10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f

Analysis

max time kernel
128s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

check.bat
Size

293B
MD5

b3f76f60fe8737a2bd098120c7495ff1
SHA1

4cd59826e2718d4e8728fc4b46f3b35fd8ee7958
SHA256

a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d
SHA512

18422e43876d2ab81f74df50be6087b18233197cd5826f7dfbca1bf0f290d238fc440c93bbb3548867c58794286d96d6a5ce7f9e53a2d6a14cb49c72089581c9

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xmlprov\Parameters\ServiceDll = "C:\\Windows\\System32\\xmlprov.dll"	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1556	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1296	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\xmlprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.dll	cmd.exe
File created	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
592	sc.exe
684	sc.exe
1288	sc.exe
1144	sc.exe
1020	sc.exe
524	sc.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-46-d7-d9-cb-f6\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}\WpadDecisionTime = b0677841579cd901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}\WpadNetworkName = "Network 2"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-46-d7-d9-cb-f6	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-46-d7-d9-cb-f6\WpadDecisionTime = b0677841579cd901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-46-d7-d9-cb-f6\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "65001"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A8BD28B-A178-4097-957E-4E862C0A20E1}\86-46-d7-d9-cb-f6	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1340	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 840	1556	cmd.exe	29
PID 1556 wrote to memory of 840	1556	cmd.exe	29
PID 1556 wrote to memory of 840	1556	cmd.exe	29
PID 840 wrote to memory of 1096	840	net.exe	30
PID 840 wrote to memory of 1096	840	net.exe	30
PID 840 wrote to memory of 1096	840	net.exe	30
PID 1556 wrote to memory of 1144	1556	cmd.exe	31
PID 1556 wrote to memory of 1144	1556	cmd.exe	31
PID 1556 wrote to memory of 1144	1556	cmd.exe	31
PID 1556 wrote to memory of 1168	1556	cmd.exe	32
PID 1556 wrote to memory of 1168	1556	cmd.exe	32
PID 1556 wrote to memory of 1168	1556	cmd.exe	32
PID 1556 wrote to memory of 1172	1556	cmd.exe	33
PID 1556 wrote to memory of 1172	1556	cmd.exe	33
PID 1556 wrote to memory of 1172	1556	cmd.exe	33
PID 1556 wrote to memory of 1020	1556	cmd.exe	34
PID 1556 wrote to memory of 1020	1556	cmd.exe	34
PID 1556 wrote to memory of 1020	1556	cmd.exe	34
PID 1556 wrote to memory of 524	1556	cmd.exe	35
PID 1556 wrote to memory of 524	1556	cmd.exe	35
PID 1556 wrote to memory of 524	1556	cmd.exe	35
PID 1556 wrote to memory of 592	1556	cmd.exe	36
PID 1556 wrote to memory of 592	1556	cmd.exe	36
PID 1556 wrote to memory of 592	1556	cmd.exe	36
PID 1556 wrote to memory of 684	1556	cmd.exe	37
PID 1556 wrote to memory of 684	1556	cmd.exe	37
PID 1556 wrote to memory of 684	1556	cmd.exe	37
PID 1556 wrote to memory of 1644	1556	cmd.exe	38
PID 1556 wrote to memory of 1644	1556	cmd.exe	38
PID 1556 wrote to memory of 1644	1556	cmd.exe	38
PID 1556 wrote to memory of 580	1556	cmd.exe	39
PID 1556 wrote to memory of 580	1556	cmd.exe	39
PID 1556 wrote to memory of 580	1556	cmd.exe	39
PID 1556 wrote to memory of 1288	1556	cmd.exe	40
PID 1556 wrote to memory of 1288	1556	cmd.exe	40
PID 1556 wrote to memory of 1288	1556	cmd.exe	40
PID 1296 wrote to memory of 696	1296	svchost.exe	42
PID 1296 wrote to memory of 696	1296	svchost.exe	42
PID 1296 wrote to memory of 696	1296	svchost.exe	42
PID 696 wrote to memory of 1340	696	cmd.exe	44
PID 696 wrote to memory of 1340	696	cmd.exe	44
PID 696 wrote to memory of 1340	696	cmd.exe	44

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
1⤵
- Deletes itself
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1096
- C:\Windows\system32\sc.exe
  sc stop XmlProv
  2⤵
  - Launches sc.exe
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\ "
  2⤵
  PID:1168
- C:\Windows\system32\findstr.exe
  findstr /i "system32"
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc query XmlProv
  2⤵
  - Launches sc.exe
  PID:1020
- C:\Windows\system32\sc.exe
  sc create XmlProv binpath= "C:\Windows\System32\svchost.exe -k XmlProv" DisplayName= "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:524
- C:\Windows\system32\sc.exe
  sc description XmlProv "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:592
- C:\Windows\system32\sc.exe
  sc config XmlProv type= interact type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k XmlProv"
  2⤵
  - Launches sc.exe
  PID:684
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v XmlProv /t REG_MULTI_SZ /d "XmlProv" /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\XmlProv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\xmlprov.dll" /f
  2⤵
  - Sets DLL path for service in the registry
  PID:580
- C:\Windows\system32\sc.exe
  sc start XmlProv
  2⤵
  - Launches sc.exe
  PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k XmlProv
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\System32\cmd.exe
  cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry key
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\system32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.ini

Filesize
67B

MD5
6f287b6e63915d95be6bc6988713d83c

SHA1
13aa8bbf1a843b7cf81d6f052e83a9c3d113041a

SHA256
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6

SHA512
87a1c3cdbcb4b8d726959f988269a6df839e12e08f96b64d8221c8c056676cc91e3dd2d26b35a1cab7e526f96cd1055eb2063771f12c4d348c0796676ba4d1ca

Download Submit
\Windows\System32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads