10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f

Analysis

max time kernel
90s
max time network
92s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.bat
Size

1KB
MD5

598217191b9283f95a025fc454b7a4f9
SHA1

65c5bafccea1a60eb5efb1fbc976333b6dddbd1f
SHA256

4876a41ca8919c4ff58ffb4b4df54202d82804fd85d0010669c7cb4f369c12c3
SHA512

100eeaaa2a3d2cc83f9a76adc5ac81d6284b321dbbb89481d5db06e5cd24ff6de03b6cdade7833e66c976bd597019763f7e230072bf5224bb687e36067f3fb45

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xmlprov\Parameters\ServiceDll = "C:\\Windows\\System32\\xmlprov.dll"	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
2000	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1492	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\System32\xmlprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.dll	cmd.exe
File created	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.ini	cmd.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1480	sc.exe
1636	sc.exe
772	sc.exe
1996	sc.exe
1860	sc.exe
572	sc.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}\96-93-e9-65-7c-06	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-93-e9-65-7c-06\WpadDecisionTime = 606efd41579cd901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}\WpadDecisionTime = 606efd41579cd901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-93-e9-65-7c-06	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-93-e9-65-7c-06\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D35652C-D422-4AD6-B227-42A6C3399395}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "65001"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-93-e9-65-7c-06\WpadDecisionReason = "1"	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
828	reg.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1996	2000	cmd.exe	29
PID 2000 wrote to memory of 1996	2000	cmd.exe	29
PID 2000 wrote to memory of 1996	2000	cmd.exe	29
PID 2000 wrote to memory of 1956	2000	cmd.exe	30
PID 2000 wrote to memory of 1956	2000	cmd.exe	30
PID 2000 wrote to memory of 1956	2000	cmd.exe	30
PID 2000 wrote to memory of 928	2000	cmd.exe	31
PID 2000 wrote to memory of 928	2000	cmd.exe	31
PID 2000 wrote to memory of 928	2000	cmd.exe	31
PID 2000 wrote to memory of 1860	2000	cmd.exe	32
PID 2000 wrote to memory of 1860	2000	cmd.exe	32
PID 2000 wrote to memory of 1860	2000	cmd.exe	32
PID 2000 wrote to memory of 572	2000	cmd.exe	33
PID 2000 wrote to memory of 572	2000	cmd.exe	33
PID 2000 wrote to memory of 572	2000	cmd.exe	33
PID 2000 wrote to memory of 1480	2000	cmd.exe	34
PID 2000 wrote to memory of 1480	2000	cmd.exe	34
PID 2000 wrote to memory of 1480	2000	cmd.exe	34
PID 2000 wrote to memory of 1636	2000	cmd.exe	35
PID 2000 wrote to memory of 1636	2000	cmd.exe	35
PID 2000 wrote to memory of 1636	2000	cmd.exe	35
PID 2000 wrote to memory of 320	2000	cmd.exe	36
PID 2000 wrote to memory of 320	2000	cmd.exe	36
PID 2000 wrote to memory of 320	2000	cmd.exe	36
PID 2000 wrote to memory of 472	2000	cmd.exe	37
PID 2000 wrote to memory of 472	2000	cmd.exe	37
PID 2000 wrote to memory of 472	2000	cmd.exe	37
PID 2000 wrote to memory of 772	2000	cmd.exe	38
PID 2000 wrote to memory of 772	2000	cmd.exe	38
PID 2000 wrote to memory of 772	2000	cmd.exe	38
PID 1492 wrote to memory of 1168	1492	svchost.exe	40
PID 1492 wrote to memory of 1168	1492	svchost.exe	40
PID 1492 wrote to memory of 1168	1492	svchost.exe	40
PID 1168 wrote to memory of 828	1168	cmd.exe	42
PID 1168 wrote to memory of 828	1168	cmd.exe	42
PID 1168 wrote to memory of 828	1168	cmd.exe	42

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Deletes itself
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\sc.exe
  sc stop XmlProv
  2⤵
  - Launches sc.exe
  PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\ "
  2⤵
  PID:1956
- C:\Windows\system32\findstr.exe
  findstr /i "system32"
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc query XmlProv
  2⤵
  - Launches sc.exe
  PID:1860
- C:\Windows\system32\sc.exe
  sc create XmlProv binpath= "C:\Windows\System32\svchost.exe -k XmlProv" DisplayName= "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:572
- C:\Windows\system32\sc.exe
  sc description XmlProv "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\system32\sc.exe
  sc config XmlProv type= interact type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k XmlProv"
  2⤵
  - Launches sc.exe
  PID:1636
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v XmlProv /t REG_MULTI_SZ /d "XmlProv" /f
  2⤵
  PID:320
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\XmlProv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\xmlprov.dll" /f
  2⤵
  - Sets DLL path for service in the registry
  PID:472
- C:\Windows\system32\sc.exe
  sc start XmlProv
  2⤵
  - Launches sc.exe
  PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k XmlProv
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\System32\cmd.exe
  cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry key
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\system32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.ini

Filesize
67B

MD5
6f287b6e63915d95be6bc6988713d83c

SHA1
13aa8bbf1a843b7cf81d6f052e83a9c3d113041a

SHA256
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6

SHA512
87a1c3cdbcb4b8d726959f988269a6df839e12e08f96b64d8221c8c056676cc91e3dd2d26b35a1cab7e526f96cd1055eb2063771f12c4d348c0796676ba4d1ca

Download Submit
\Windows\System32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads