4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PL/Une1.exe
Size

900KB
MD5

c340449d532642420d4bedc2e9f7ce7c
SHA1

6153df468674d2eb1680eb6bb0e1bdbc0d6856b7
SHA256

a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
SHA512

c9a085e30ed056c819b992bbe34d606d9fca0704362917ad226b64d233b4800be5fb9de35150f2cdd6bc0f3f1132ac77f558f00dd27ca8d474df4a056a7ff4d3
SSDEEP

12288:5S7lrM9H8y8ea2SONB3/FI3o+fQqZ/pXVrMkM0ke4jNHUJopuBXidpX1ScBl/2GE:eM9H9MMIh4qZRVgtjOoAYX1SgB74j/

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Tanks.exe.pifTanks.exe.pif

pid process

3680 Tanks.exe.pif
4036 Tanks.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Tanks.exe.pif

pid process

3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif

pid	process
3680	Tanks.exe.pif
4036	Tanks.exe.pif

pid	process
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Une1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Une1.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4040 tasklist.exe
4144 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Tanks.exe.pif

description pid process target process

PID 3680 set thread context of 4036 3680 Tanks.exe.pif Tanks.exe.pif

pid	process
4040	tasklist.exe
4144	tasklist.exe

description	pid	process	target process
PID 3680 set thread context of 4036	3680	Tanks.exe.pif	Tanks.exe.pif

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Une1.exeat.exefind.exetasklist.exefindstr.exePING.EXETanks.exe.pifcmd.execmd.exetasklist.exefind.exeTanks.exe.pifPING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Une1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tanks.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tanks.exe.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEPING.EXE

pid process

5016 cmd.exe
3972 PING.EXE
3440 PING.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3972 PING.EXE
3440 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Tanks.exe.pif

pid process

3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4040 tasklist.exe
Token: SeDebugPrivilege 4144 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Tanks.exe.pif

pid process

3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Tanks.exe.pif

pid process

3680 Tanks.exe.pif
3680 Tanks.exe.pif
3680 Tanks.exe.pif

pid	process
5016	cmd.exe
3972	PING.EXE
3440	PING.EXE

pid	process
3972	PING.EXE
3440	PING.EXE

pid	process
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif

description	pid	process
Token: SeDebugPrivilege	4040	tasklist.exe
Token: SeDebugPrivilege	4144	tasklist.exe

pid	process
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif

pid	process
3680	Tanks.exe.pif
3680	Tanks.exe.pif
3680	Tanks.exe.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Une1.execmd.execmd.exeTanks.exe.pif

description	pid	process	target process
PID 3652 wrote to memory of 3324	3652	Une1.exe	at.exe
PID 3652 wrote to memory of 3324	3652	Une1.exe	at.exe
PID 3652 wrote to memory of 3324	3652	Une1.exe	at.exe
PID 3652 wrote to memory of 5016	3652	Une1.exe	cmd.exe
PID 3652 wrote to memory of 5016	3652	Une1.exe	cmd.exe
PID 3652 wrote to memory of 5016	3652	Une1.exe	cmd.exe
PID 5016 wrote to memory of 3628	5016	cmd.exe	cmd.exe
PID 5016 wrote to memory of 3628	5016	cmd.exe	cmd.exe
PID 5016 wrote to memory of 3628	5016	cmd.exe	cmd.exe
PID 3628 wrote to memory of 4040	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 4040	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 4040	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 3948	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 3948	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 3948	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 4144	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 4144	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 4144	3628	cmd.exe	tasklist.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	find.exe
PID 3628 wrote to memory of 2620	3628	cmd.exe	findstr.exe
PID 3628 wrote to memory of 2620	3628	cmd.exe	findstr.exe
PID 3628 wrote to memory of 2620	3628	cmd.exe	findstr.exe
PID 3628 wrote to memory of 3680	3628	cmd.exe	Tanks.exe.pif
PID 3628 wrote to memory of 3680	3628	cmd.exe	Tanks.exe.pif
PID 3628 wrote to memory of 3680	3628	cmd.exe	Tanks.exe.pif
PID 3628 wrote to memory of 3972	3628	cmd.exe	PING.EXE
PID 3628 wrote to memory of 3972	3628	cmd.exe	PING.EXE
PID 3628 wrote to memory of 3972	3628	cmd.exe	PING.EXE
PID 5016 wrote to memory of 3440	5016	cmd.exe	PING.EXE
PID 5016 wrote to memory of 3440	5016	cmd.exe	PING.EXE
PID 5016 wrote to memory of 3440	5016	cmd.exe	PING.EXE
PID 3680 wrote to memory of 4036	3680	Tanks.exe.pif	Tanks.exe.pif
PID 3680 wrote to memory of 4036	3680	Tanks.exe.pif	Tanks.exe.pif
PID 3680 wrote to memory of 4036	3680	Tanks.exe.pif	Tanks.exe.pif
PID 3680 wrote to memory of 4036	3680	Tanks.exe.pif	Tanks.exe.pif
PID 3680 wrote to memory of 4036	3680	Tanks.exe.pif	Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe
"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\at.exe
  at 3874982763784yhwgdfg78234789s42809374918uf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Film.aspx & ping -n 5 localhost
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AvastUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avastui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3948
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq AVGUI.exe"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4144
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "avgui.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^otPcqYaF$" Deliver.aspx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
      Tanks.exe.pif A
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3972
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx

Filesize
891KB

MD5
ffc713ff8173dac3c96bc583eb916705

SHA1
3c1b3e1eb258e304722ecc876820a470d491467d

SHA256
8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4

SHA512
8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx

Filesize
924KB

MD5
701381da8e4a87f18a22b98eee09a22b

SHA1
f5ff5c1714155b853a8335b1d359a010c012c596

SHA256
8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3

SHA512
55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx

Filesize
12KB

MD5
8eb593f08a4cca9959a469af6528ac0d

SHA1
8f4ae3c90b6d653eb75224683358f12dfc442dca

SHA256
7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70

SHA512
631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/3680-31-0x0000000000DE0000-0x0000000000ECB000-memory.dmp

Filesize
940KB

Download
memory/4036-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-30-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4036-32-0x0000000000DE0000-0x0000000000ECB000-memory.dmp

Filesize
940KB

Download