486b43592b175081fe3ca5e1bad2be4338285bffaf3d3c4a496b8aa87ae81d62

Analysis

max time kernel
98s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2023, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CloudDeviceATDLss.exe
Size

683KB
MD5

4e41ef79db3a3e90c60cff647c69a920
SHA1

61f01719de0c0fdbbcb0583d51ccf1559ccb0aa8
SHA256

486b43592b175081fe3ca5e1bad2be4338285bffaf3d3c4a496b8aa87ae81d62
SHA512

3c4caea7fe4654ae6b807e73511e2674374039e9f3d604d1ab7c58e1546efd6da5cce3bd14326e298af6fbfb273a5aaa9fa1335d22c8d806866ac16c9c1aaa6e
SSDEEP

6144:ktZEjNbRVNV6wdq5jE1p8S8kYadmkE8Xr4gp0iptw3NnbtB+8Xr4gp0i8tw3cnd:JDLdzXkgCwti3bXkgCVtr

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	CloudDeviceATDLss.exe
File created	C:\Windows\assembly\Desktop.ini	CloudDeviceATDLss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	CloudDeviceATDLss.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	CloudDeviceATDLss.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File opened for modification	C:\Windows\assembly	CloudDeviceATDLss.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3492	dw20.exe
Token: SeBackupPrivilege	3492	dw20.exe
Token: SeBackupPrivilege	3492	dw20.exe
Token: SeBackupPrivilege	3492	dw20.exe
Token: SeBackupPrivilege	3492	dw20.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3264	5080	CloudDeviceATDLss.exe	86
PID 5080 wrote to memory of 3264	5080	CloudDeviceATDLss.exe	86
PID 5080 wrote to memory of 3264	5080	CloudDeviceATDLss.exe	86
PID 3264 wrote to memory of 64	3264	csc.exe	88
PID 3264 wrote to memory of 64	3264	csc.exe	88
PID 3264 wrote to memory of 64	3264	csc.exe	88
PID 5080 wrote to memory of 1668	5080	CloudDeviceATDLss.exe	89
PID 5080 wrote to memory of 1668	5080	CloudDeviceATDLss.exe	89
PID 5080 wrote to memory of 1668	5080	CloudDeviceATDLss.exe	89
PID 1668 wrote to memory of 220	1668	csc.exe	91
PID 1668 wrote to memory of 220	1668	csc.exe	91
PID 1668 wrote to memory of 220	1668	csc.exe	91
PID 5080 wrote to memory of 3492	5080	CloudDeviceATDLss.exe	94
PID 5080 wrote to memory of 3492	5080	CloudDeviceATDLss.exe	94
PID 5080 wrote to memory of 3492	5080	CloudDeviceATDLss.exe	94

C:\Users\Admin\AppData\Local\Temp\CloudDeviceATDLss.exe
"C:\Users\Admin\AppData\Local\Temp\CloudDeviceATDLss.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uu1jcewh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8274.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8273.tmp"
    3⤵
    PID:64
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh0kye3v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8478.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8477.tmp"
    3⤵
    PID:220
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1520
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8274.tmp

Filesize
1KB

MD5
3c7f264204228ec59ddc1cf3ae0fe3e3

SHA1
2af6e86d05f7a7012623255e19ad4e9f1baf2480

SHA256
262dc17ba63421382b042863036ae501accc7b52aac2ba81fe5020084a8ce152

SHA512
048d5cd6be90d481acb0d9843a906915b89ed70033b3cc269b558fa32816229d7e7dc97606821514368d9608108f5c63d04a79b3605d500164ae403ebe25df5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8478.tmp

Filesize
1KB

MD5
d0994b0e1885399504802de832a01b8f

SHA1
d4bae95c3c6a0bb4463e359245e27dd6bb23513f

SHA256
e70d957ec77dad292dced5049ad5ded5c88e69a2dc42140461888085a2a49cdc

SHA512
4c9bac9255b7ff7a965ec36daa24747aafd765432c32e23925430d76a44f048bf3a4b7aae8607522350541f0cd69aae49abd4ad8e722c34b2ea749f5e508af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh0kye3v.dll

