Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-06-2024 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: lNV-2024-3626276279.cmd
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: lNV-2024-3626276279.cmd
- Resource: win10v2004-20240508-en
General
- Target: lNV-2024-3626276279.cmd
- Size: 4.2MB
- MD5: 55517abac6d9789ddcde10ce5ba82872
- SHA1: dba9aeaf67ee05ca8a38ba5ffdb75607b8a2288d
- SHA256: ecb54d88590475659fa26d0e65d0743d19e42441fe6311e38dec28026fc95945
- SHA512: b951dd6e870d77250af92f4f8920f57622fbd2e58c555abeb704993d51cd0b052cc7b2ec5f98c4d91011f76117bab6717aa25fa775adf899c32d2c5d26453207
- SSDEEP: 49152:H0HI7tGDjsb7rA3kn2IU9svyG1qrN3Gbiu8HHKMi4F2652/0cN6g/BdKgJ:5
Malware Config
Signatures
- Executes dropped EXE (8 IoCs)
  Processes:
  pid   process
  2252  alpha.exe
  4840  alpha.exe
  1920  kn.exe
  1512  alpha.exe
  1776  kn.exe
  4388  Audio.pif
  3172  alpha.exe
  1108  alpha.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 10 IoCs)
  flow  ioc
  19    drive.google.com
  20    drive.google.com
  17    drive.google.com
  10    drive.google.com
  14    drive.google.com
  18    drive.google.com
  21    drive.google.com
  22    drive.google.com
  23    drive.google.com
  4     drive.google.com
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description                       pid   process    target process
  PID 3156 wrote to memory of 3996  3156  cmd.exe    extrac32.exe
  PID 3156 wrote to memory of 3996  3156  cmd.exe    extrac32.exe
  PID 3156 wrote to memory of 2252  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 2252  3156  cmd.exe    alpha.exe
  PID 2252 wrote to memory of 5084  2252  alpha.exe  extrac32.exe
  PID 2252 wrote to memory of 5084  2252  alpha.exe  extrac32.exe
  PID 3156 wrote to memory of 4840  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 4840  3156  cmd.exe    alpha.exe
  PID 4840 wrote to memory of 1920  4840  alpha.exe  kn.exe
  PID 4840 wrote to memory of 1920  4840  alpha.exe  kn.exe
  PID 3156 wrote to memory of 1512  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 1512  3156  cmd.exe    alpha.exe
  PID 1512 wrote to memory of 1776  1512  alpha.exe  kn.exe
  PID 1512 wrote to memory of 1776  1512  alpha.exe  kn.exe
  PID 3156 wrote to memory of 4388  3156  cmd.exe    Audio.pif
  PID 3156 wrote to memory of 4388  3156  cmd.exe    Audio.pif
  PID 3156 wrote to memory of 4388  3156  cmd.exe    Audio.pif
  PID 3156 wrote to memory of 3172  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 3172  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 1108  3156  cmd.exe    alpha.exe
  PID 3156 wrote to memory of 1108  3156  cmd.exe    alpha.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\extrac32.exe
    Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  - C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
      - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
      - Executes dropped EXE
  - C:\Users\Public\Libraries\Audio.pif
    Command line: C:\Users\Public\Libraries\Audio.pif
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Public\Audio.mp4
  Filesize: 3.0MB
  MD5: 8d6a6f7f28472f54780ace4be5e35f7f
  SHA1: 93e285f23ef6cb95d3be6c5c4ce3eddcdd0e4201
  SHA256: 611fbe02cb707477addb2b98bbb193d77f981a4fc61be39b74543f3f43fc5cd1
  SHA512: 87497486cc166f3c6c43dd05b9bc08c7947c97be03ea2a8edf962c59f3027cdccc1b57d99a55a072e26d7b83e678f67cedad1f54beaa7d3a352556db4fa78744
- C:\Users\Public\Libraries\Audio.pif
  Filesize: 1.5MB
  MD5: 3351922e54c2698b80f65bbe11894bb8
  SHA1: 6121c53dcb4f81a202e393281c53e95de2155219
  SHA256: 6ad37e5e8fc00d1bb6538d409e3930882ac8bc1e3efdda551ead49edfdba2c42
  SHA512: d9ac69966e0ad0ff05fe137a08d0ba211c11dfe5303d032ff3fc337a5302cdab1bbfb9f7153567d8b11acff38c0c433d92dd48925f3bb7824cc572562014bfdc
- C:\Users\Public\alpha.exe
  Filesize: 283KB
  MD5: 8a2122e8162dbef04694b9c3e0b6cdee
  SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
  SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
  SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
- C:\Users\Public\kn.exe
  Filesize: 1.6MB
  MD5: bd8d9943a9b1def98eb83e0fa48796c2
  SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
  SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
  SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
- memory/4388-28-0x0000000000400000-0x000000000058B000-memory.dmp
  Filesize: 1.5MB