Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    04-08-2024 18:37

General

  • Target

    Potrditev.cmd

  • Size

    2.8MB

  • MD5

    306e6e3743666b8f5fedb0127b041883

  • SHA1

    53ac1756ee69296be5f5c99ee18b1d1cb70369d4

  • SHA256

    20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc

  • SHA512

    233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1

  • SSDEEP

    24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 11 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:2084
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:2696
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
            3⤵
            • Executes dropped EXE
            PID:2956
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
            3⤵
            • Executes dropped EXE
            PID:2420
        • C:\Users\Public\Libraries\CLEAN.COM
          C:\Users\Public\Libraries\CLEAN.COM
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 700
            3⤵
            • Loads dropped DLL
            • Program crash
            PID:1308
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:1352
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:2636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\CLEAN.GIF

        Filesize

        1.9MB

        MD5

        523ccf257ca222401cd3915ac086f986

        SHA1

        d9dcb0b165fbf6b5e085d7a70009f3924a7968e4

        SHA256

        e52726ecfc11680f894efff7398e244424efffd0b8fb222a7a4c1afa7c7a20f8

        SHA512

        1fa4acc83444c7eacfc6295bb5b24be779f986ae726a76da2cd8f0c27dfaee6c639684efa45e4515f91bdbb027025d40275a0f425344bf9fc21558807b8f544f

      • C:\Users\Public\Libraries\CLEAN.COM

        Filesize

        957KB

        MD5

        aa4820620a6d753208dbd180c8ddc87a

        SHA1

        d687b79b4eb4359d7c310681e978c1be1ff46109

        SHA256

        ae5740d23ffac06e5bda5dd0acfa6023df3c7951ca0c97bd3dc4b1dd22a34525

        SHA512

        1994729cd2458ca85ca4add2ace7e1f636c941b0aef4dd1d2ecbe80324463705697387b1aaf4d7413011fef3d87415bcf0d0e3e2088e18e18c5925e06688f8a6

      • C:\Users\Public\alpha.exe

        Filesize

        337KB

        MD5

        5746bd7e255dd6a8afa06f7c42c1ba41

        SHA1

        0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

        SHA256

        db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

        SHA512

        3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

      • \Users\Public\kn.exe

        Filesize

        1.1MB

        MD5

        ec1fd3050dbc40ec7e87ab99c7ca0b03

        SHA1

        ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

        SHA256

        1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

        SHA512

        4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

      • memory/2664-33-0x0000000000400000-0x00000000004F9000-memory.dmp

        Filesize

        996KB