Filesize
88KB

MD5
994f5c558add89bdd821e1c82fb3d2a4

SHA1
088f97b905f14bb649269c95d88cdf2fb8f6d991

SHA256
1269cef4dcb5f9d62798df624d9d7c6183a9ca859bcbfc59d94f189287563c95

SHA512
a95987c32a0a71cc08e5f3e7ef033269cdeb7b4796a492fbc31f7d8e1c9b2b754ba1d024ef516d81d7f60a9b8d1dc6f4acab6673efafea40ed23b58c9e5c9538

Download Submit
C:\Users\Admin\AppData\Local\Temp\uu1jcewh.dll

Filesize
576KB

MD5
1596f97e684bb8be29cea2c68ae308d6

SHA1
6f5f3047359beafdf96b76446ebae24afe0713e5

SHA256
58c2b8eb56e7d9a6bf52b278a5542363949551f1483d6994fb0dc6d62ae25252

SHA512
f3f8c60b542ce5b2d0d8b705b286040d984368d800c61d5bc9dc4fc900ca1514dd8d3d963c80374db349ae558181415539c790a494105435b381a79d3685ff7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8273.tmp

Filesize
652B

MD5
69087216a3fc833458f98eed4ac71fbf

SHA1
3d352c598a6f85e92986315c7d1d9962ed289c7a

SHA256
e0de085031ae8227a3901320bfa85dc3ab9f5efca55fc471f1c71532086e6149

SHA512
25bb4c144d82aaeee6433dd32e73f7ffadd417fe6d1b9a7682bc2cce2a509b9944c4a259e0b49221af27b7a18e18065a8b6b3f2cf04229c1e2316058c20f596a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8477.tmp

Filesize
652B

MD5
bbfaffdbd79ef016433e529e66ddf6fb

SHA1
6d5ec6a01de8bc70281e091d3aea3b37c6365688

SHA256
7a374db12bb96348eb71f1bbcb2820d7b9e628711b19a6b8928f65f70ff5ecfc

SHA512
92d39f87f38efbf7ec700f1cfaec475c4b9fa7c97a2dafe49d83dfe9ee51d8280d86715582e4e1846697d4c6962559625ab9cacfa6896a70421eb2067d8d5c08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh0kye3v.0.cs

Filesize
164KB

MD5
107d41022309883ad1ce3b7576464197

SHA1
82cd3c19ff798d2c23afbf4eb4b862595b522822

SHA256
a6e68ab3dbdfe89a6cbd4ded8132ebdd6cf8af8e514ba09547880b9d336bd50d

SHA512
bbe510fd5ebc29a01a7e3863f1211cf3ce3aff2abe1e323e501c8f2dcf717ea5ca9726ea483b2b43ebad9b451cf96b2f03530fdade5b0193735997027aad063d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hh0kye3v.cmdline

Filesize
676B

MD5
0cd81027cf7f1b6d21ece002d9f32711

SHA1
edd79868329797c6ef490be33c0e13b77335565b

SHA256
10065148cd82a36316b58b249c715f3d7242177814f3c583e5f1da92d89df4e0

SHA512
99875d6e591fcec98189d7aade9be2103290254bedffc425791392c12aff913fad084c5b84908f0cfbfc2194e98283be2905229872fec16b760661f49caecb4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uu1jcewh.0.cs

Filesize
1.3MB

MD5
2333951c6abeb2e72488422e878af6c9

SHA1
00a7d8be0f9faed35922eb6b11c7e4c90727fdc6

SHA256
1005292695d2f6abc8d2afc8c0bed9f5183b433e1eab2646dd666920e0692462

SHA512
20a5300fe02f2963cf863a5ad4beba6d1e7201c53fd0d39351dbae01bdd0d30a64694ca82b8f64e4192e72cdfd02875afa87bbc44a474b28b3feb5d25be51eac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uu1jcewh.cmdline

Filesize
676B

MD5
14fffaceb29b2fd7f0f44b2a9969c1d0

SHA1
29cf4e3b41456f6dbeea140f89c26495f759cb8b

SHA256
d19e2898c7468039397c81cc19ab5b461a42d515fd7e6134c5c5a609c19461dc

SHA512
7474d5957ac560bfafc91514cac04d738b8fc3fed971bbd38836a4dcf7d600aa556c40d6ecff68e5f43bb73f69c60117a39ae0b142869df262ac062512479e65

Download Submit
memory/5080-133-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/5080-162-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/5080-163-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads