Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 10:26
Static task: static1
Behavioral task: behavioral1
  Sample: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
  Resource: win10v2004-20241007-en
General
Target: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
Size: 71KB
MD5: 294e2c97a822c73f043efb54753b8e30
SHA1: dec5e9287ecd0c800185b73e50ebeecc4e67eb7e
SHA256: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800
SHA512: 0c9298bf71bcbdecd748b4ca60236d8dc2f2fff13da52777540499bed9891a4e9ea8348303fa7d0ffc69189bc3064e397f26664f1322eab62bde3fa4a5e0ba42
SSDEEP: 1536:nvosBknP2Uo+GjDZwue3jzFfc4hghUapTOU:nvVMCcHVc4hghUS/
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrayOnly.lnk
  process: cscript.exe
Executes dropped EXE (1 IoC)
  pid 2752, process pifloader32.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: pifloader32.exe
Delays execution with timeout.exe (18 IoCs)
  process timeout.exe, pids: 2100, 1220, 328, 1624, 2856, 2164, 1032, 2292, 2988, 1904, 1372, 1536, 2928, 2052, 2984, 2604, 2184, 1824
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid 2752, process pifloader32.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  pid 2544, process WMIC.exe. The following 20 tokens are each recorded twice (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of WriteProcessMemory (64 IoCs)
  Each record reads "PID <source> wrote to memory of <target>"; identical records are counted separately, so the last column gives how many times each pair was recorded. procid_target is the report's own process identifier for the target, distinct from its Windows PID.
  source pid  source process                                                          target pid  procid_target  records
  2216        04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe  2644        30             4
  2644        cmd.exe                                                                 2688        32             3
  2644        cmd.exe                                                                 2752        33             4
  2752        pifloader32.exe                                                         2696        34             4
  2696        cmd.exe                                                                 2556        36             3
  2696        cmd.exe                                                                 2536        37             3
  2536        cmd.exe                                                                 2544        38             3
  2696        cmd.exe                                                                 2984        40             3
  2696        cmd.exe                                                                 2100        41             3
  2696        cmd.exe                                                                 1372        42             3
  2696        cmd.exe                                                                 2164        43             3
  2696        cmd.exe                                                                 2604        44             3
  2696        cmd.exe                                                                 1220        45             3
  2696        cmd.exe                                                                 328         46             3
  2696        cmd.exe                                                                 1032        47             3
  2696        cmd.exe                                                                 1536        48             3
  2696        cmd.exe                                                                 2292        49             3
  2696        cmd.exe                                                                 2988        50             3
  2696        cmd.exe                                                                 1904        51             3
  2696        cmd.exe                                                                 2184        52             3
  2696        cmd.exe                                                                 1624        53             1 (only one record before the 64-entry cut-off)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe (PID 2216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\system32\cmd.exe (PID 2644)
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\cmd.exe (PID 2688)
      Command line: cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd
    (depth 3) C:\ProgramData\pifloader32.exe (PID 2752)
      Command line: C:\ProgramData\pifloader32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\cmd.exe (PID 2696)
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\906.tmp\907.bat C:\ProgramData\pifloader32.exe"
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\system32\cscript.exe (PID 2556)
          Command line: cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log25.vbs"
          - Drops startup file
        (depth 5) C:\Windows\system32\cmd.exe (PID 2536)
          Command line: C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\Windows\System32\Wbem\WMIC.exe (PID 2544)
            Command line: WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
            - Suspicious use of AdjustPrivilegeToken
        (depth 5) C:\Windows\system32\timeout.exe, 18 instances, in tree order PIDs 2984, 2100, 1372, 2164, 2604, 1220, 328, 1032, 1536, 2292, 2988, 1904, 2184, 1624, 2928, 2052, 2856, 1824
          Command line (each instance): timeout /T 7 /nobreak
          - Delays execution with timeout.exe (each instance)
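The chain above is small enough to write detection logic against: a batch file launched through the sample spawns a second stage from C:\ProgramData, whose own batch file drops a .lnk into the user's Startup folder via cscript, reads the local time through WMIC, and then stalls in a loop of `timeout /T 7 /nobreak` calls (18 of them inside the 119 s kernel budget). Both batch launches go through C:\Windows\sysnative\cmd.exe, the WoW64 alias a 32-bit process uses to reach the 64-bit System32, which matches the arch:x86 tag on the resource. The Python below is an added example, not part of the sandbox report: it runs four checks over a constructed event list modelled on the process tree (field names follow Sysmon Event ID 1 and 11). The file-create event for pifloader32.exe and the parent PID of the sample are assumptions, since the page does not record which process wrote the loader.

```python
import re
from collections import Counter

# Constructed events (not sandbox output), modelled on the process tree above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
LOADER = r"C:\ProgramData\pifloader32.exe"
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\TrayOnly.lnk")
CMD = r"C:\Windows\system32\cmd.exe"
TIMEOUT_PIDS = (2984, 2100, 1372, 2164, 2604, 1220, 328, 1032, 1536,
                2292, 2988, 1904, 2184, 1624, 2928, 2052, 2856, 1824)


def proc(pid, ppid, image, cmd):
    """Process-create record (Sysmon EID 1 essentials)."""
    return {"kind": "proc", "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


def fcreate(pid, image, target):
    """File-create record (Sysmon EID 11 essentials)."""
    return {"kind": "file", "pid": pid, "image": image, "target": target}


EVENTS = [
    proc(2216, 1, SAMPLE, f'"{SAMPLE}"'),  # parent PID 1 is a placeholder, not from the report
    proc(2644, 2216, CMD, rf'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat {SAMPLE}"'),
    # Assumption: the first batch file writes the loader; the report does not say which process dropped it.
    fcreate(2644, CMD, LOADER),
    proc(2688, 2644, CMD, r"cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd"),
    proc(2752, 2644, LOADER, LOADER),
    proc(2696, 2752, CMD, rf'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\906.tmp\907.bat {LOADER}"'),
    proc(2556, 2696, r"C:\Windows\system32\cscript.exe",
         r'cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log25.vbs"'),
    fcreate(2556, r"C:\Windows\system32\cscript.exe", STARTUP_LNK),
    proc(2536, 2696, CMD, CMD + " /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table"),
    proc(2544, 2536, r"C:\Windows\System32\Wbem\WMIC.exe",
         "WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table"),
] + [proc(pid, 2696, r"C:\Windows\system32\timeout.exe", "timeout /T 7 /nobreak")
     for pid in TIMEOUT_PIDS]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def timeout_loops(events, min_children=5):
    """Parents that spawn >= min_children 'timeout ... /nobreak' children: the
    batch sleep loop that stalls execution. Returns {parent pid: count}."""
    hits = Counter(e["ppid"] for e in events
                   if e["kind"] == "proc" and basename(e["image"]) == "timeout.exe"
                   and "/nobreak" in e["cmd"].lower())
    return {ppid: n for ppid, n in hits.items() if n >= min_children}


def wmic_localtime(events):
    """PIDs of WMIC.exe instances querying Win32_LocalTime (the time check used
    here alongside the sleep loop)."""
    return [e["pid"] for e in events if e["kind"] == "proc"
            and basename(e["image"]) == "wmic.exe"
            and "win32_localtime" in e["cmd"].lower()]


STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


def startup_lnk_drops(events):
    """(pid, path) for .lnk files written into a Startup folder by a script host
    or shell: user-level persistence."""
    return [(e["pid"], e["target"]) for e in events if e["kind"] == "file"
            and basename(e["image"]) in ("cscript.exe", "wscript.exe", "cmd.exe", "powershell.exe")
            and STARTUP_RE.search(e["target"])]


def executes_dropped_exe(events):
    """(pid, image) for process creates whose image was written earlier in the
    same event stream: the 'Executes dropped EXE' signature."""
    dropped = {e["target"].lower() for e in events
               if e["kind"] == "file" and e["target"].lower().endswith(".exe")}
    return [(e["pid"], e["image"]) for e in events
            if e["kind"] == "proc" and e["image"].lower() in dropped]


def detect(events):
    """Run all four checks and return one finding string per hit."""
    findings = []
    for ppid, n in timeout_loops(events).items():
        findings.append(f"sleep loop: pid {ppid} spawned {n} 'timeout /nobreak' children")
    for pid in wmic_localtime(events):
        findings.append(f"time check: WMIC Win32_LocalTime query in pid {pid}")
    for pid, target in startup_lnk_drops(events):
        findings.append(f"persistence: pid {pid} created {target}")
    for pid, image in executes_dropped_exe(events):
        findings.append(f"dropped exe executed: pid {pid} image {image}")
    return findings


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The sleep-loop threshold of five children per parent is a starting point, not a tuned value; legitimate installers rarely chain more than one or two `timeout` calls under a single cmd.exe, but check your own baseline before alerting on it. The dropped-EXE check only works when the file-create and process-create events come from the same stream, so keep EID 11 enabled for paths like C:\ProgramData if you rely on it.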
Network
MITRE ATT&CK Enterprise v15
Downloads
Entry 1
  Filesize: 71KB
  MD5: 21d8fd98ffce4604c9f6ed5a50250ace
  SHA1: 0365d85d56699cc96fe2f3ca619082119130f5ab
  SHA256: 50687f86ec7378ee5f6952e548251cfd22d803276cd70d91ab70fbe363c4cff5
  SHA512: 66df58cced3341bdb12a946976287663595b2d458ae57e4060adc88eee5e563196bbb9ead2ff0d1bf13f8b9ad8b460660d88ef01ebc02135efd808e0310f856c
Entry 2
  Filesize: 4KB
  MD5: 0ea5fa94a89146f88854b46e18284141
  SHA1: db3a53ad07943f4ec37f38eada72bb2195eca619
  SHA256: 3d8f4ced477de197df507677c349bf9d1dd1cfdb91327f58bd66e8a28f2e74cd
  SHA512: 6495561c529fa880b7e5327b469565dae60dc2850585c021ba93eafa4b37657b19ea9105cd6c48ed9cce7dc790f636498e2e02407b66d4d088080c9c935c0675
Entry 3
  Filesize: 329B
  MD5: dca5253415cc37e4404cbea4eadc77c7
  SHA1: be82b2554fa49fabd3e427d0fce82b2c490456b5
  SHA256: 6271ad49562396c26eca6b4826b13f93b4d84ee4b54c83db3d157d8b68312692
  SHA512: 75de408bd218f2e5a639d86104cde7219f54b97af1d1d6f416fef58f58254a6df83c022153bfe50d7e00c5fde3622b48c6e48ebe1a7c3142929bd59518aa5a68