d261cc4cc40165817ae64ca19140e5c574f36d97c703165256e92e1df02becd0

Resubmissions

25-04-2023 20:18

230425-y3j7yscg23 10

Analysis

max time kernel
488s
max time network
494s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Executables/STARTMENU.cmd
Size

2KB
MD5

c031ff4e95a49ec045951e7719fe3430
SHA1

96dc5c0d9ccf656f5c4097e9e192b5290fe3f1d8
SHA256

b4856939dcc61ec37e5f5b0d37292486b12dbb0171e28fa08bce19d1498032a0
SHA512

d65e0a8b937d60385657c6a34599457a60c5e6134788e8d798ad37e75c36147eca83123b1bfbe020f40482759de1087231fe1cb5ece998372906f94605a45002

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\StartMenuLayout.xml	cmd.exe
File opened for modification	C:\Windows\StartMenuLayout.xml	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4424	taskkill.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	powershell.exe
2028	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	SearchApp.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4424	3748	cmd.exe	87
PID 3748 wrote to memory of 4424	3748	cmd.exe	87
PID 3748 wrote to memory of 348	3748	cmd.exe	88
PID 3748 wrote to memory of 348	3748	cmd.exe	88
PID 348 wrote to memory of 1432	348	cmd.exe	89
PID 348 wrote to memory of 1432	348	cmd.exe	89
PID 348 wrote to memory of 4012	348	cmd.exe	90
PID 348 wrote to memory of 4012	348	cmd.exe	90
PID 3748 wrote to memory of 4768	3748	cmd.exe	91
PID 3748 wrote to memory of 4768	3748	cmd.exe	91
PID 3748 wrote to memory of 4460	3748	cmd.exe	92
PID 3748 wrote to memory of 4460	3748	cmd.exe	92
PID 3748 wrote to memory of 2184	3748	cmd.exe	93
PID 3748 wrote to memory of 2184	3748	cmd.exe	93
PID 3748 wrote to memory of 1716	3748	cmd.exe	94
PID 3748 wrote to memory of 1716	3748	cmd.exe	94
PID 3748 wrote to memory of 4288	3748	cmd.exe	96
PID 3748 wrote to memory of 4288	3748	cmd.exe	96
PID 3748 wrote to memory of 2928	3748	cmd.exe	95
PID 3748 wrote to memory of 2928	3748	cmd.exe	95
PID 3748 wrote to memory of 1020	3748	cmd.exe	97
PID 3748 wrote to memory of 1020	3748	cmd.exe	97
PID 1020 wrote to memory of 4540	1020	cmd.exe	98
PID 1020 wrote to memory of 4540	1020	cmd.exe	98
PID 1020 wrote to memory of 548	1020	cmd.exe	99
PID 1020 wrote to memory of 548	1020	cmd.exe	99
PID 3748 wrote to memory of 1928	3748	cmd.exe	100
PID 3748 wrote to memory of 1928	3748	cmd.exe	100
PID 3748 wrote to memory of 3124	3748	cmd.exe	101
PID 3748 wrote to memory of 3124	3748	cmd.exe	101
PID 3748 wrote to memory of 2608	3748	cmd.exe	102
PID 3748 wrote to memory of 2608	3748	cmd.exe	102
PID 3748 wrote to memory of 4736	3748	cmd.exe	103
PID 3748 wrote to memory of 4736	3748	cmd.exe	103
PID 4736 wrote to memory of 4104	4736	cmd.exe	104
PID 4736 wrote to memory of 4104	4736	cmd.exe	104
PID 4736 wrote to memory of 1696	4736	cmd.exe	105
PID 4736 wrote to memory of 1696	4736	cmd.exe	105
PID 3748 wrote to memory of 1492	3748	cmd.exe	106
PID 3748 wrote to memory of 1492	3748	cmd.exe	106
PID 3748 wrote to memory of 1484	3748	cmd.exe	107
PID 3748 wrote to memory of 1484	3748	cmd.exe	107
PID 3748 wrote to memory of 4160	3748	cmd.exe	108
PID 3748 wrote to memory of 4160	3748	cmd.exe	108
PID 3748 wrote to memory of 1668	3748	cmd.exe	109
PID 3748 wrote to memory of 1668	3748	cmd.exe	109
PID 3748 wrote to memory of 748	3748	cmd.exe	110
PID 3748 wrote to memory of 748	3748	cmd.exe	110
PID 3748 wrote to memory of 2028	3748	cmd.exe	111
PID 3748 wrote to memory of 2028	3748	cmd.exe	111
PID 3748 wrote to memory of 5048	3748	cmd.exe	112
PID 3748 wrote to memory of 5048	3748	cmd.exe	112
PID 3748 wrote to memory of 4872	3748	cmd.exe	113
PID 3748 wrote to memory of 4872	3748	cmd.exe	113

