Analysis
max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-10-2024 09:59

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 8432070440b9827f88a75bef7e65dd60.exe
Resource: win7-20240903-en

General
Target: 8432070440b9827f88a75bef7e65dd60.exe
Size: 854KB
MD5: 8432070440b9827f88a75bef7e65dd60
SHA1: 6c7a2124b7076383f577eb0042f9ea917b2b4066
SHA256: 459443def8fd0c940b2da33d9703fcf5771dbcd9ce4aff2dcc670528c1d1d3c1
SHA512: 50d8ca74f51257b03678fcb9e98b8ad3eb412403d3b87efdba1dbf09af207aba6e21f849fe811600467e4d5803188ed8e521c407e8942adf0a002c1d937bbf61
SSDEEP: 24576:ZY/1EAAfF8FU1lqbrkSqdKHYiJfLYkoDhsYPWLiK:8VAt8FU1lekSq0c68FK
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   process
  2740  Faced.pif

Executes dropped EXE (2 IoCs)
  pid   process
  2740  Faced.pif
  2532  RegAsm.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2820  cmd.exe
  2740  Faced.pif

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   process
  2712  tasklist.exe
  2832  tasklist.exe

Drops file in Windows directory (5 IoCs)
  description                   ioc                            process
  File opened for modification  C:\Windows\CiscoHarder         8432070440b9827f88a75bef7e65dd60.exe
  File opened for modification  C:\Windows\BasedBrakes         8432070440b9827f88a75bef7e65dd60.exe
  File opened for modification  C:\Windows\ChapelSpoken        8432070440b9827f88a75bef7e65dd60.exe
  File opened for modification  C:\Windows\TypesCroatia        8432070440b9827f88a75bef7e65dd60.exe
  File opened for modification  C:\Windows\MotherboardLooking  8432070440b9827f88a75bef7e65dd60.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8432070440b9827f88a75bef7e65dd60.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   process
  2740  Faced.pif (18 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   2832  tasklist.exe
  Token: SeDebugPrivilege   2712  tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  2740  Faced.pif (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process
  2740  Faced.pif (3 entries)

Suspicious use of WriteProcessMemory (48 IoCs)
  description                      pid   process                               target process  entries
  PID 3020 wrote to memory of 2820  3020  8432070440b9827f88a75bef7e65dd60.exe  cmd.exe         4
  PID 2820 wrote to memory of 2832  2820  cmd.exe                               tasklist.exe    4
  PID 2820 wrote to memory of 2896  2820  cmd.exe                               findstr.exe     4
  PID 2820 wrote to memory of 2712  2820  cmd.exe                               tasklist.exe    4
  PID 2820 wrote to memory of 2996  2820  cmd.exe                               findstr.exe     4
  PID 2820 wrote to memory of 2352  2820  cmd.exe                               cmd.exe         4
  PID 2820 wrote to memory of 2812  2820  cmd.exe                               findstr.exe     4
  PID 2820 wrote to memory of 2676  2820  cmd.exe                               cmd.exe         4
  PID 2820 wrote to memory of 2740  2820  cmd.exe                               Faced.pif       4
  PID 2820 wrote to memory of 1624  2820  cmd.exe                               choice.exe      4
  PID 2740 wrote to memory of 2316  2740  Faced.pif                             schtasks.exe    3
  PID 2740 wrote to memory of 2532  2740  Faced.pif                             RegAsm.exe      5

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\8432070440b9827f88a75bef7e65dd60.exe (PID 3020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8432070440b9827f88a75bef7e65dd60.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2820)
    Command line: "C:\Windows\System32\cmd.exe" /c move Tall Tall.bat & Tall.bat
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe (PID 2832)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (PID 2896)
      Command line: findstr /I "wrsa opssvc"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 2712)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe (PID 2996)
      Command line: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2352)
      Command line: cmd /c md 349877
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 2812)
      Command line: findstr /V "ORDINANCECHILDHOODCONVERTENDORSED" Booty
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2676)
      Command line: cmd /c copy /b ..\Norwegian + ..\Mysql + ..\Tours + ..\Awareness + ..\Picking K
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\349877\Faced.pif (PID 2740)
      Command line: Faced.pif K
      Signatures: Deletes itself; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 2316)
        Command line: schtasks.exe /create /tn "BioMind" /tr "wscript //B 'C:\Users\Admin\AppData\Local\BioTech Dynamics\BioMind.js'" /sc onlogon /F /RL HIGHEST
        Signatures: Scheduled Task/Job: Scheduled Task
      - C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe (PID 2532)
        Command line: C:\Users\Admin\AppData\Local\Temp\349877\RegAsm.exe
        Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\choice.exe (PID 1624)
      Command line: choice /d y /t 15
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 294KB
MD5: c2a4fd12d413dfc8e4b1e37b8f8aee94
SHA1: 5164e8f38a29ac76b34d03cdc16ce273a58bb432
SHA256: 6885fd9a711b7f8ba4d057eb6de0cee6e3ac5c193086220f0df473a293e54fd0
SHA512: 2cce54656fb690e7c494a2cbb2f9d2c7599f42ef8f138647d0aefd5b4cd0b4bd7f1674221359c9acaf70b8f3548b80b9f97e31b49c3d40fd49b0d370c7664c0e

