Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-05-2024 16:01

General

  • Target

    Executor.exe

  • Size

    200.0MB

  • MD5

    e8c4b28ff455621e8722b30ce960d53f

  • SHA1

    79feff13fb183a97e0c12690f3df75affa4c9063

  • SHA256

    5d4a1d9250a57c5f889ee37a8262bd850bf7ac50e7bc82588b22d2ea3ac36166

  • SHA512

    8766dc59c0584cf78fa8f1d884d2ae575f39691b6a1641e2bf32aae713e7c365404c7b400842b24167b2d47503fe868b1e88d8c34e3331ea4204beb5c5cd894f

  • SSDEEP

    24576:FzO9QInrUh4tZvrF08jgLCZ3oIaozZ9G6BrgLCWK47m:gnhZv/jg2ZQolNrgL9K4K

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Executor.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Metro Metro.cmd & Metro.cmd & exit
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:876
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:2144
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 130825
        3⤵
        PID:2560
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "InfectionIgnoreAssociateWearing" Rome
        3⤵
        PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Sigma + Eos + Brands + Blow 130825\d
        3⤵
        PID:2852
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif
        130825\Privilege.pif 130825\d
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1196
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2384
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\d

                Filesize

                473KB

                MD5

                5cbe1af51900d5ef5bfcb4fdb4ea1c4a

                SHA1

                36c2d18e732550e1f4b4f900d03d1e3054596d37

                SHA256

                f3c24ca299b0c9f88f55566a5f4cf1010ace547e63cecb2462eed471314d8cd5

                SHA512

                08e3363f4926bd14c3c7423aeeeb1220403372b501e1c709629d7308969adbe3fda58b414bfbc6c0e08461b592eb0018f9a98f6c51867fc5e2b572b709365e08

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Arm

                Filesize

                61KB

                MD5

                1a16c56400ede15690fc870e1053e223

                SHA1

                703362b886a1c6713a896cc5755d05e06311b91f

                SHA256

                dbdf08b64842d4f00367c25da43cca6bf85fab72a9c55b6d06cd0b0e5ec31faf

                SHA512

                0f35abf084a9a282819d841cb70be22560e903b05cbbdf9ef4aced9854a252c5b76a70dfa07af381a708da25b1d86f823d2697e71bd4ed9a490ca86d457abad1

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Birds

                Filesize

                57KB

                MD5

                061e6ab37aaeeefefe843608e4a83e07

                SHA1

                520ef9065524b92dc02018f1f691f1cf73f977a7

                SHA256

                d4c724c047ccc8ba8255461952a72ae9ccd32c3ea5a2212e630bcb53027de2fd

                SHA512

                eba212ebfe9938b290261b6065289c94c8b1028e20039b0f3b986d4398b9b6149e94965a824405f412d7d712e9263163862cba4d1504401e972af4b6a67ffe00

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blow

                Filesize

                99KB

                MD5

                6e3ae77006b653af3b7acb1fa4fbd4a2

                SHA1

                a11c0a1bcba10e60ce20e54b01f88974979fe4b6

                SHA256

                130a1ad302d586e32ed226565b1972d65fff771141a41591c0a8c7d9e6dc7156

                SHA512

                d54b4becbae6d2fdc5334f9e6268d875b46938936ff474328034388d15821fc54984167b74bc8c61103691101b31c4322741087ed2f5c90446a6de1324c43a32

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Brands

                Filesize

                156KB

                MD5

                a28c5d0fd153e738bd7490d40a7f90aa

                SHA1

                7f90643dbe9b2299d6e5ad8ea8ce399fb17f2729

                SHA256

                11d60f1410e177bd60f74bedb9b9075753b01da04cc345592aa15a162d523645

                SHA512

                66c07d5ecb31dd499380a9387b8c99e985ba9a4c51f816ec6d22ce7792babc2f55a0c1c68038582f2bfdca8d229d0e48edeb58081a51d66a0c689b2c8dddd3c2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cnetcom

                Filesize

                14KB

                MD5

                34b02e5084dda63a75ae542c81fde8fc

                SHA1

                067316a417545e56bcef48a18590922f857e606e

                SHA256

                d477894f3d86ae890b109d5780038519e116704cc6395389fb4e8d9cb7c8a8b2

                SHA512

                4e2b9158f1d7b8af017ea05746086a1ba2097302dadb4e1e45e6d51553485f3f31cf20c6804e31c03b9b404670b71940918428e1e18e1573f52cfb80dc2ff14a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Constant

                Filesize

                55KB

                MD5

                38aa563b528925068c1f6d6b9af55d73

                SHA1

                e8f8741f0951a711c11242d18ad7539f5cd1d518

                SHA256

                c7ad37c1a3763ab5088d6669833e4385de3bf6a88e44df74fa1f557a3e5d1ed0

                SHA512

                c3dec23b493dff7d5f8858fc32e19329394c10f983d0821a71428b3f50f7c2efad0e7721a8bef23fa91173f99797aee6bf965b28d538e69ed5397bc8d19bcef2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Coordination

                Filesize

                15KB

                MD5

                892f570c0fc0e834a71dd9bb5e67606e

                SHA1

                41309f1a1ff910208ff14aa64fb2e1a542bd5c5b

                SHA256

                6ed06c1942381c70c72ec240d3903e14392e14b97a1222e4d4122de6a54038d7

                SHA512

                9dac0439df7ccec2924bb776ec534b57c113fb87c59b80011b3c492065f8cbf582130a0fb0095dd6a4a0e8adc4ba3e7b19041f857ef70a90e1fa7c9d783db372

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Director

                Filesize

                10KB

                MD5

                2bfd98e50bef1683cb5a0f353ed97d3e

                SHA1

                fc3c8acd8bf5da7068b0d6253d7ec9cc019dccd3

                SHA256

                dca382a4d289a0ec7588b117b2615636f1db5538bb2e4d9f26362af2577b9600

                SHA512

                283588b37a484acb53d511b21d2cc393131be40b3b0784c9cde0fa4e7f79c865a609e73ec1339bf91b5dce433e8235e1998f098e9311f48e01f2437f51c8bf59

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Em

                Filesize

                12KB

                MD5

                044674df6d2fb6c5395f795b52a5e8cd

                SHA1

                8c2103dbd136902dd623c6359494fffa2facc8ed

                SHA256

                b601e90d114dc793eae0dcfb1cdf6f60559d757306d3262daa9195536d0d7075

                SHA512

                b333d2a6fc8a11befe3d45c6d557713344fedaab513fd025022f5cf1b24131c02f8e9a1a5ccc99b70e17523d00eccabb68695a55cc26d613c367785d15d716f0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eos

                Filesize

                141KB

                MD5

                323eed53c9441cad43c3b022f4c78a62

                SHA1

                7340809c3bf99b0c7c12855503d131fab56ff724

                SHA256

                eca98f09593aeb1e80faf85b1382b81b4d41505907895c3aa85014857d590bac

                SHA512

                894682d9104ab09e7412d27ff0c3accdb23439c3fc54aa4d1fa2eab1dfb74c46e1da0a7783491107dffb9fa5f8eace8fe7b43c36d40f4972b1271237e7107568

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Follows

                Filesize

                17KB

                MD5

                6d6e6ddd5cfee1050fee08f02749e7fc

                SHA1

                c03520e023c05c002e6eca1aebbc328d1fe18343

                SHA256

                7bc69d65942991ba08d04713989e50dfb777585428cd2eb735efc3c463a3fd8f

                SHA512

                b3073852962847847cd9b0a9f9faace556ebd83ac7499cf684e8328b8304e6eb8fd6aa48873ed395bd26c3fa9c9997050a68f3e796613742a0b6feada42e80cb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ghana

                Filesize

                57KB

                MD5

                1aa8c7aa85671acc44078621388c6aa4

                SHA1

                4c442a9fa86838025aca4a65cbdae3ec444175e5

                SHA256

                1cca146f78ec42806dcffcbc8d520d7c896363700db4b52421cf2fadbe738ade

                SHA512

                dcc1ab9febd25564696a38d5790b50afd6761a468417a41a049e252f738395fb0e0aa1ea309ca307c8b53f5dacb9442fa4ae89fb5923ea7f05eb554535617a17

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Inns

                Filesize

                30KB

                MD5

                d1e101e9f46d0b73a4b5511c4a80acd7

                SHA1

                f91f20bde323bf0bc707674013b3d8e1e00f2263

                SHA256

                482ec36107781521a60e9a87a5daa386743ead904c7afd85803f23b0b4e13f8a

                SHA512

                f38272d8d10052b959547c957f512c5f45610e0aeeb5978c34ec25527af1c6ad323fa30357c84d41017d0793330c6b1ddeaacff48edab3d62decd125c90c0345

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jesse

                Filesize

                53KB

                MD5

                cf276a25adaf52a56d239fe985490455

                SHA1

                fc15727354542eca8cd996113a981385f9ecded0

                SHA256

                0b58d77540928e63d40b86fa1e19e8c855cfbc3a6e4909b501106571711c00d4

                SHA512

                386673fc22f56e169c4142fcf8f55df469d84dea527d42bf8020bcd87018f1a7d6109ccaa2dd428222c5b1c50474c5a8717b1e2e9ef15bed30ec09cf21468e07

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Laid

                Filesize

                38KB

                MD5

                67f0dc55bcc26b8dc34558f23fecb60b

                SHA1

                af768a87d1cea6a9b00891fe57c0e82ded54cdc5

                SHA256

                28f973112d9b1103c7fbc01ff733477af543b0cb4946fa7fa526ffb96bf1a39b

                SHA512

                d513196240c2f1dd7a5bc15f27efbe8f84a3e1f589aa8345ac55b07ae0536e71099c35ecdc30e7075d746410fe47bc2c997c11dfbe46941544c6080a50cc3dea

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Metro

                Filesize

                17KB

                MD5

                529318b4637822bb81772a455bea46c7

                SHA1

                3b7848e175f78066c4fd2f8be16360c6d2b91900

                SHA256

                4f135f7ce8dfcddd12a5cb395dc0b5960d07da0b8e2be9190387f30e4465f580

                SHA512

                7311284add8ce333274cb8d6dffe008741acc72edca661e8793af62d11a0250fe6c28ad2ef17a89c42a76f1b067d359eea7dfd29456e4f89f58d8da17ae880f4

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Prison

                Filesize

                20KB

                MD5

                66ffc62dbafb938f66464610d6511b11

                SHA1

                dc1744680db6152b0881ebd0a262916a63bed0ae

                SHA256

                8932b1f713a396fdd5324100dacf7d0051b9b5b3d323b0493b0c0d7f252acf90

                SHA512

                844bc2a3c037cba10655298d972497693e3cf24f3a95757c97130705570a50e29dc40ecc5f8b51ed4b8e95d1f4fd67e5dcaba8ea1f1de34ed2a99ad263e2dcac

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Providence

                Filesize

                29KB

                MD5

                decd26014fbd5abe6ed80b7583dc527a

                SHA1

                aa91f6cbdada247440efff25949babf848170129

                SHA256

                e9f3ad3b58e254dc9de4e5b86b7d5b46757929586ac2944a7ba5202513b26ab3

                SHA512

                d5f83539ffe74ddb6eefa32275d64f39ba137705f0ee84f87f17da0a208de67dfca2da53df09f08c014e138753d22e6c8433c9e820fa43f2775a2e6fb5a98aff

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Quite

                Filesize

                67KB

                MD5

                71006ce34e715137a7610d11e852fbe6

                SHA1

                296282c5858f258e11ab9bf05fd552a37c9e2aaa

                SHA256

                3f663d70bbbb50e83a21d0e92c3cdf6c435c76c81f796a095f4647acfc89de52

                SHA512

                220c38efbffcfdb682911e3dda7c14a547dea1b9eb4682e2011b3e9a9e2c18308dc77ec85b25a60a179953ecc2319be6ed3aa4e511bd3fa83541b11b2c5b1411

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rome

                Filesize

                87B

                MD5

                a81b50587fffe8e1b1cfc3a36cefa803

                SHA1

                93ea5dd986f8874c276b8577834ce50c6657464c

                SHA256

                b0d6c11a0d73a8b097a1d1ed0243aeecc551dc9560689c832ebf1d4663ab0a49

                SHA512

                980eb2c3cd5ef1c936f4dfbb44395867346e0e3647610c8069ee70f07be5b7d2e974bf29ea38a77804fad77272aef9e26170353c6d1a88a43ec75aa843f82197

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sharon

                Filesize

                52KB

                MD5

                2b05aabcaf790eadde849a6d4b54253d

                SHA1

                742162373e4d0a9c575f5985f12c32da4c65c176

                SHA256

                feb7374a70e68a1cc672b06d9c0cd0fdebcd4c4efb48a689044f60b17d13495a

                SHA512

                3429903cf1aec713b25d266d6c76f9707dc3c6bb07c31fc336d967606205875d0e3781e719f106a0145e6b9e6914a558dbbc98d0dabe87723d98853a6a44146f

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Showers

                Filesize

                66KB

                MD5

                d2d5406873838230085ddf08c7479678

                SHA1

                f9d5e93bad73173b1c455671a5c83f3768b94e74

                SHA256

                33cfaac76dc8fad958a8822cd776fb40a2abee77a497b018b4907e01dc530866

                SHA512

                8930d62670a7ac69b965477fe45135058a531817d7bc3ebf937390f7ca20cc11e58585824395ee4f324595ff807fbf76463a101a43ee2b3bedb5e02bf94a88d7