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Executables\STARTMENU.cmd"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "SearchApp.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKEY_USERS" | findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_USERS"
    3⤵
    PID:1432
- - C:\Windows\system32\findstr.exe
    findstr /r /x /c:"HKEY_USERS\\S-.*" /c:"HKEY_USERS\\AME_UserHive_[^_]*"
    3⤵
    PID:4012
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-19"
  2⤵
  PID:4768
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:4460
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-20"
  2⤵
  PID:2184
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:1716
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-21-144354903-2550862337-1367551827-1000"
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Local AppData" | findstr /r /x /c:".*Local AppData[ ]*REG_SZ[ ].*"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Local AppData"
    3⤵
    PID:4540
- - C:\Windows\system32\findstr.exe
    findstr /r /x /c:".*Local AppData[ ]*REG_SZ[ ].*"
    3⤵
    PID:548
- C:\Windows\system32\reg.exe
  reg add "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Policies\Microsoft\Windows\Explorer" /f
  2⤵
  PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "LockedStartLayout" /t REG_DWORD /d "0" /f
  2⤵
  PID:3124
- C:\Windows\system32\reg.exe
  reg add "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "StartLayoutFile" /t REG_SZ /d "C:\Windows\StartMenuLayout.xml" /f
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount" | findstr /c:"start.tilegrid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKU\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount"
    3⤵
    PID:4104
- - C:\Windows\system32\findstr.exe
    findstr /c:"start.tilegrid"
    3⤵
    PID:1696
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${c087a099-e4e3-49a1-a47a-56018c3698f9}$start.tilegrid$windows.data.curatedtilecollection.tilecollection" /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-21-144354903-2550862337-1367551827-1000_Classes"
  2⤵
  PID:1484
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:4160
- C:\Windows\system32\reg.exe
  reg query "HKEY_USERS\S-1-5-18"
  2⤵
  PID:1668
- C:\Windows\system32\findstr.exe
  findstr /c:"Volatile Environment" /c:"AME_UserHive_"
  2⤵
  PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoP -C "Import-StartLayout -LayoutPath 'C:\Windows\StartMenuLayout.xml' -MountPath $env:SystemDrive\\"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /f
  2⤵
  PID:5048
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "StartLayoutFile" /t REG_SZ /d "C:\Windows\StartMenuLayout.xml" /f
  2⤵
  PID:4872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133269279461416848.txt

Filesize
75KB

MD5
65019a5db517d9fb830d8a57406a03ea

SHA1
817faf2ffe8461f653519e7bd96e7ee75021c891

SHA256
3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

SHA512
bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqvuqxon.mgi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\StartMenuLayout.xml

Filesize
496B

MD5
cc447c5c7ee23e8c95da45be3f7ca029

SHA1
2c39a0c9d9f8dc5e8a4e26018917135be183a72b

SHA256
5b9fd1e860f1b64c15747a7f75375af57106a57599cfd285ea6ce14266f1b648

SHA512
e9519855f425ce6a219b7c39fd12eadaf03bc8a138c4032c2d33871f228482642284197a1a3ceb15da38b0aa39b53b1b5c7c3632cb9ae8dd6565ddf61cf61950

Download Submit
memory/2028-135-0x000002E08BAF0000-0x000002E08BB12000-memory.dmp

Filesize
136KB

Download
memory/2028-145-0x000002E08BB60000-0x000002E08BB6A000-memory.dmp

Filesize
40KB

Download
memory/2028-147-0x000002E0A3D10000-0x000002E0A3D20000-memory.dmp

Filesize
64KB

Download
memory/2028-148-0x000002E0A3D10000-0x000002E0A3D20000-memory.dmp

Filesize
64KB

Download
memory/2028-150-0x000002E0A3D10000-0x000002E0A3D20000-memory.dmp

Filesize
64KB

Download
memory/2100-159-0x00000217DCDC0000-0x00000217DCDE0000-memory.dmp

Filesize
128KB

Download
memory/2100-162-0x00000217DCD80000-0x00000217DCDA0000-memory.dmp

Filesize
128KB

Download
memory/2100-165-0x00000217DD190000-0x00000217DD1B0000-memory.dmp

Filesize
128KB

Download