d50a1159637450cc04e6063829a21d270a82cc

SHA256
d6e19e8559f6cd9cebbb40802ad4e7530519159b560ea1e50e4eb4473d959523

SHA512
0f88fe858804eb8bf968aac11d7ba9fe4a21f2f1b5f01f9063b178ed8c9991bc6d309b5d633703b52447377d094993293def48b7b924fe77d0f84276130e7d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Pearl

Filesize
23KB

MD5
941a05556f4eebfaa2ed05861d5c7e87

SHA1
9b91b8a9197d60180a5ca667dd124a7f42e4931f

SHA256
c0dbe96e107ad11a88124376825d74328ca811df1ccd753155546e5e0c40ce18

SHA512
171d97b74d20575c57ee6f383c79dac1cd6ac79f502ca78293160de9dd53152e1e3cad676a8a98d0092c12dd535a75540d98342e67d5aeb24c6515d8b9946a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Purchases

Filesize
137KB

MD5
d953c4d0b58b3a8bcec5e2f02419c317

SHA1
30ee2e8914cc9423b7e2f1e3152133a86e157b95

SHA256
6cba1a322bc32469e9034295f475daa533efd51a4197aac39d3acc9588f0baa4

SHA512
438540e51ca58174635092cd1694003a5c9b99c76b5c558985a864886140fd354c26182ee2d008ad0ff4f544d0808dbf20592d3608ee892f92905d2507a1d4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Qualities

Filesize
190KB

MD5
9620ec1fcc5f92cd26f36b5bb5e08e5e

SHA1
ba4d73ba7cc3d635c37427f81044a9e41b27e4a2

SHA256
59489758a2e0159e15723be23265e39ff75def6ff43eb38040c721c99816878c

SHA512
2017d2057ce547ebfbf8be00f6054fdcdb2ee23d7b2be42ac102ad10bbb52a47047958bf522f707fb89525590e638f8fa76126bfac7ad469f95acac15d3e63e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Walt

Filesize
212KB

MD5
3ad11443bd9aacc674aaf212116d0077

SHA1
44c0ed1d8ef85764459d3e349a41c6081ad46338

SHA256
27d59f8d465442f373f33a0652f5eb285ab8a11ee5b79b0477f32eb9873b6134

SHA512
7bff725c4f81d63a078105414448576ecf54c52af25c19e2c6a7be66ec23a6b7408041b877e52606bf02d96024b9f73532170723d702aa3257ea00ee8d0e37a6

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\4487444\Reset.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/2868-34-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download
memory/2868-33-0x00000000779C0000-0x0000000077A96000-memory.dmp

Filesize
856KB

Download
memory/2868-35-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download
memory/2868-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2868-37-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download
memory/2868-38-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download
memory/2868-39-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download
memory/2868-40-0x0000000003A90000-0x0000000003ADF000-memory.dmp

Filesize
316KB

Download