10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

check.bat
Size

293B
MD5

b3f76f60fe8737a2bd098120c7495ff1
SHA1

4cd59826e2718d4e8728fc4b46f3b35fd8ee7958
SHA256

a7d5f7a14e36920413e743932f26e624573bbb0f431c594fb71d87a252c8d90d
SHA512

18422e43876d2ab81f74df50be6087b18233197cd5826f7dfbca1bf0f290d238fc440c93bbb3548867c58794286d96d6a5ce7f9e53a2d6a14cb49c72089581c9

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xmlprov\Parameters\ServiceDll = "C:\\Windows\\System32\\xmlprov.dll"	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
2896	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\xmlprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.dll	cmd.exe
File created	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.ini	cmd.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1980	sc.exe
4644	sc.exe
2376	sc.exe
4588	sc.exe
2620	sc.exe
4944	sc.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "65001"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1276	reg.exe

Runs net.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1864	2304	cmd.exe	79
PID 2304 wrote to memory of 1864	2304	cmd.exe	79
PID 1864 wrote to memory of 1332	1864	net.exe	80
PID 1864 wrote to memory of 1332	1864	net.exe	80
PID 2304 wrote to memory of 1980	2304	cmd.exe	81
PID 2304 wrote to memory of 1980	2304	cmd.exe	81
PID 2304 wrote to memory of 2444	2304	cmd.exe	82
PID 2304 wrote to memory of 2444	2304	cmd.exe	82
PID 2304 wrote to memory of 4212	2304	cmd.exe	83
PID 2304 wrote to memory of 4212	2304	cmd.exe	83
PID 2304 wrote to memory of 4644	2304	cmd.exe	84
PID 2304 wrote to memory of 4644	2304	cmd.exe	84
PID 2304 wrote to memory of 2376	2304	cmd.exe	85
PID 2304 wrote to memory of 2376	2304	cmd.exe	85
PID 2304 wrote to memory of 4588	2304	cmd.exe	86
PID 2304 wrote to memory of 4588	2304	cmd.exe	86
PID 2304 wrote to memory of 2620	2304	cmd.exe	87
PID 2304 wrote to memory of 2620	2304	cmd.exe	87
PID 2304 wrote to memory of 5000	2304	cmd.exe	88
PID 2304 wrote to memory of 5000	2304	cmd.exe	88
PID 2304 wrote to memory of 4984	2304	cmd.exe	89
PID 2304 wrote to memory of 4984	2304	cmd.exe	89
PID 2304 wrote to memory of 4944	2304	cmd.exe	90
PID 2304 wrote to memory of 4944	2304	cmd.exe	90
PID 2896 wrote to memory of 4504	2896	svchost.exe	92
PID 2896 wrote to memory of 4504	2896	svchost.exe	92
PID 4504 wrote to memory of 1276	4504	cmd.exe	94
PID 4504 wrote to memory of 1276	4504	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\check.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1332
- C:\Windows\system32\sc.exe
  sc stop XmlProv
  2⤵
  - Launches sc.exe
  PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\ "
  2⤵
  PID:2444
- C:\Windows\system32\findstr.exe
  findstr /i "system32"
  2⤵
  PID:4212
- C:\Windows\system32\sc.exe
  sc query XmlProv
  2⤵
  - Launches sc.exe
  PID:4644
- C:\Windows\system32\sc.exe
  sc create XmlProv binpath= "C:\Windows\System32\svchost.exe -k XmlProv" DisplayName= "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\system32\sc.exe
  sc description XmlProv "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\system32\sc.exe
  sc config XmlProv type= interact type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k XmlProv"
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v XmlProv /t REG_MULTI_SZ /d "XmlProv" /f
  2⤵
  PID:5000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\XmlProv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\xmlprov.dll" /f
  2⤵
  - Sets DLL path for service in the registry
  PID:4984
- C:\Windows\system32\sc.exe
  sc start XmlProv
  2⤵
  - Launches sc.exe
  PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k XmlProv
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\cmd.exe
  cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry key
    PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.ini

Filesize
67B

MD5
6f287b6e63915d95be6bc6988713d83c

SHA1
13aa8bbf1a843b7cf81d6f052e83a9c3d113041a

SHA256
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6

SHA512
87a1c3cdbcb4b8d726959f988269a6df839e12e08f96b64d8221c8c056676cc91e3dd2d26b35a1cab7e526f96cd1055eb2063771f12c4d348c0796676ba4d1ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads