d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25-04-2023 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
290s
max time network
437s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executables/ONED.cmd
Size

1KB
MD5

cec711d5a97da76868926c26c9c009ae
SHA1

5e24bf73cb882d92b72b5a9fe9bfd014d334630a
SHA256

1d3873bbddece264a56a6287ce879ee778033f3232978e53cd4868186c78fff5
SHA512

3a5649f52d103a50a48d6ffabdc304d927c468cc5ce512278461f4f41171d59c31d243f34bb368f737ca9baee442ef8def732e315dc19f442323a2cb271589fb

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
5072	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3628	2200	cmd.exe	86
PID 2200 wrote to memory of 3628	2200	cmd.exe	86
PID 3628 wrote to memory of 2000	3628	cmd.exe	87
PID 3628 wrote to memory of 2000	3628	cmd.exe	87
PID 3628 wrote to memory of 3892	3628	cmd.exe	88
PID 3628 wrote to memory of 3892	3628	cmd.exe	88
PID 2200 wrote to memory of 1408	2200	cmd.exe	89
PID 2200 wrote to memory of 1408	2200	cmd.exe	89
PID 2200 wrote to memory of 2904	2200	cmd.exe	90
PID 2200 wrote to memory of 2904	2200	cmd.exe	90
PID 2200 wrote to memory of 2528	2200	cmd.exe	91
PID 2200 wrote to memory of 2528	2200	cmd.exe	91
PID 2200 wrote to memory of 4952	2200	cmd.exe	92
PID 2200 wrote to memory of 4952	2200	cmd.exe	92
PID 2200 wrote to memory of 1568	2200	cmd.exe	93
PID 2200 wrote to memory of 1568	2200	cmd.exe	93
PID 2200 wrote to memory of 644	2200	cmd.exe	94
PID 2200 wrote to memory of 644	2200	cmd.exe	94
PID 2200 wrote to memory of 1976	2200	cmd.exe	95
PID 2200 wrote to memory of 1976	2200	cmd.exe	95
PID 1976 wrote to memory of 3040	1976	cmd.exe	96
PID 1976 wrote to memory of 3040	1976	cmd.exe	96
PID 1976 wrote to memory of 2416	1976	cmd.exe	97
PID 1976 wrote to memory of 2416	1976	cmd.exe	97
PID 2200 wrote to memory of 3860	2200	cmd.exe	98
PID 2200 wrote to memory of 3860	2200	cmd.exe	98
PID 3860 wrote to memory of 4428	3860	cmd.exe	100
PID 3860 wrote to memory of 4428	3860	cmd.exe	100
PID 3860 wrote to memory of 5008	3860	cmd.exe	99
PID 3860 wrote to memory of 5008	3860	cmd.exe	99
PID 2200 wrote to memory of 212	2200	cmd.exe	101
PID 2200 wrote to memory of 212	2200	cmd.exe	101
PID 212 wrote to memory of 4976	212	cmd.exe	102
PID 212 wrote to memory of 4976	212	cmd.exe	102
PID 212 wrote to memory of 4504	212	cmd.exe	103
PID 212 wrote to memory of 4504	212	cmd.exe	103
PID 2200 wrote to memory of 2828	2200	cmd.exe	104
PID 2200 wrote to memory of 2828	2200	cmd.exe	104
PID 2200 wrote to memory of 2680	2200	cmd.exe	105
PID 2200 wrote to memory of 2680	2200	cmd.exe	105
PID 2680 wrote to memory of 1432	2680	cmd.exe	107
PID 2680 wrote to memory of 1432	2680	cmd.exe	107
PID 2680 wrote to memory of 5048	2680	cmd.exe	106
PID 2680 wrote to memory of 5048	2680	cmd.exe	106
PID 2200 wrote to memory of 4000	2200	cmd.exe	108
PID 2200 wrote to memory of 4000	2200	cmd.exe	108
PID 2200 wrote to memory of 3412	2200	cmd.exe	111
PID 2200 wrote to memory of 3412	2200	cmd.exe	111
PID 2200 wrote to memory of 4580	2200	cmd.exe	110
PID 2200 wrote to memory of 4580	2200	cmd.exe	110
PID 2200 wrote to memory of 4456	2200	cmd.exe	109
PID 2200 wrote to memory of 4456	2200	cmd.exe	109
PID 2200 wrote to memory of 1960	2200	cmd.exe	112
PID 2200 wrote to memory of 1960	2200	cmd.exe	112
PID 2200 wrote to memory of 952	2200	cmd.exe	113
PID 2200 wrote to memory of 952	2200	cmd.exe	113
PID 2200 wrote to memory of 5072	2200	cmd.exe	114
PID 2200 wrote to memory of 5072	2200	cmd.exe	114
PID 2200 wrote to memory of 4656	2200	cmd.exe	115
PID 2200 wrote to memory of 4656	2200	cmd.exe	115
PID 2200 wrote to memory of 400	2200	cmd.exe	116
PID 2200 wrote to memory of 400	2200	cmd.exe	116
PID 400 wrote to memory of 4272	400	cmd.exe	117
PID 400 wrote to memory of 4272	400	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\ONED.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS" | findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_USERS"
    3⤵
    PID:2000
- - C:\Windows\system32\findstr.exe
    findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
    3⤵
    PID:3892
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:1408
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-20"
  2⤵
  PID:2528
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:4952
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000"
  2⤵
  PID:1568
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BannerStore" | findstr /i /c:"OneDrive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BannerStore"
    3⤵
    PID:3040
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"OneDrive"
    3⤵
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers" | findstr /i /c:"OneDrive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"OneDrive"
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" | findstr /i /c:"OneDrive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
    3⤵
    PID:4976
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"OneDrive"
    3⤵
    PID:4504
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneDriveFileLauncher.exe" /f
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" | findstr /i /c:"OneDrive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"OneDrive"
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:1432
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /f
  2⤵
  PID:4000
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes"
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  reg delete "HKU\S-1-5-21-2805025096-2326403612-4231045514-1000\Environment" /v "OneDrive" /f
  2⤵
  PID:3412
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-18"
  2⤵
  PID:1960
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:952
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /a:d "C:\Users"
  2⤵
  PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager" | findstr /i /c:"OneDrive"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager"
    3⤵
    PID:4272
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"OneDrive"
    3⤵
    PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /query /fo list /v | findstr /c:"\OneDrive Reporting Task" /c:"\OneDrive Standalone Update Task"
  2⤵
  PID:3468
- - C:\Windows\system32\schtasks.exe
    schtasks /query /fo list /v
    3⤵
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr /c:"\OneDrive Reporting Task" /c:"\OneDrive Standalone Update Task"
    3⤵
    PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads