Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 10:26

General

  • Target

    04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe

  • Size

    71KB

  • MD5

    294e2c97a822c73f043efb54753b8e30

  • SHA1

    dec5e9287ecd0c800185b73e50ebeecc4e67eb7e

  • SHA256

    04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800

  • SHA512

    0c9298bf71bcbdecd748b4ca60236d8dc2f2fff13da52777540499bed9891a4e9ea8348303fa7d0ffc69189bc3064e397f26664f1322eab62bde3fa4a5e0ba42

  • SSDEEP

    1536:nvosBknP2Uo+GjDZwue3jzFfc4hghUapTOU:nvVMCcHVc4hghUS/

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Delays execution with timeout.exe 18 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe
    "C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\cmd.exe
        cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd
        3⤵
          PID:2688
        • C:\ProgramData\pifloader32.exe
          C:\ProgramData\pifloader32.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\906.tmp\907.bat C:\ProgramData\pifloader32.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Windows\system32\cscript.exe
              cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log25.vbs"
              5⤵
              • Drops startup file
              PID:2556
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2536
              • C:\Windows\System32\Wbem\WMIC.exe
                WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2544
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2984
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2100
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1372
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2164
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2604
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1220
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:328
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1032
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1536
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2292
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2988
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1904
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2184
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1624
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2928
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2052
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:2856
            • C:\Windows\system32\timeout.exe
              timeout /T 7 /nobreak
              5⤵
              • Delays execution with timeout.exe
              PID:1824
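
The process tree above is enough to reproduce the report's own signature logic, which is worth doing when you want the same checks run against your own Sysmon or EDR process-creation data. The following Python is an added example, not part of the sandbox report or its tooling: the event list is constructed from the PIDs and command lines visible in the tree (a ppid of 0 for the submitted sample is an assumption, as are the field layout, the function names and the directories treated as drop locations). Two points the tree supports and the code makes explicit: both batch launches go through C:\Windows\sysnative\cmd.exe, the alias a 32-bit process uses to reach the 64-bit System32 past WOW64 file-system redirection, consistent with the arch:x86 tag on this x64 image; and the 18 `timeout /T 7 /nobreak` calls add up to 126 s of sleeping, more than the 119 s max kernel time of this run, so if the batch runs them back to back its later steps fall outside the observation window.

```python
"""Re-implement the sandbox report's signature checks over its process tree.

Added example, not code from the report or its tooling. EVENTS is constructed
from the PIDs and command lines visible in the tree; a ppid of 0 marks the
submitted sample (assumption), and DROP_DIRS is an assumed list of locations
a dropped payload is likely to be written to.
"""
import re

SANDBOX_SECONDS = 119  # the report's "max time kernel"
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\04f55c78f15f9e2fcbcc6312bde96b5135a6327732863b1cfcd581239cfaa800N.exe'
TIMEOUT_PIDS = (2984, 2100, 1372, 2164, 2604, 1220, 328, 1032, 1536,
                2292, 2988, 1904, 2184, 1624, 2928, 2052, 2856, 1824)

# (pid, ppid, command line), constructed from the report's process tree.
EVENTS = [
    (2216, 0,    f'"{SAMPLE}"'),
    (2644, 2216, rf'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat {SAMPLE}"'),
    (2688, 2644, r'cmd /c /MIN C:\Users\Admin\AppData\Local\Temp\tmp.cmd'),
    (2752, 2644, r'C:\ProgramData\pifloader32.exe'),
    (2696, 2752, r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\906.tmp\907.bat C:\ProgramData\pifloader32.exe"'),
    (2556, 2696, r'cscript /b /nologo "C:\Users\Admin\AppData\Local\Temp\log25.vbs"'),
    (2536, 2696, r'C:\Windows\system32\cmd.exe /c WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table'),
    (2544, 2536, r'WMIC Path Win32_LocalTime Get Day,Hour,Minute,Month,Second,Year /Format:table'),
] + [(pid, 2696, 'timeout /T 7 /nobreak') for pid in TIMEOUT_PIDS]

# Assumed drop locations: user-writable, no admin needed, common for batch droppers.
DROP_DIRS = ('c:\\programdata\\', '\\appdata\\local\\temp\\')
TIMEOUT_RE = re.compile(r'\btimeout(?:\.exe)?\s+/t\s+(\d+)', re.I)
SCRIPT_HOSTS = ('cscript', 'cscript.exe', 'wscript', 'wscript.exe')


def image_of(cmdline):
    """First token of the command line, unquoted and lower-cased (path or bare name)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)).lower()


def sleep_budget(events):
    """Number of timeout.exe sleeps and the seconds they total if run sequentially."""
    secs = [int(m.group(1)) for _, _, c in events for m in [TIMEOUT_RE.search(c)] if m]
    return len(secs), sum(secs)


def executed_dropped_exes(events):
    """EXEs launched from a drop location that are not the submitted sample itself."""
    root = image_of(events[0][2])
    return [img for _, _, c in events
            if (img := image_of(c)).endswith('.exe') and img != root
            and any(d in img for d in DROP_DIRS)]


def lineage(events, pid):
    """Ancestry from the submitted sample down to pid, for alert context."""
    parent = {p: pp for p, pp, _ in events}
    chain = [pid]
    while parent.get(chain[-1], 0):
        chain.append(parent[chain[-1]])
    return chain[::-1]


def analyze(events, sandbox_seconds):
    """Apply the report's signature logic and return the findings as a dict."""
    calls, total = sleep_budget(events)
    return {
        'dropped_exe_executed': executed_dropped_exes(events),
        # WOW64 process reaching 64-bit System32 through the sysnative alias
        'wow64_sysnative_cmd': [p for p, _, c in events if '\\sysnative\\' in c.lower()],
        'script_host_from_temp': [p for p, _, c in events if image_of(c) in SCRIPT_HOSTS
                                  and '\\appdata\\local\\temp\\' in c.lower()],
        'local_time_discovery': [p for p, _, c in events
                                 if image_of(c).startswith('wmic') and 'win32_localtime' in c.lower()],
        'timeout_calls': calls,
        'sleep_seconds': total,
        'sleeps_exceed_sandbox': total > sandbox_seconds,
    }


if __name__ == '__main__':
    for key, value in analyze(EVENTS, SANDBOX_SECONDS).items():
        print(f'{key:24} {value}')
    print('cscript lineage:', ' -> '.join(map(str, lineage(EVENTS, 2556))))
```

Run stand-alone it prints the findings and the ancestry of the cscript process. The thresholds are deliberately simple; the part worth keeping for a real detection is the lineage check, since sample -> cmd -> EXE in ProgramData -> cmd -> cscript/timeout is a much stronger signal than any of the individual child processes on their own.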

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\pifloader32.exe
    Filesize
    71KB
    MD5
    21d8fd98ffce4604c9f6ed5a50250ace
    SHA1
    0365d85d56699cc96fe2f3ca619082119130f5ab
    SHA256
    50687f86ec7378ee5f6952e548251cfd22d803276cd70d91ab70fbe363c4cff5
    SHA512
    66df58cced3341bdb12a946976287663595b2d458ae57e4060adc88eee5e563196bbb9ead2ff0d1bf13f8b9ad8b460660d88ef01ebc02135efd808e0310f856c

  • C:\Users\Admin\AppData\Local\Temp\879.tmp\87A.bat
    Filesize
    4KB
    MD5
    0ea5fa94a89146f88854b46e18284141
    SHA1
    db3a53ad07943f4ec37f38eada72bb2195eca619
    SHA256
    3d8f4ced477de197df507677c349bf9d1dd1cfdb91327f58bd66e8a28f2e74cd
    SHA512
    6495561c529fa880b7e5327b469565dae60dc2850585c021ba93eafa4b37657b19ea9105cd6c48ed9cce7dc790f636498e2e02407b66d4d088080c9c935c0675

  • C:\Users\Admin\AppData\Local\Temp\log25.vbs
    Filesize
    329B
    MD5
    dca5253415cc37e4404cbea4eadc77c7
    SHA1
    be82b2554fa49fabd3e427d0fce82b2c490456b5
    SHA256
    6271ad49562396c26eca6b4826b13f93b4d84ee4b54c83db3d157d8b68312692
    SHA512
    75de408bd218f2e5a639d86104cde7219f54b97af1d1d6f416fef58f58254a6df83c022153bfe50d7e00c5fde3622b48c6e48ebe1a7c3142929bd59518aa5a68