Filesize: 95KB
MD5: 3d433702ad47521887f8f4c46367e188
SHA1: 1f6a35c56aa019baefa709970d8710d5b6cc9a09
SHA256: a7d8e066479c17eeafc4732d28b38c713ad82e45008c138bb482a302dbce4907
SHA512: 9f590f44dbd66218a2b3b3fcba7477f69ef4464d69337d67e021cdd883f0d4fc4b4125630f578754d1dae1a06296580d5f8c879dcb167bdc0906080b59b6bc35

Filesize: 5KB
MD5: 456e8d3795990ee35e9cbc227cd15982
SHA1: 9975e340561e157ac4e3c4c8fd33d7eef308268d
SHA256: c9a8704bdb3aced2af9ef516c6c1ea53145460a763d54bacf3da50f07fbee52e
SHA512: bbf344bee7a00522667aca111db321d9520ce5e986e4f7069343923553388321b95479897af013ce214783f23ce665980c67d2998373c3f61a1ce1c30bd93f69

Filesize: 1.0MB
MD5: 350de0e31aa0d66122bd6f686c51a118
SHA1: 6e97be100aca0c32186b29d0a1a01d0242bf92e3
SHA256: 3e63313db20fe4d41a6d16f50df9dd632b44b519299f7729cc98f183804e0751
SHA512: 3a45cb6b3d020d7006ba3813320024fb93ba8228674e474b061d078df39421c8900b25ef292bd5466a807a0bebf4e34deea585bf880cff7a8f3ef38a813775af

Filesize: 91KB
MD5: ff82d720fafa65d0118b0158ca740524
SHA1: 320a35c7ccb261719c4bce9eb102bf0644a6e70b
SHA256: 388fb4562fb986384807fdacd20f6879b640c36fde7a2e954986f53305f4b533
SHA512: e43c701fe1635b2d84a9b39adc8d3bb7aeec81647cdacb5bce9a6298c98fa0da9d6858f7a7b8c72ad95a9ecf6874ad89fd33d06a9b400e3914db211552f6c392

Filesize: 52KB
MD5: 2f1dd187a223dd7faead0d4bceeba5b3
SHA1: 8d86c8e86f21103ad29f1f6862343c2712a69f23
SHA256: 8687d07d8992cc9d82e7c30e09e02d5638ef497f1ca5f8162d6376f0ed82f2a6
SHA512: 7e18885e9fcd7e7fdb3fe274ef961d69400f73e559872d58cc305f992296202097de81f3c845dd34d2d85b378fd98c0330cd4d5b15b9a4d1ca6155dcf0b12238

Filesize: 2KB
MD5: 3a83957e84f93270c2bec9b39a578ce5
SHA1: 68952c3e118405cf225796d6b5aa1c2bad16a0d6
SHA256: 3dd565cfb94bf646f5b2b42efade7a4abe8ec67661fad5e4630492bb3bf7817c
SHA512: f8cc0ab08764b73622fae22687700957ce332d56150f863fef6cf4848129f2731ac559e2a6444d03c6a063c966b917c06ac8b79e5f615961bd84d179685254d2

Filesize: 10KB
MD5: 7bb1b88b0dad0d85e482bf27d8ed266f
SHA1: 53621cae980c2232d1a06b834ee54f4cc551901c
SHA256: f06031fd4be1e9e5d057622752c9d1f1ce4511c2839f4b218b4d5fa89a783225
SHA512: cc479a4aed0568ddbf47d6e83d2a4f837fac47000244a7b6ceb81c02ab4480ae7a0dcf5d38cf05e179ff6fbc69e32e08041cdf65d52fe092de59fd3840d8a70d

Filesize: 54KB
MD5: b771cf4019629d56e8492691792498e5
SHA1: b9e9e1d4829e6125c4ffb5fc19fd779968ce2778
SHA256: 2840fe24a2d9b7ca532c5f351469d50cc6bed0d37fb648753e940b49786be891
SHA512: e20551a1dc3a8dd7445eceaecb14570c7f7681fd6b6c8322c31cdcd27560f5206ad9162d7cd71128bb28432f35f95f002233c0b3f7eeaf43b8539d281b153d48

Filesize: 1.0MB
MD5: c63860691927d62432750013b5a20f5f
SHA1: 03678170aadf6bab2ac2b742f5ea2fd1b11feca3
SHA256: 69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353
SHA512: 3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Filesize: 62KB
MD5: a2284af079c78111b9b72e231b88508f
SHA1: aaa8804fd8577c468c912dd81047582d1ab6e3e0
SHA256: 825de4ab6e824963a85f79ed1cd576a93a76d3ac78f2ac975895fe981b7d479a
SHA512: 69f791e2f56bf3cb66f31848bb5ede20cab704b9822dca081d818a41d3cdd4a89d3f397c86b5bc2cb2219493b9e2a6e12f62321d66afd42d87ded4079c0ca8ca