10109e69d1fb2fe8f801c3588f829e020f1f29c4638fad5394c1033bc298fd3f

General

Target

install.bat
Size

1KB
MD5

598217191b9283f95a025fc454b7a4f9
SHA1

65c5bafccea1a60eb5efb1fbc976333b6dddbd1f
SHA256

4876a41ca8919c4ff58ffb4b4df54202d82804fd85d0010669c7cb4f369c12c3
SHA512

100eeaaa2a3d2cc83f9a76adc5ac81d6284b321dbbb89481d5db06e5cd24ff6de03b6cdade7833e66c976bd597019763f7e230072bf5224bb687e36067f3fb45

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xmlprov\Parameters\ServiceDll = "C:\\Windows\\System32\\xmlprov.dll"	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 1 IoCs

pid	Process
4356	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\xmlprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.dll	cmd.exe
File created	C:\Windows\System32\xmlprov.ini	cmd.exe
File opened for modification	C:\Windows\System32\xmlprov.ini	cmd.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4272	sc.exe
3540	sc.exe
3272	sc.exe
2456	sc.exe
2976	sc.exe
4724	sc.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Console\CodePage = "65001"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Console	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
324	reg.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4272	4088	cmd.exe	84
PID 4088 wrote to memory of 4272	4088	cmd.exe	84
PID 4088 wrote to memory of 2220	4088	cmd.exe	85
PID 4088 wrote to memory of 2220	4088	cmd.exe	85
PID 4088 wrote to memory of 636	4088	cmd.exe	86
PID 4088 wrote to memory of 636	4088	cmd.exe	86
PID 4088 wrote to memory of 3540	4088	cmd.exe	87
PID 4088 wrote to memory of 3540	4088	cmd.exe	87
PID 4088 wrote to memory of 3272	4088	cmd.exe	88
PID 4088 wrote to memory of 3272	4088	cmd.exe	88
PID 4088 wrote to memory of 2456	4088	cmd.exe	89
PID 4088 wrote to memory of 2456	4088	cmd.exe	89
PID 4088 wrote to memory of 2976	4088	cmd.exe	90
PID 4088 wrote to memory of 2976	4088	cmd.exe	90
PID 4088 wrote to memory of 3976	4088	cmd.exe	91
PID 4088 wrote to memory of 3976	4088	cmd.exe	91
PID 4088 wrote to memory of 4064	4088	cmd.exe	92
PID 4088 wrote to memory of 4064	4088	cmd.exe	92
PID 4088 wrote to memory of 4724	4088	cmd.exe	93
PID 4088 wrote to memory of 4724	4088	cmd.exe	93
PID 4356 wrote to memory of 220	4356	svchost.exe	95
PID 4356 wrote to memory of 220	4356	svchost.exe	95
PID 220 wrote to memory of 324	220	cmd.exe	97
PID 220 wrote to memory of 324	220	cmd.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\sc.exe
  sc stop XmlProv
  2⤵
  - Launches sc.exe
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Users\Admin\AppData\Local\Temp\ "
  2⤵
  PID:2220
- C:\Windows\system32\findstr.exe
  findstr /i "system32"
  2⤵
  PID:636
- C:\Windows\system32\sc.exe
  sc query XmlProv
  2⤵
  - Launches sc.exe
  PID:3540
- C:\Windows\system32\sc.exe
  sc create XmlProv binpath= "C:\Windows\System32\svchost.exe -k XmlProv" DisplayName= "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:3272
- C:\Windows\system32\sc.exe
  sc description XmlProv "Network Provisioning Service"
  2⤵
  - Launches sc.exe
  PID:2456
- C:\Windows\system32\sc.exe
  sc config XmlProv type= interact type= own start= auto error= normal binpath= "C:\Windows\System32\svchost.exe -k XmlProv"
  2⤵
  - Launches sc.exe
  PID:2976
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v XmlProv /t REG_MULTI_SZ /d "XmlProv" /f
  2⤵
  PID:3976
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\XmlProv\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\xmlprov.dll" /f
  2⤵
  - Sets DLL path for service in the registry
  PID:4064
- C:\Windows\system32\sc.exe
  sc start XmlProv
  2⤵
  - Launches sc.exe
  PID:4724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k XmlProv
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\System32\cmd.exe
  cmd /c REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Console /v CodePage /t REG_DWORD /d 65001 /f
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry key
    PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

New Service

1

T1050

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.dll

Filesize
2.6MB

MD5
b693e3d2f2cab550ad4f8c5722776498

SHA1
6dc93db10d46cf777f9928803157dd16dc097e79

SHA256
f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12

SHA512
d5c02150265ab6d5d2d6a6e39514b345f6108afaecfd0d8e196b0b99d6d1af36245eb12e8a6879f16b619ba89f8eec442c394eff5f6298d1534c9f0084d63f18

Download Submit
\??\c:\windows\system32\xmlprov.ini

Filesize
67B

MD5
6f287b6e63915d95be6bc6988713d83c

SHA1
13aa8bbf1a843b7cf81d6f052e83a9c3d113041a

SHA256
491ed46847e30b9765a7ec5ff08d9acb8601698019002be0b38becce477e12f6

SHA512
87a1c3cdbcb4b8d726959f988269a6df839e12e08f96b64d8221c8c056676cc91e3dd2d26b35a1cab7e526f96cd1055eb2063771f12c4d348c0796676ba4d1ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads