Overview
overview
10Static
static
10PL/6523.exe
windows7-x64
10PL/6523.exe
windows10-2004-x64
10PL/Galaxy.exe
windows10-2004-x64
7PL/Service.exe
windows7-x64
6PL/Service.exe
windows10-2004-x64
6PL/Une1.exe
windows10-2004-x64
7PL/pb1115.exe
windows7-x64
7PL/pb1115.exe
windows10-2004-x64
7PL/setup.exe
windows7-x64
10PL/setup.exe
windows10-2004-x64
10PL/setup.exe
windows7-x64
10PL/setup.exe
windows10-2004-x64
8PL/setup331.exe
windows7-x64
7PL/setup331.exe
windows10-2004-x64
7Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 08:10
Behavioral task
behavioral1
Sample
PL/6523.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
PL/6523.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
PL/Galaxy.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
PL/Service.exe
Resource
win7-20240729-en
Behavioral task
behavioral5
Sample
PL/Service.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
PL/Une1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
PL/pb1115.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
PL/pb1115.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
PL/setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
PL/setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
PL/setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
PL/setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
PL/setup331.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
PL/setup331.exe
Resource
win10v2004-20241007-en
General
-
Target
PL/Une1.exe
-
Size
900KB
-
MD5
c340449d532642420d4bedc2e9f7ce7c
-
SHA1
6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
-
SHA256
a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
-
SHA512
c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
-
SSDEEP
12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3680 Tanks.exe.pif 4036 Tanks.exe.pif -
Loads dropped DLL 6 IoCs
pid Process 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" Une1.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 4040 tasklist.exe 4144 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3680 set thread context of 4036 3680 Tanks.exe.pif 111 -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Une1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tanks.exe.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tanks.exe.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5016 cmd.exe 3972 PING.EXE 3440 PING.EXE -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 3972 PING.EXE 3440 PING.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4040 tasklist.exe Token: SeDebugPrivilege 4144 tasklist.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3680 Tanks.exe.pif 3680 Tanks.exe.pif 3680 Tanks.exe.pif -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 3652 wrote to memory of 3324 3652 Une1.exe 84 PID 3652 wrote to memory of 3324 3652 Une1.exe 84 PID 3652 wrote to memory of 3324 3652 Une1.exe 84 PID 3652 wrote to memory of 5016 3652 Une1.exe 86 PID 3652 wrote to memory of 5016 3652 Une1.exe 86 PID 3652 wrote to memory of 5016 3652 Une1.exe 86 PID 5016 wrote to memory of 3628 5016 cmd.exe 89 PID 5016 wrote to memory of 3628 5016 cmd.exe 89 PID 5016 wrote to memory of 3628 5016 cmd.exe 89 PID 3628 wrote to memory of 4040 3628 cmd.exe 91 PID 3628 wrote to memory of 4040 3628 cmd.exe 91 PID 3628 wrote to memory of 4040 3628 cmd.exe 91 PID 3628 wrote to memory of 3948 3628 cmd.exe 92 PID 3628 wrote to memory of 3948 3628 cmd.exe 92 PID 3628 wrote to memory of 3948 3628 cmd.exe 92 PID 3628 wrote to memory of 4144 3628 cmd.exe 94 PID 3628 wrote to memory of 4144 3628 cmd.exe 94 PID 3628 wrote to memory of 4144 3628 cmd.exe 94 PID 3628 wrote to memory of 4688 3628 cmd.exe 95 PID 3628 wrote to memory of 4688 3628 cmd.exe 95 PID 3628 wrote to memory of 4688 3628 cmd.exe 95 PID 3628 wrote to memory of 2620 3628 cmd.exe 96 PID 3628 wrote to memory of 2620 3628 cmd.exe 96 PID 3628 wrote to memory of 2620 3628 cmd.exe 96 PID 3628 wrote to memory of 3680 3628 cmd.exe 97 PID 3628 wrote to memory of 3680 3628 cmd.exe 97 PID 3628 wrote to memory of 3680 3628 cmd.exe 97 PID 3628 wrote to memory of 3972 3628 cmd.exe 98 PID 3628 wrote to memory of 3972 3628 cmd.exe 98 PID 3628 wrote to memory of 3972 3628 cmd.exe 98 PID 5016 wrote to memory of 3440 5016 cmd.exe 104 PID 5016 wrote to memory of 3440 5016 cmd.exe 104 PID 5016 wrote to memory of 3440 5016 cmd.exe 104 PID 3680 wrote to memory of 4036 3680 Tanks.exe.pif 111 PID 3680 wrote to memory of 4036 3680 Tanks.exe.pif 111 PID 3680 wrote to memory of 4036 3680 Tanks.exe.pif 111 PID 3680 wrote to memory of 4036 3680 Tanks.exe.pif 111 PID 3680 wrote to memory of 4036 3680 Tanks.exe.pif 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\at.exeat 3874982763784yhwgdfg78234789s42809374918uf2⤵
- System Location Discovery: System Language Discovery
PID:3324
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Film.aspx & ping -n 5 localhost2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\cmd.execmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3628 -
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AvastUI.exe"4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\SysWOW64\find.exefind /I /N "avastui.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3948
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AVGUI.exe"4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
C:\Windows\SysWOW64\find.exefind /I /N "avgui.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4688
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^otPcqYaF$" Deliver.aspx4⤵
- System Location Discovery: System Language Discovery
PID:2620
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pifTanks.exe.pif A4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pifC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4036
-
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 54⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3972
-
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3440
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
891KB
MD5ffc713ff8173dac3c96bc583eb916705
SHA13c1b3e1eb258e304722ecc876820a470d491467d
SHA2568d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4
SHA5128af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f
-
Filesize
924KB
MD5701381da8e4a87f18a22b98eee09a22b
SHA1f5ff5c1714155b853a8335b1d359a010c012c596
SHA2568b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3
SHA51255ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141
-
Filesize
12KB
MD58eb593f08a4cca9959a469af6528ac0d
SHA18f4ae3c90b6d653eb75224683358f12dfc442dca
SHA2567903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70
SHA512631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9
-
Filesize
924KB
MD56987e4cd3f256462f422326a7ef115b9
SHA171672a495b4603ecfec40a65254cb3ba8766bbe0
SHA2563e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA5124b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
-
Filesize
1.6MB
MD54f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219