fea2216981e8976a502c79405747b623b22f0492d0ea779eae026249f64ca908

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_order_PO1989404.cmd
Size

4.5MB
MD5

4f9b4171ee4728182a576b52c934da7d
SHA1

d58845c88d55aac067b919a5b4bde79d228cf5b6
SHA256

bd4ac830b43dc0f7f7ed19e1cb9b51783bfe36dfd8e58cc93a2e139fcce2c1e8
SHA512

7782a15c610d419935960f8f73243c9016441476f666c99bb71de4234f9006aa94bdc643ecda6f274187a8f41953796ea089abc20a001c771776d9b4d2355f0a
SSDEEP

24576:ajN3QGmU4n/+6JVT+avOgeF/ehZ2gCrxBJGhRCAQ:iFQGmdn/+GdRvOX9gCqQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
1864	alpha.exe
1632	alpha.exe
2128	kn.exe
2072	alpha.exe
2644	kn.exe
2712	sppsvc.pif
2724	alpha.exe
2668	alpha.exe

Loads dropped DLL 9 IoCs

pid	Process
1648	cmd.exe
1648	cmd.exe
1632	alpha.exe
1648	cmd.exe
2072	alpha.exe
1648	cmd.exe
1648	cmd.exe
1992	WerFault.exe
1992	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	2712	WerFault.exe	36

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2712	sppsvc.pif

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1928	1648	cmd.exe	29
PID 1648 wrote to memory of 1928	1648	cmd.exe	29
PID 1648 wrote to memory of 1928	1648	cmd.exe	29
PID 1648 wrote to memory of 1864	1648	cmd.exe	30
PID 1648 wrote to memory of 1864	1648	cmd.exe	30
PID 1648 wrote to memory of 1864	1648	cmd.exe	30
PID 1864 wrote to memory of 820	1864	alpha.exe	31
PID 1864 wrote to memory of 820	1864	alpha.exe	31
PID 1864 wrote to memory of 820	1864	alpha.exe	31
PID 1648 wrote to memory of 1632	1648	cmd.exe	32
PID 1648 wrote to memory of 1632	1648	cmd.exe	32
PID 1648 wrote to memory of 1632	1648	cmd.exe	32
PID 1632 wrote to memory of 2128	1632	alpha.exe	33
PID 1632 wrote to memory of 2128	1632	alpha.exe	33
PID 1632 wrote to memory of 2128	1632	alpha.exe	33
PID 1648 wrote to memory of 2072	1648	cmd.exe	34
PID 1648 wrote to memory of 2072	1648	cmd.exe	34
PID 1648 wrote to memory of 2072	1648	cmd.exe	34
PID 2072 wrote to memory of 2644	2072	alpha.exe	35
PID 2072 wrote to memory of 2644	2072	alpha.exe	35
PID 2072 wrote to memory of 2644	2072	alpha.exe	35
PID 1648 wrote to memory of 2712	1648	cmd.exe	36
PID 1648 wrote to memory of 2712	1648	cmd.exe	36
PID 1648 wrote to memory of 2712	1648	cmd.exe	36
PID 1648 wrote to memory of 2712	1648	cmd.exe	36
PID 1648 wrote to memory of 2724	1648	cmd.exe	37
PID 1648 wrote to memory of 2724	1648	cmd.exe	37
PID 1648 wrote to memory of 2724	1648	cmd.exe	37
PID 1648 wrote to memory of 2668	1648	cmd.exe	38
PID 1648 wrote to memory of 2668	1648	cmd.exe	38
PID 1648 wrote to memory of 2668	1648	cmd.exe	38
PID 2712 wrote to memory of 1992	2712	sppsvc.pif	39
PID 2712 wrote to memory of 1992	2712	sppsvc.pif	39
PID 2712 wrote to memory of 1992	2712	sppsvc.pif	39
PID 2712 wrote to memory of 1992	2712	sppsvc.pif	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  2⤵
  PID:1928
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\extrac32.exe
    extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:820
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Purchase_order_PO1989404.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
    3⤵
    - Executes dropped EXE
    PID:2128
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
    3⤵
    - Executes dropped EXE
    PID:2644
- C:\Users\Public\Libraries\sppsvc.pif
  C:\Users\Public\Libraries\sppsvc.pif
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 708
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1992
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\sppsvc.pif

Filesize
1.6MB

MD5
c26c2acac8badfe751f8614f4ff978a0

SHA1
e7bddc0bf4cd8b3fe801bb3fc4d75a0bddf52dda

SHA256
190278e5db1ab39792859b7d7cbb4dfcf544bd4d6d52404bfc616b81e4e76196

SHA512
6ea022497945444c85434895f21629d5620729d587cfe04dc74d4b62487468a0deffedfd791978582292f00b85e0622a81fdff9a7204de3a185a3d3f765389cb

Download Submit
C:\Users\Public\sppsvc.rtf

Filesize
3.2MB

MD5
739d994938a47a060d86879b231f8e0a

SHA1
2f519f991592f576e5cabf599aebbd2ee8e76059

SHA256
a2c31a1b37d6ffb30d2767cd3fc8779e23f7e834da6e3846aeaefa8dacc20b99

SHA512
ada3f148c979fd8bbf87a14d524f9238aee70607c4a51ad7b75144cc86ec84514c091d2696d884adce59be804bce3535631f638455b5313c2a8fccb9b39a4e8c

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2712-34-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download