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sigma

                Filesize

                77KB

                MD5

                99bb55b842811deda1364bd60cccc858

                SHA1

                3f4f212b2be26f708f97455703bb0cd339c2bb1d

                SHA256

                a5261b273662aa0beddcd849073c64493d0c9a3e2b9645ffa0caedc0f76b27ac

                SHA512

                a5ccd3b853d608f010e57246aebb064356a69466a4508ae7b27aa70f5e7a77262e93f6bce69b5dd654583f03616d7299669f4ef4c208ae9c81f2dba69ab723ac

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Singh

                Filesize

                15KB

                MD5

                fe625ed79aeef81fcd7d06ad55e0a64e

                SHA1

                595c78b50c735fcd6052df9545aa279f1b6c5d2c

                SHA256

                2e2756802e58e5cce0f5c54dbe1cd75ca0e04f77bf745f5615f1ff002a95c8fb

                SHA512

                1e70fa190f19aee7068a3eb0931364ac3e06b7a06aad44c713db888879872a7bbf6cb2adbd1f97237f7a68bbdd04038aa5ecc2739a3f7c5ffc1aa8c2df2443ca

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Smtp

                Filesize

                35KB

                MD5

                2f32c58d36254a94c201b6c9e91ece87

                SHA1

                4ecb74faa65bef9d83a104a6c61b18ffd695d447

                SHA256

                50000c49e90d5d64e12267bcd640a927f879aab6e3ca8983b2134652de889b15

                SHA512

                3321d89cc96e2f9ff16b3a7c5363363f24987fa9ce5a328988cdfc834ce2313affb095d9276afc263179edc4f5d6e6b40ec7017a7e2a3b6395ee9b952f9cb0f9

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Submission

                Filesize

                65KB

                MD5

                c1d093c050669eb14404d62e217756e9

                SHA1

                10175077e7e90e406979e0bd59a24ceb577b41df

                SHA256

                500482c1f24463a3b6a5a44eea28173f68278433efde17471e69ca4f64ffa616

                SHA512

                78ef0c1319b255b4444cce8fdd9adadfcaecade22d67231bf8c2d9813d93b7d9b594e61481a64a7f306d6c35603dd62e25e437bd8e5ac14b5014250a303f5d2d

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Task

                Filesize

                50KB

                MD5

                5ee3af1803c12416a3ec9244d9fda5f9

                SHA1

                109b43cfcd6ffbddb2c96f76e3586c91f38d9d45

                SHA256

                9d0e1fa7ed2c3905b372db6154a19f734025f3a2e977d5f4b9f76070cc8589db

                SHA512

                99fdda1a014e7eb100d992475350c581d2ca0024c4f6c2dbcc7ee09df3bb1395797cd17b7f59ae2b9dc6b829a02e749d60ba595e9d29d248fd2f84cb5616e038

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Viagra

                Filesize

                41KB

                MD5

                7b6fb0ecb28ea334f6a76912da366dfc

                SHA1

                2447a7bccf099779c2eee1b4d344c75cd8dff49d

                SHA256

                ea7cb8ac2eb3fdd83853edefdaa2024abef510c9a25154498c3427cab75d8779

                SHA512

                c72b731086f4d0e5dc86ff12795f09275611908f4cc543106a78f62b6068d39ae7454ae00e71dffdeb723ba1c97c628476e0c347d3f646ebb169ccd905bd4f66

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Viruses

                Filesize

                56KB

                MD5

                37bff008c6fe8861842a0a3e36b7f746

                SHA1

                4fae05e6690e0069bdc8c8348f69446b1cd89aca

                SHA256

                ccfb6cc405f8d43769669941e99813ce9e5d55c850abe192b2a69c5984fcc9d0

                SHA512

                b3f335e9dcfdd3b39f28e9a57bcfc85a25cead5c9c2b684c9791a6af28496230514b23f8c580995d561d57b898796b47615c1d6cb1511bd755a3ef2bb8e638a8

              • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\130825\Privilege.pif

                Filesize

                915KB

                MD5

                b06e67f9767e5023892d9698703ad098

                SHA1

                acc07666f4c1d4461d3e1c263cf6a194a8dd1544

                SHA256

                8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

                SHA512

                7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

              • memory/1196-466-0x00000000035B0000-0x0000000003605000-memory.dmp

                Filesize

                340KB

              • memory/1196-467-0x00000000035B0000-0x0000000003605000-memory.dmp

                Filesize

                340KB

              • memory/1196-468-0x00000000035B0000-0x0000000003605000-memory.dmp

                Filesize

                340KB

              • memory/1196-469-0x00000000035B0000-0x0000000003605000-memory.dmp

                Filesize

                340KB

              • memory/1196-470-0x00000000035B0000-0x0000000003605000-memory.dmp

                Filesize

                340KB